How to properly authorize Azure user account so that it can create a Service Principal?

1
votes

Our product is a SaaS monitoring product for Azure (CloudMonix). One of the ways that it connects to customers' Azure subscriptions via ARM API is by creating a Service Principal authorized against our AD application.

We used this article in order to enable this authorization and all works wonderfuly: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-api-authentication/

The issue is, often our users do not have access to the super-admin account that was originally used to create the subscription. They have their own "co-administrator" accounts. What extra permissions do these users need to have, in order to consent for our AD app to access their AD? Where do they add these permissions in either of the two Azure portals?

TIA

1
azureazure-active-directoryazure-ad-graph-apiazure-management-api

1 Answers

1
votes

In order to consent to applications that require admin permissions the user needs to have the "Global Admin (GA)" role in the Azure AD tenant. This is different from having the service administrator or co-administrator roles in an Azure Subscription.

Only existing GAs can grant another user GA rights. This means that if your user is unable to perform admin consent, they also won't be able to make themselves Azure AD GAs. The most likely solution to your scenario is to have the user contact their IT department or whoever setup the Azure AD tenant or O365 and ask them to consent to the application with their GA credentials. Once the admin consents to the application, because they're doing it as administrators, consent will be applied on behalf of all users, and as a result no other user will need to consent to the application after that.

See the article below for more details around the relationship between Azure AD and Azure subscriptions: https://blogs.technet.microsoft.com/ad/2016/02/26/azure-ad-mailbag-azure-subscriptions-and-azure-ad-2/

And just in case you still want instructions on how to make someone a global admin in Azure AD, here's the instructions for that: - From https://azure.microsoft.com/en-us/documentation/articles/active-directory-assign-admin-roles/

  1. In the Azure classic portal, click Active Directory, and then click the name of your organization’s directory.
  2. On the Users page, click the display name of the user you want to edit.
  3. In the Organizational Role list, select the administrator role that you want to assign to this user, or select User if you want to remove an existing administrator role.
  4. In the Alternate Email Address box, type an email address. This email address is used for important notifications, including password self-reset, so the user must be able to access the email account whether or not the user can access Azure.
  5. Select Allow or Block to specify whether to allow the user to sign in and access services.
  6. Specify a location from the Usage Location drop-down list.
  7. When you have finished, click Save