BryceBy

Reputation: 319

Give Managed Identity permission to create app registration in Azure AD via ARM Template Deployment Script

What we are trying to accomplish:

We are using Azure ARM Templates to deploy new applications. When we deploy these new applications, we need to register them with our Azure AD for authentication purposes. We would like to include this app registration in our template along with the deployment of the application resources.

It looks like Azure Deployment Scripts are the way to register new apps with Azure AD in our ARM template. In our Deployment Script, the "scriptContent" I am attempting to run is simply az ad app create --display-name ${appName}

The Problem

Permissions. We are getting DeploymentScriptError: Insufficient privileges to complete the operation. I proceeded to create a Managed Identity and added az login --identity -u ${managedIdentityId} at the beginning of the script, but the same error persisted. It seems the managed identity does not have permission to create an app registration, and I am unsure how to give it this permission.

I found this article, which provides a PowerShell script for granting the necessary permissions to the managed identity; however, the author does not explain what "GraphAppId" is or where it comes from.

Any help with this would be tremendously appreciated

We are pretty new to ARM templates but this is what we currently have:

main.bicep


targetScope = 'subscription'

param location string = 'eastus'

// Resource group that will hold the application resources and the deployment script.
resource myResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'rg-test1'
  location: location
}

// Pre-existing user-assigned identity (lives in a different resource group);
// the deployment script container runs as this identity.
resource managedId 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
  name: 'mi-deployscripttest'
  scope: resourceGroup('DefaultResourceGroup-EUS')
}

module deploymentScript 'modules/deploymentScript.bicep' = {
  scope: myResourceGroup
  name: 'deploymentScript'
  params: {
    appName: 'testApp1'
    location: location
    managedIdentityId: managedId.id
    // principalId is the object id of the identity's service principal;
    // it is what role assignments (and Graph app role grants) are keyed on.
    managedIdentityPrincipalId: managedId.properties.principalId
  }
}

deploymentScript.bicep

param location string
param appName string
param managedIdentityId string
param managedIdentityPrincipalId string

// The deployment script service already signs the container in as the identity
// attached below, so the explicit 'az login --identity' is optional.
// NOTE: 'az ad app create' talks to the directory (Microsoft Graph), not to
// Azure Resource Manager. No RBAC role assignment in this file can authorize it;
// the identity's service principal needs a Microsoft Graph application
// permission (e.g. Application.ReadWrite.OwnedBy) granted separately.
var scriptContent = format('''
  az login --identity -u {0}
  az ad app create --display-name {1}
''', managedIdentityId, appName)

// Custom RBAC role: only what the deployment script needs on ARM resources
// (the storage account and container instance it creates, plus the deployment).
resource deploymentScriptRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: guid('basicDeploymentScriptDefinition')
  properties: {
    roleName: 'deployment-script-minimum-privilege-for-deployment-principal'
    description: 'Configure least privilege for the deployment principal in deployment script'
    type: 'customRole'
    permissions: [
      {
        actions: [
          'Microsoft.Storage/storageAccounts/*'
          'Microsoft.ContainerInstance/containerGroups/*'
          'Microsoft.Resources/deployments/*'
          'Microsoft.Resources/deploymentScripts/*'
          'Microsoft.Storage/register/action'
        ]
      }
    ]
    assignableScopes: [
      resourceGroup().id
    ]
  }
}

resource deploymentScriptRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Seed the assignment GUID with scope, principal and role so redeploying the
  // same assignment is idempotent and different principals/roles do not collide.
  name: guid(resourceGroup().id, managedIdentityPrincipalId, deploymentScriptRoleDefinition.id)
  properties: {
    principalId: managedIdentityPrincipalId
    roleDefinitionId: deploymentScriptRoleDefinition.id
    // Telling ARM the principal type avoids the PrincipalNotFound failure that
    // occurs when a freshly created identity has not finished replicating.
    principalType: 'ServicePrincipal'
  }
}

resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'deploymentScriptTest1'
  location: location
  kind: 'AzureCLI'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentityId}': {}
    }
  }
  properties: {
    // 'az ad' commands use Microsoft Graph from Azure CLI 2.37.0 onwards; earlier
    // releases (such as 2.9.1) call the retired Azure AD Graph API, so a Graph
    // permission granted to the identity would not apply to them.
    azCliVersion: '2.37.0'
    retentionInterval: 'P1D'
    scriptContent: scriptContent
    cleanupPreference: 'Always'
  }
  // The script resource does not reference the assignment symbolically, so the
  // ordering has to be explicit or the container may start before RBAC is in place.
  dependsOn: [
    deploymentScriptRoleAssignment
  ]
}

Upvotes: 2

Views: 1846
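The grant the question is missing, as an added example (not the linked article's script and not code from the question): give the managed identity's service principal the Microsoft Graph application permission that az ad app create requires. The "GraphAppId" asked about is the well-known application (client) ID of Microsoft Graph, 00000003-0000-0000-c000-000000000000, which is the same in every tenant. The example assumes the Microsoft.Graph PowerShell module and a caller allowed to grant app roles (for example a Privileged Role Administrator); the tenant ID is a placeholder, and the identity name is the one from the question's Bicep.

```powershell
# Added example; not the question's or the linked article's script.
# Assumes: Microsoft.Graph module installed, caller can grant app roles.
param(
    [string] $ManagedIdentityName = 'mi-deployscripttest',   # name from the question's Bicep
    [string] $TenantId = '<your-tenant-id>',                  # placeholder, replace
    # Least privilege: OwnedBy lets the identity create apps and manage only the
    # ones it owns. Use 'Application.ReadWrite.All' only if it must edit other apps.
    [string] $AppRoleName = 'Application.ReadWrite.OwnedBy'
)

# Well-known application ID of the Microsoft Graph API (identical in every tenant).
# This is the "GraphAppId" the question asks about.
$GraphAppId = '00000003-0000-0000-c000-000000000000'

Connect-MgGraph -TenantId $TenantId -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

# 1. Service principal of the user-assigned managed identity. Its displayName is
#    the identity's resource name; its Id is the principalId Bicep exposes.
$mi = @(Get-MgServicePrincipal -Filter "displayName eq '$ManagedIdentityName'")
if ($mi.Count -ne 1) {
    throw "Expected exactly one service principal named '$ManagedIdentityName', found $($mi.Count)"
}
$mi = $mi[0]

# 2. Service principal of Microsoft Graph in this tenant; it publishes the app roles
#    (application permissions) that other principals can be assigned to.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# 3. Resolve the app role by its permission string. Only roles with
#    AllowedMemberTypes 'Application' can be held by a service principal;
#    delegated permissions do not apply to a managed identity.
$role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq $AppRoleName -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw "App role '$AppRoleName' not found on Microsoft Graph" }

# 4. Idempotency: do not create a duplicate assignment on re-runs.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }

if ($existing) {
    Write-Host "'$AppRoleName' is already granted to $ManagedIdentityName"
} else {
    # 5. The app role assignment *is* the admin consent for an application permission.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted '$AppRoleName' to $ManagedIdentityName"
}

# 6. Show every Graph permission the identity now holds, so the grant can be reviewed.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $r = $graphSp.AppRoles | Where-Object { $_.Id -eq $_.AppRoleId }
        $r = $graphSp.AppRoles | Where-Object Id -eq $_.AppRoleId
        [pscustomobject]@{ Permission = $r.Value; AssignedOn = $_.CreatedDateTime }
    }
```

Two things to check after running it: the grant is against Microsoft Graph, so the deployment script has to run an Azure CLI release whose az ad commands use Microsoft Graph (2.37.0 or later; the 2.9.1 pinned in the question still called the legacy Azure AD Graph API), and a new grant can take a few minutes to appear in tokens, so a deployment started immediately afterwards may still report "Insufficient privileges".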

Answers (1)

Ecstasy

Reputation: 1864

To find the ClientID/AppID, you need to check the request being sent to https://login.microsoftonline.com for authentication. ClientID/AppID is sent as a parameter in the request url as highlighted in sample request below:

https://login.microsoftonline.com/xxxxxx.onmicrosoft.com/oauth2/v2.0/authorize?**client_id=d736a5a0-xxxx-xxxx-xxxx-d192b45e4aa7**&response_type=code&redirect_uri=https://jwt.ms&state=1234&response_mode=query&scope=openid

To add required permissions in the token, you need to first copy the Client ID (aka App ID) that you are using in your request to get the Access Token and then navigate to:

Azure Portal > Azure Active Directory > App Registration > All Applications > Search with the ClientID/AppID copied earlier

In that application Navigate to:

API permissions > Add a permission > Microsoft Graph > Delegated permissions > Expand User > Select required permissions as shown below. Once the permissions are added, click on the Grant admin consent for your_tenant button.


You can refer to "Insufficient privileges to complete the operation" while using Graph API, Calling your APIs with Azure AD Managed Service Identity using application permissions, and az ad app permission add - Insufficient privileges to complete the operation.

Upvotes: 2
