Reputation: 731
Hi,
I am trying to set the AAD (Azure Active Directory) application permissions (read/write/execute and other settings) in ADLS (Azure Data Lake Store) using PowerShell commands.
I tried using the PowerShell command below:
Set-AzureRmDataLakeStoreItemAclEntry -AccountName "adls" -Path / -AceType User -Id (Get-AzureRmADApplication -ApplicationId 490eee0-2ee1-51ee-88er-0f53aerer7b).ApplicationId -Permissions All
But this command sets/displays the ApplicationId under "Access" properties in ADLS with only read/write/execute access. But these settings are not correct, as I perform the manual steps of Service Authentication in ADLS.
Is there any other way to set permissions of an AAD application in ADLS?
Upvotes: 1
Views: 1712
Reputation: 965
You need to set the ObjectId (not the application ID) as the Id parameter to Set-AzureRmDataLakeStoreItemAclEntry:
Set-AzureRmDataLakeStoreItemAclEntry -AccountName "adls" -Path / -AceType User -Id (Get-AzureRmADApplication -ApplicationId 490eee0-2ee1-51ee-88er-0f53aerer7b).Id -Permissions All
Upvotes: 1
Reputation: 14649
The parameter User of the Set-AzureRmDataLakeStoreItemAclEntry command should be the object ID of the Azure Active Directory user, group, or service principal for which to modify an ACE.
You can refer to the command below to assign the permission:
Set-AzureRmDataLakeStoreItemAclEntry -AccountName "accountName" -Path / -AceType User -Id (Get-AzureRmADServicePrincipal -ServicePrincipalName "{applicationId}").Id -Permissions All
For more detail about this command, you can refer to the link below:
Set-AzureRmDataLakeStoreItemAclEntry
Upvotes: 2
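The lookup-then-grant sequence from the answers above, as an added example that is not part of the original posts: it resolves the service principal's object ID from the application ID, fails if none exists, sets the ACE, and reads the ACL back to confirm the entry is keyed by that object ID. The function name Grant-AdlsAccessToApp is hypothetical, and the Id property on the entries returned by Get-AzureRmDataLakeStoreItemAclEntry is an assumption about that cmdlet's output.

```powershell
# Added example (not from the original thread). Function name is hypothetical.
function Grant-AdlsAccessToApp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $AccountName,
        [Parameter(Mandatory = $true)] [guid]   $ApplicationId,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Read', 'Write', 'Execute', 'ReadWrite', 'ReadExecute', 'WriteExecute', 'All')]
        [string] $Permissions,
        [string] $Path = '/'
    )

    # ADLS ACEs are keyed by the service principal's object ID,
    # not by the application (client) ID.
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ApplicationId.ToString()
    if (-not $sp) {
        throw "No service principal found for application ID $ApplicationId in this tenant."
    }

    Set-AzureRmDataLakeStoreItemAclEntry -AccountName $AccountName -Path $Path `
        -AceType User -Id $sp.Id -Permissions $Permissions | Out-Null

    # Read the ACL back and confirm an entry exists for the object ID.
    # Assumption: each returned entry exposes an Id property.
    $ace = Get-AzureRmDataLakeStoreItemAclEntry -AccountName $AccountName -Path $Path |
        Where-Object { "$($_.Id)" -eq "$($sp.Id)" }
    if (-not $ace) {
        throw "ACL on '$Path' has no entry for object ID $($sp.Id) after the update."
    }
    return $ace
}

# Usage (placeholders, as in the answer above):
# Grant-AdlsAccessToApp -AccountName 'accountName' -ApplicationId '{applicationId}' -Permissions All
```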