Reputation: 27
Azure manage App Registration secrets API using a Service Principal user
Context
I'm implementing a service to rotate the secrets of the service principals. The authenticated user must be a Service Principal and it can only update the secrets from specifics service principals of my organization.
Ex.:
- Service Principal: aadapp-manage -> this is the authenticated service principal
- Service Principal: aadapp-user-01 -> this is a specifc SP that aadapp-manage can manage its secrets
- Service Principal: aadapp-user-02 -> this is a specifc SP that aadapp-manage can manage its secrets
- Service Principal: aadapp-user-03 -> this SP CANNOT be have its secrets modified by the aadapp-manage SP.
What I did
- Created an AD Role named
Got-ManagedSecrets-Roleand assign the microsoft.directory/servicePrincipals/synchronizationCredentials/manage permission. Then, within the PIM, I assigned - Created an AD Group named
aadgrp-managed-secretsand added the SPsaadapp-user-01andaadapp-user-02. - Underneath PIM, created an assignment with the following entries:
- Role: Got-ManagedSecrets-Role
- Scope: Group
- Selected Scope: aadapp-manage
- Selected Application: aadgrp-managed-secrets
I granted Delegated / Application.ReadWrite.All, one of the required permission described in the MS Docs, but this is not useful when I want to restrict the SP that my authenticated user can do.
Source: https://learn.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
Test Cases
HTTP Request 01
Validate if aadapp-managed-secrets SP can generate a secret for aadapp-user-01. Expeccted result: YES
POST /v1.0/applications(appId='[USER-01-ID]')/addPassword HTTP/1.1
Host: graph.microsoft.com
Content-Type: application/json
Authorization: Bearer [TOKEN]
Content-Length: 96
{
"passwordCredential": {
"displayName": "New Secret"
}
}
Response
Status: OK (new secret generated)
HTTP Request 02
Validate if aadapp-managed-secrets SP can generate a secret for aadapp-user-02. Expeccted result: YES
POST /v1.0/applications(appId='[USER-02-ID]')/addPassword HTTP/1.1
Host: graph.microsoft.com
Content-Type: application/json
Authorization: Bearer [TOKEN]
Content-Length: 96
{
"passwordCredential": {
"displayName": "New Secret"
}
}
Response
Status: OK (new secret generated)
HTTP Request 03
Validate if aadapp-managed-secrets SP CANNOT generate a secret for aadapp-user-03. Expeccted result: NO
POST /v1.0/applications(appId='[USER-03-ID]')/addPassword HTTP/1.1
Host: graph.microsoft.com
Content-Type: application/json
Authorization: Bearer [TOKEN]
Content-Length: 96
{
"passwordCredential": {
"displayName": "New Secret"
}
}
Response
Status: OK (new secret generated). At this point, my test failed.
Problem
Given that (at least what I thought) I setup the Role and the assignment, it seems that the Graph API step through those securities concerns.
Any thoughts?
Upvotes: 0
Views: 628
Answers (1)
Reputation: 16054
Note that,
microsoft.directory/servicePrincipals/credentials/update,microsoft.directory/applications/credentials/updateandmicrosoft.directory/servicePrincipals/synchronizationCredentials/managepermissions are required to create secrets for Service principal.
I created four Azure AD Applications like below:
And created a group aadgrp-managed-secrets and added Service Principals as members:
Now, created a custom role and assigned to the group as scope and aadgrp-managed-secrets as member:
I generated access token for aadapp-manage like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
When I tried to create secret for aadapp-user-03, it got created, but it shouldn't be the case:
POST https://graph.microsoft.com/v1.0/applications/{id}/addPassword
Content-type: application/json
{
"passwordCredential": {
"displayName": "Password friendly name"
}
}
Note that: As you granted Admin consent to the API permission Application.ReadWrite.All of the Application aadapp-manage, it is not possible to restrict the application to stop creating the secrets for aadapp-user-03. The Application can create secrets for all the applications in the tenant. The Graph API permission is allowing the Application to create secrets through those security concerns.
Reference:
Custom role permissions for app registration - Microsoft Entra
Upvotes: 0
Related Questions
- Retrieve App Owners from Azure Portal App Registration using Microsoft Graph API and REST Method
- The identity of the calling application could not be established while I try to create a new user using Graph API In Azure
- Register an Application in Azure AD using the graph API
- How do I give an App Registration permission to access Azure KeyVault?
- Terraform - Trying to create resources in Azure with service principal and pulling that SPs key from keyvault
- Azure service principal: Grant an appRoleAssignment for a service principal does update the original permission's status
- Azure Pipeline connect to SQL DB using service principal
- Authenticate via Service Principal to Azure HTTP Function - No "identity_token" returned with client_credentials flow
- Azure AD authentication for node.js REST endpoint with Service Principal and Secret
- Azure analysis service connection using Service principal not working