Deep

Reputation: 1

Azure Service Principal rotation (Graph API permission to managed identity)

My end goal is to be able to rotate SPN secrets and add the new secret to Key Vault. I thought of using Azure Automation account runbooks to do it. However, I think the managed identity of the automation account must have the Graph API permission to read/write applications (owned or all). Currently I am not sure if there is any way to provide Graph API permission to the managed identity's Enterprise Application via the portal; I have the PowerShell script to do it. Is there any other way to achieve the SPN rotation without Graph API admin consent? Will giving the Azure AD built-in role of Application Administrator do the same job as the Graph API permission, or am I missing something? Is there a better way to manage SPN creation and secret rotation?

I tried logging in via runbook using the managed identity, but it doesn't have enough permissions to create or manage app registrations.

Upvotes: 0

Views: 795

Answers (1)

Philippe Signoret

Reputation: 14326

Assigning the managed identity's service principal the "Application Administrator" directory role (possible through the portal), and granting it the Microsoft Graph app role "Application.ReadWrite.All" (possible only through API/PowerShell) both result in the managed identity having almost identical privileges.

Keep in mind that both of these approaches are extremely high privilege, as they allow effectively "taking over" an app identity which might be granted privileged access. I recommend you treat both almost like you're granting the managed identity (and everyone who is in a position to authenticate using that managed identity) as if they were Global Administrator and had full access to all your M365 and Azure environments.

Instead, you might want to consider a couple of alternatives:

  • Assign the managed identity's service principal the "Application Administrator" directory role at the scope of the individual target application and service principals (not tenant-wide).
  • Grant the managed identity's service principal the Microsoft Graph app role (application permission) Application.ReadWrite.OwnedBy (e.g. using PowerShell), and make it owner of each of the target application and service principals.

Upvotes: 0
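As an added illustration of the second alternative in the answer above (this is not code from the question or the answer): a one-time setup that grants the Automation account's managed identity only `Application.ReadWrite.OwnedBy` and makes it owner of the single target app, followed by a runbook body that rotates that app's secret into Key Vault. It uses the Microsoft Graph PowerShell SDK and Az.KeyVault cmdlets; the identity, app and vault names are constructed placeholders, and it assumes the managed identity separately holds a Key Vault role (for example Key Vault Secrets Officer) on the vault.

```powershell
# Added example, not from the original post. Assumed placeholder names:
$miDisplayName = 'aa-spn-rotation'   # managed identity of the Automation account
$targetAppName = 'my-target-app'     # app registration whose secret is rotated
$vaultName     = 'kv-spn-secrets'    # Key Vault that receives the new secret
$graphAppId    = '00000003-0000-0000-c000-000000000000'  # well-known Microsoft Graph appId

# ---------- Part 1: one-time setup, run interactively by an admin who can consent ----------
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All'

$mi    = Get-MgServicePrincipal -Filter "displayName eq '$miDisplayName'"
$graph = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$app   = Get-MgApplication      -Filter "displayName eq '$targetAppName'"
$sp    = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

# Grant the narrow application permission: OwnedBy only reaches apps the identity owns.
$role = $graph.AppRoles | Where-Object { $_.Value -eq 'Application.ReadWrite.OwnedBy' }
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
    -PrincipalId $mi.Id -ResourceId $graph.Id -AppRoleId $role.Id

# Make the managed identity an owner of the application object AND its service principal.
$miRef = "https://graph.microsoft.com/v1.0/directoryObjects/$($mi.Id)"
New-MgApplicationOwnerByRef      -ApplicationId $app.Id     -OdataId $miRef
New-MgServicePrincipalOwnerByRef -ServicePrincipalId $sp.Id -OdataId $miRef

# Check: the identity should hold exactly one Graph app role, and it must not be
# Application.ReadWrite.All (that would be the tenant-wide privilege the answer warns about).
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { ($graph.AppRoles | Where-Object Id -eq $_.AppRoleId).Value }
if ($granted -contains 'Application.ReadWrite.All') { throw 'Too broad: remove Application.ReadWrite.All' }
"Graph app roles held by $($miDisplayName): $($granted -join ', ')"

# ---------- Part 2: runbook body, executed by the managed identity on a schedule ----------
function Invoke-SpnSecretRotation {
    param(
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [Parameter(Mandatory)] [string] $VaultName,
        [int] $ValidityDays = 90          # lifetime of the newly minted secret
    )

    # Both sign-ins use the Automation account's system-assigned identity.
    Connect-AzAccount -Identity | Out-Null
    Connect-MgGraph   -Identity | Out-Null

    # Get-MgApplication succeeds only for apps this identity owns (OwnedBy scope).
    $app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
    if (-not $app) { throw "App '$AppDisplayName' not found or not owned by this identity" }

    # Mint a new client secret on the app registration.
    $stamp = (Get-Date).ToString('yyyyMMdd-HHmm')
    $new = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        DisplayName = "rotated-$stamp"
        EndDateTime = (Get-Date).AddDays($ValidityDays)
    }

    # Store it in Key Vault with matching expiry; the KeyId tag ties the version to the credential.
    $secure = ConvertTo-SecureString -String $new.SecretText -AsPlainText -Force
    $stored = Set-AzKeyVaultSecret -VaultName $VaultName -Name "$AppDisplayName-client-secret" `
        -SecretValue $secure -Expires $new.EndDateTime -Tag @{ keyId = $new.KeyId }
    $secure = $null; $new.SecretText = $null   # drop plaintext from memory once stored

    # Housekeeping: remove only credentials that have already expired, so consumers that
    # have not yet picked up the new Key Vault version keep working until the old one lapses.
    $expired = (Get-MgApplication -ApplicationId $app.Id).PasswordCredentials |
        Where-Object { $_.EndDateTime -lt (Get-Date) }
    foreach ($cred in $expired) {
        Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $cred.KeyId
    }

    return [pscustomobject]@{
        App           = $AppDisplayName
        NewKeyId      = $new.KeyId
        ExpiresOn     = $new.EndDateTime
        VaultVersion  = $stored.Version
        PrunedExpired = @($expired).Count
    }
}

# Runbook entry point (parameters would normally come from Automation variables).
Invoke-SpnSecretRotation -AppDisplayName $targetAppName -VaultName $vaultName
```

Part 1 is the only step that needs a consenting administrator; afterwards the runbook identity can mint and prune secrets solely on apps it owns, which is the containment the answer recommends over a tenant-wide `Application.ReadWrite.All` grant or an unscoped Application Administrator role. The pruning step deliberately removes only already-expired credentials, so a rotation never locks out a consumer that still reads the previous Key Vault version.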
