7
votes

I have a C# application that will create Resource Groups. I'm using the ResourceManagementClient to create the resource group (which I assume is just a wrapper for their REST API). I'm using an Azure AD application's Client ID and Client Secret to authenticate.

I'm getting this error:

{"The client 'xxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxx/resourcegroups/test-resource-group'."}

Is there a way I can give this permission at the subscription level to an Azure AD application?


2 Answers

6
votes

The steps to configure this are:

  1. Register application in Azure AD (sounds like you've already done this)
  2. Create corresponding service principal for your application (this may or may not have been done automatically when you registered the application - it depends on the method you used for registration)
  3. Assign the service principal RBAC access to the subscription(s).

The steps are described in detail here.

I believe you'll need to assign your service principal the Contributor role to enable resource group creation.

0
votes

You can also use the Azure CLI, which allows you to automate the task of creating a service principal. I did the following (from here):

  1. Install for your platform
  2. Run az login to log in to Azure with your intended account
  3. Run az ad sp create-for-rbac to create an Azure Active Directory Application with access to Azure Resource Manager for the current Azure Subscription
  4. You can fetch the subscription ID in which the Service Principal was created using: az account list --query "[?isDefault].id" -o tsv

I wrote this code in a gist for macOS here
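Added example, not part of either answer above or of any linked gist: a least-privilege variant of step 3 (assigning RBAC access) that grants a custom role limited to the action named in the error message, scoped to one subscription, instead of Contributor. The role name, the JSON file name and the helper function names are assumptions made for illustration, and the role covers only creating and reading resource groups, not deploying resources into them.

```shell
#!/bin/sh
# Added example. Hypothetical helper names; constructed role and file names.

ROLE_NAME="Resource Group Creator (example)"   # assumed custom role name

# Reject anything that is not a GUID before it is placed in a scope string.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Emit a custom role definition allowing only the resource group write
# action from the error message, plus read, assignable in one subscription.
role_definition() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "Description": "Create and read resource groups only.",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$1"]
}
EOF
}

# Print the az commands for review (dry run) rather than executing them.
# $1 = subscription ID, $2 = object ID of the service principal.
assignment_commands() {
  is_guid "$1" && is_guid "$2" || { echo "invalid GUID" >&2; return 1; }
  echo "az role definition create --role-definition @rg-creator-role.json"
  echo "az role assignment create --assignee-object-id $2 --assignee-principal-type ServicePrincipal --role \"${ROLE_NAME}\" --scope /subscriptions/$1"
}

# When called with two arguments, write the role file and show the commands.
if [ "$#" -eq 2 ]; then
  role_definition "$1" > rg-creator-role.json
  assignment_commands "$1" "$2"
fi
```

Run the printed commands with an account that is allowed to create role definitions and role assignments on the subscription; the service principal itself does not need that right.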