I want to give an application ownership of several of my Azure Service Bus queues ... specifically, by granting it the Azure Service Bus Data Owner role.
The Azure Service Bus documentation says this is possible:
Azure Service Bus supports using Azure Active Directory (Azure AD) to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal [my emphasis].
(Source)
However, I can't find a way to do it.
user_impersonation permission on Microsoft.ServiceBus. (Application permissions is disabled [1], so I selected Delegated permissions and checked user_impersonation [2]. No idea if that's right. I posted another question a while ago about Application permissions being disabled, but the accepted answer of editing the manifest doesn't work in this case.)
Role assignments > Add. My application doesn't appear in the search results in Role assignments.
Upvotes: 1
Views: 3179
A service principal is the instance of an application in a given tenant. (Multi-tenant applications can have service principals in many tenants, all referring back to a single app registration.)
To grant an Azure role to an application, a service principal must first exist in the tenant. To check if the service principal for an app registration already exists in the same tenant where the app is registered (and create it if it doesn't):
Using the Azure portal:
Using Azure CLI:
az ad sp show --id {app-id}
az ad sp create --id {app-id}
Using Azure AD PowerShell:
Get-AzureADServicePrincipal -Filter "appId eq '{app-id}'"
New-AzureADServicePrincipal -AppId "{app-id}"
Upvotes: 1
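The answer's two steps (make sure a service principal exists for the app registration, then assign the role) can be scripted end to end with the Azure CLI. The script below is an added example written for this page, not code from the question or the answer. It assumes a recent `az` CLI that is already logged in (so `az ad sp show` returns the service principal's object ID in the `id` property) and takes the subscription, resource group, namespace, application ID and queue names from environment variables, all of which are placeholders the caller supplies. It goes one step beyond the answer: because the asker wants to own several specific queues, it scopes each role assignment to an individual queue's resource ID rather than to the whole namespace, which is the least-privilege choice, and finishes by listing what the principal was actually granted.

```shell
#!/usr/bin/env bash
# Added example (not from the original question or answer).
# Assumptions: `az` installed and logged in; APP_ID, SUBSCRIPTION_ID,
# RESOURCE_GROUP, NAMESPACE and QUEUES (space-separated) are placeholders
# supplied by the caller.
set -eu

ROLE="Azure Service Bus Data Owner"

# Build the ARM resource ID used as the role-assignment scope. Scoping to a
# single queue, rather than the namespace, limits the app to exactly the
# entities it needs.
queue_scope() {
  local sub="$1" rg="$2" ns="$3" queue="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ServiceBus/namespaces/%s/queues/%s' \
    "$sub" "$rg" "$ns" "$queue"
}

# Return the service principal's object ID, creating the SP first if the app
# registration has no instance in this tenant yet (which is why the app does
# not show up in the Role assignments search in the portal).
ensure_service_principal() {
  local app_id="$1" object_id
  object_id="$(az ad sp show --id "$app_id" --query id -o tsv 2>/dev/null || true)"
  if [ -z "$object_id" ]; then
    object_id="$(az ad sp create --id "$app_id" --query id -o tsv)"
  fi
  printf '%s' "$object_id"
}

# Assign the role to the SP by object ID at the given scope. Passing the
# object ID and principal type explicitly avoids a directory lookup that can
# fail right after the SP has just been created.
assign_role() {
  local object_id="$1" scope="$2"
  az role assignment create \
    --assignee-object-id "$object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE" \
    --scope "$scope" -o none
}

# Show every assignment the principal now holds, as a quick audit of what
# was granted and at which scope.
list_assignments() {
  az role assignment list --assignee "$1" --all -o table
}

# Only touch Azure when the caller supplies the IDs; otherwise the functions
# above can be sourced and checked offline.
if [ -n "${APP_ID:-}" ]; then
  sp_id="$(ensure_service_principal "$APP_ID")"
  for q in $QUEUES; do
    assign_role "$sp_id" "$(queue_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$NAMESPACE" "$q")"
  done
  list_assignments "$sp_id"
fi
```

Run it as `APP_ID=... SUBSCRIPTION_ID=... RESOURCE_GROUP=... NAMESPACE=... QUEUES="orders billing" bash grant-sb-owner.sh`. If the app should own everything in the namespace instead, drop the `/queues/...` suffix from the scope, but keep in mind that Data Owner at namespace scope covers every queue, topic and subscription created later as well.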