0 votes

Background: I am following https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-store-custom-rest-api to import custom logs into an Azure Storage account. This fails due to permissions on the resource id: The Azure AD object '' does not have permissions to perform action 'Microsoft.Insights/Metrics/write' over scope '.

I tracked the issue down to the fact that the Storage Account Access Control (IAM) does not list the application, so I cannot allow it to write to the account. (Note that I created a custom .NET application.)

I went back to the How to: "Add role assignments" in https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Still, if I follow this procedure, the newly created application does not show up in the Azure role assignments (no service principal, no app). I am subscription owner as well as global admin on the AAD.

Question: What is the correct procedure to allow an App Registration as in the above to write to a newly created storage account?


2 Answers

1 votes

OK, the issue was twofold:

1. Documentation in https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal when trying to add a Service Principal: you need to search for the application name, not the ID. The ID will not be found, only the name. And this is not immediate. Start typing the first letters of your service principal, then wait until the auto-completion starts. You then see your service principal. This leads to the second point:

2. Patience and understanding of the Application and Service Principal relation.

Suggest as reading: https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

Once it was presented I could assign the "Monitoring Metric Publisher" role. Azure Storage RBAC Details
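The same assignment done from a shell instead of the portal, as an added example that is not part of the original answer. It uses the Az PowerShell module; the resource group, storage account and app display name are placeholders I chose, not values from the question. The point it makes explicit is the one the answer hints at: the role assignment must target the service principal's object ID, which differs from the app registration's object ID, and it should be scoped to the single storage account rather than the subscription.

```powershell
# Added example (not from the original post): assign "Monitoring Metrics Publisher"
# to an app registration's service principal, scoped to one storage account.
# Requires the Az module and an authenticated session (Connect-AzAccount) held by
# a subscription Owner or User Access Administrator.
# All names below are placeholders (assumptions), not values from the question.
$resourceGroup  = 'rg-metrics-demo'
$storageAccount = 'stmetricsdemo001'
$appDisplayName = 'custom-metrics-writer'      # display name of the app registration
$roleName       = 'Monitoring Metrics Publisher' # built-in role that carries Microsoft.Insights/Metrics/Write

# 1. Resolve the *service principal*, not the app registration. Both live in the
#    tenant with different object IDs; role assignments must use the SP's Id.
#    Search by display name, which is what the portal picker also matches on.
$sp = Get-AzADServicePrincipal -DisplayName $appDisplayName
if (-not $sp) {
    throw "No service principal named '$appDisplayName'. Create one with: New-AzADServicePrincipal -ApplicationId <appId>"
}

# 2. Scope the grant to the single storage account (least privilege), not the
#    resource group or the subscription.
$scope = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Id

# 3. Create the assignment only if it is not already present, so the script is
#    safe to re-run. Note: with -Scope, Get-AzRoleAssignment also returns
#    assignments inherited from parent scopes.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# 4. Verify: the assignment exists and the role definition really contains the
#    action the metrics REST API demanded in the error message.
$assignment = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope
$role       = Get-AzRoleDefinition -Name $roleName
[pscustomobject]@{
    ServicePrincipalId = $sp.Id
    AppId              = $sp.AppId        # the client ID your .NET app authenticates with
    Scope              = $assignment.Scope
    GrantsMetricsWrite = ($role.Actions -contains 'Microsoft.Insights/Metrics/Write')
}
```

Two practical caveats: a new role assignment can take a few minutes to propagate, so an immediate write from the application may still be refused with the same error; and the value to put in the application's configuration is `AppId` (the client ID), while the value the role assignment stores is the service principal's object ID. Confusing those two is the usual reason a freshly registered app "does not show up" when searched by ID.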

0 votes

You have a couple options. As of today, the recommended approach is to use Shared Access Signatures. A shared access signature (SAS) provides you with a way to grant limited access to objects in your storage account to other clients, without exposing your account key.

The other option is to use Azure AD but that is still in preview and not recommended for production. The first step in using Azure AD integration with Azure Storage is to assign RBAC roles for storage data to your service principal (a user, group, or application service principal) or managed identities for Azure resources. RBAC roles encompass common sets of permissions for containers and queues. To learn more about assigning RBAC roles for Azure Storage, see Manage access rights to storage data with RBAC (Preview).

To use Azure AD to authorize access to storage resources in your applications, you need to request an OAuth 2.0 access token from your code. To learn how to request an access token and use it to authorize requests to Azure Storage, see Authenticate with Azure AD from an Azure Storage application (Preview). If you are using a managed identity, see Authenticate access to blobs and queues with Azure managed identities for Azure Resources (Preview).

Azure CLI and PowerShell now support logging in with an Azure AD identity. After you log in with an Azure AD identity, your session runs under that identity. To learn more, see Use an Azure AD identity to access Azure Storage with CLI or PowerShell (Preview).
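The SAS option this answer recommends, as an added example that is not part of the original answer: issue a container-scoped, read-and-list-only, one-hour, HTTPS-only service SAS from an Az PowerShell session and check the token's own claims before handing it to a client. The account and container names are placeholders I chose.

```powershell
# Added example (not from the original answer): grant a client time-boxed,
# read/list-only access to one blob container with a service SAS, without ever
# handing out the storage account key. Requires the Az.Storage module and an
# authenticated session. Names are placeholders (assumptions).
$resourceGroup  = 'rg-metrics-demo'
$storageAccount = 'stmetricsdemo001'
$container      = 'logs'

# The context holds the account key and is used only to *sign* the SAS here;
# the key itself is never given to the client.
$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Context

# Least privilege: r = read, l = list; no create/write/delete. Short lifetime,
# a small clock-skew allowance on the start time, and HTTPS only.
$nowUtc = (Get-Date).ToUniversalTime()
$sas = New-AzStorageContainerSASToken -Name $container -Permission 'rl' `
        -StartTime $nowUtc.AddMinutes(-5) -ExpiryTime $nowUtc.AddHours(1) `
        -Protocol HttpsOnly -Context $ctx

# Older Az.Storage versions return the token with a leading '?', newer ones
# without; normalise so the URL below is correct either way.
$sas = $sas.TrimStart('?')

# Parse the token's query parameters and refuse to hand out anything broader
# than intended (sp = permissions, spr = allowed protocol, se = expiry).
$claims = @{}
foreach ($pair in $sas.Split('&')) {
    $k, $v = $pair.Split('=', 2)
    $claims[$k] = [uri]::UnescapeDataString($v)
}
if ($claims['sp'] -ne 'rl' -or $claims['spr'] -ne 'https') {
    throw "SAS grants more than read/list over HTTPS; refusing to issue it."
}

# What the client receives: container URL plus token, no account key anywhere.
[pscustomobject]@{
    Url         = "https://$storageAccount.blob.core.windows.net/$container`?$sas"
    Permissions = $claims['sp']
    Protocol    = $claims['spr']
    ExpiresUtc  = $claims['se']
}
```

Treat the resulting URL as a bearer credential: anyone who obtains it has the granted access until `se` passes, and an ad-hoc SAS signed with the account key cannot be revoked individually, only by rotating that key. If you need revocation without key rotation, sign the SAS against a stored access policy on the container (`New-AzStorageContainerStoredAccessPolicy`, then `-Policy` on `New-AzStorageContainerSASToken`) and delete the policy to invalidate every token issued under it.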