1
votes

On my MSDN Azure subscription, logged in after executing Login-AzureRMAccount, I can execute Get-AzureRmRoleAssignment without a problem.

I created an application and service Principal with a role in Azure with powershell (New-AzureRmADApplication, New-AzureRmADServicePrincipal & New-AzureRmRoleAssignment) and after logging in with those credentials with this powershell:

$psCredential = New-Object System.Management.Automation.PSCredential("98349834-8494-4813-9282-4343434", (ConvertTo-SecureString "myPassword" -AsPlainText -Force))
Add-AzureRMAccount -ServicePrincipal -Tenant "123456-d5bb-44f8-a283-34534434" -Credential $psCredential

the following can be executed successful:

Get-AzureRmADApplication -IdentifierUri "http://SP.5656645-408c-4980-950e-898989"

but when executing

Get-AzureRmRoleAssignment -debug

I'm getting the following exception:

Microsoft.Rest.Azure.CloudException: Access denied to the specified API version

It seems many people hit this exception, and I've read a lot of suggested solutions such as granting access in the Azure portal, but nothing seems to work. Even after giving the application the following permissions, the exception is still raised:

  • Windows Azure Active Directory 6 application permissions - 6 delegated permissions (not able to select them all, only where Requires Admin=Yes)
  • Microsoft Graph - 20 application permissions - 20 delegated permissions (also not able to select them all)

What should I do to let the Service Principal execute Get-AzureRmRoleAssignment?

Edit: The application has the role Owner. I've used the following PowerShell script to create the application, service principal and role assignment.

param
(
    [Parameter(Mandatory=$true, HelpMessage="Enter Azure Subscription name. You need to be Subscription Admin to execute the script")]
    [string] $subscriptionName,

    [Parameter(Mandatory=$true, HelpMessage="Provide a password for SPN application that you would create")]
    [string] $password,

    [Parameter(Mandatory=$false, HelpMessage="Provide a SPN role assignment")]
    [string] $spnRole = "owner"
)

#Initialize
$ErrorActionPreference = "Stop"
$VerbosePreference = "SilentlyContinue"
$userName = $env:USERNAME
$newguid = [guid]::NewGuid()
# Display name is "SP.<user>.<guid>"; the original line referenced an undefined
# $resourceGroupName here, which yields "SP..<guid>". $userName is what the
# script already defines for this purpose.
$displayName = [String]::Format("SP.{0}.{1}", $userName, $newguid)
$homePage = "http://" + $displayName
$identifierUri = $homePage


#Initialize subscription
$isAzureModulePresent = Get-Module -Name AzureRM* -ListAvailable
if ([String]::IsNullOrEmpty($isAzureModulePresent) -eq $true)
{
    Write-Output "Script requires AzureRM modules to be present. Obtain AzureRM from https://github.com/Azure/azure-powershell/releases. Please refer https://github.com/Microsoft/vsts-tasks/blob/master/Tasks/DeployAzureResourceGroup/README.md for recommended AzureRM versions." -Verbose
    return
}

Import-Module -Name AzureRM.Profile
Write-Output "Provide your credentials to access Azure subscription $subscriptionName" -Verbose
Login-AzureRmAccount -SubscriptionName $subscriptionName
$azureSubscription = Get-AzureRmSubscription -SubscriptionName $subscriptionName
$connectionName = $azureSubscription.SubscriptionName
$tenantId = $azureSubscription.TenantId
$id = $azureSubscription.SubscriptionId


#Create a new AD Application
Write-Output "Creating a new Application in AAD (App URI - $identifierUri)" -Verbose
$azureAdApplication = New-AzureRmADApplication -DisplayName $displayName -HomePage $homePage -IdentifierUris $identifierUri -Password $password -Verbose
$appId = $azureAdApplication.ApplicationId
Write-Output "Azure AAD Application creation completed successfully (Application Id: $appId)" -Verbose


#Create new SPN
Write-Output "Creating a new SPN" -Verbose
$spn = New-AzureRmADServicePrincipal -ApplicationId $appId
$spnName = $spn.ServicePrincipalNames
Write-Output "SPN creation completed successfully (SPN Name: $spnName)" -Verbose


#Assign role to SPN
Write-Output "Waiting for SPN creation to reflect in Directory before Role assignment"
Start-Sleep 20
Write-Output "Assigning role ($spnRole) to SPN App ($appId)" -Verbose
New-AzureRmRoleAssignment -RoleDefinitionName $spnRole -ServicePrincipalName $appId 
Write-Output "SPN role assignment completed successfully" -Verbose


#Print the values
Write-Output "`nCopy and Paste below values for Service Connection" -Verbose
Write-Output "***************************************************************************"
Write-Output "Connection Name: $connectionName(SPN)"
Write-Output "Subscription Id: $id"
Write-Output "Subscription Name: $connectionName"
Write-Output "Service Principal Id: $appId"
Write-Output "Service Principal key: <Password that you typed in>"
Write-Output "Tenant Id: $tenantId"
Write-Output "***************************************************************************"
juvchan: Which Azure PowerShell version are you using? I am able to run Get-AzureRmRoleAssignment -debug without issue.
Pascal Naber: Version 5.1.14393.693. The AzureRM version is 3.6.
Pascal Naber: I've tried it on multiple development PCs without success. Are you able to execute Get-AzureRmRoleAssignment -debug after logging in as the Service Principal (like the PowerShell above)?

1 Answer

1
votes

To do that, you need to assign the permission to do that ;) The permission is called Microsoft.Authorization/roleAssignments/read. You can get a list of permissions with Get-AzureRmProviderOperation Microsoft.Authorization/*; to assign permissions you need to create a custom role definition and assign it, or use one of the built-in roles.

https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles

I can confirm that this happens only from PowerShell (the funniest thing is that Get-AzureRmRoleDefinition works, while Get-AzureRmRoleAssignment doesn't); Python code can list role assignments when using the same service principal:

from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.authorization import AuthorizationManagementClient
tenant_id = 'tenant_guid'
application_id = 'application_guid'
application_secret = 'application_secret'
cred = ServicePrincipalCredentials(client_id=application_id, secret=application_secret, tenant=tenant_id)
client = AuthorizationManagementClient(cred, 'subscription_guid')
roles = client.role_assignments.list()
for role in roles:
    print(role)
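The answer above says the service principal needs the Microsoft.Authorization/roleAssignments/read operation, granted either by a built-in role or by a custom role definition. The following is an added example (not code from the question, the answer, or any Azure SDK) that checks offline whether a role definition's Actions/NotActions cover a given operation, using the Azure RBAC matching rules as an assumption stated here: an operation is allowed if it matches at least one Actions entry and no NotActions entry, `*` matches any characters including `/`, and matching is case-insensitive. It also builds the least-privilege custom role JSON in the shape New-AzureRmRoleDefinition -InputFile accepts. The role definitions in SAMPLE_ROLES are constructed sample data modelled on built-in roles, not fetched from Azure, and the subscription id is a placeholder.

```python
"""Check which RBAC operations a role definition grants, and build a
least-privilege custom role for a service principal.

Added example; the matching rules below are the assumed Azure RBAC
semantics described in the lead-in, and SAMPLE_ROLES is constructed data.
"""
import json
import re

# The operation the answer says Get-AzureRmRoleAssignment needs.
REQUIRED_ACTION = "Microsoft.Authorization/roleAssignments/read"


def _pattern_matches(pattern: str, operation: str) -> bool:
    """RBAC wildcard match: '*' spans any characters (including '/'),
    everything else is literal, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def action_allowed(role: dict, operation: str) -> bool:
    """Allowed iff some Actions entry matches and no NotActions entry does."""
    allowed = any(_pattern_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_pattern_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_actions(role: dict, operations) -> list:
    """Operations from `operations` that `role` does not grant."""
    return [op for op in operations if not action_allowed(role, op)]


def least_privilege_role(name: str, operations, subscription_id: str) -> dict:
    """Custom role definition granting exactly `operations`, in the JSON
    layout New-AzureRmRoleDefinition -InputFile expects."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Role assignment read access for a deployment SPN",
        "Actions": sorted(set(operations)),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def role_definition_json(role: dict) -> str:
    """Serialise a role definition for writing to a file."""
    return json.dumps(role, indent=2)


# Constructed sample definitions (abbreviated; not pulled from Azure).
SAMPLE_ROLES = {
    # Owner and Reader built-ins really are just "*" and "*/read".
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    # A role that can do everything except touch authorization at all.
    "Everything but authorization": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*"],
    },
    # A narrow deployment role that forgot the authorization read.
    "Deployment SPN": {
        "Actions": ["Microsoft.Resources/*", "Microsoft.Compute/*"],
        "NotActions": [],
    },
}


if __name__ == "__main__":
    for name, role in SAMPLE_ROLES.items():
        print(f"{name:32s} grants {REQUIRED_ACTION}: {action_allowed(role, REQUIRED_ACTION)}")
    fixed = least_privilege_role(
        "SPN role assignment reader",
        SAMPLE_ROLES["Deployment SPN"]["Actions"] + [REQUIRED_ACTION],
        "00000000-0000-0000-0000-000000000000",  # placeholder subscription id
    )
    print(role_definition_json(fixed))
```

The check is the same one to run before blaming the API: if the role the SPN holds reports the operation as allowed here (Owner does, since it is `*`), the "Access denied to the specified API version" error is not an RBAC gap, which matches the answer's observation that the same principal lists assignments fine from Python.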