1
votes

I'm attempting to use the Azure REST API to create an Azure application that, as the first step, pulls all the subscriptions within an organization.

I'm using this guide, referenced from these Microsoft docs.
guide: https://blog.jongallant.com/2017/11/azure-rest-apis-postman/
docs: https://docs.microsoft.com/en-us/rest/api/azure/

I'm using the following Azure CLI command to create the service principal:

az ad sp create-for-rbac -n "<name>"

Currently, I can use the resulting service principal successfully in Postman to pull back 1 subscription when I hit:

GET https://management.azure.com/subscriptions?api-version=2016-06-01

However, this response gives only 1 subscription but in the Azure portal I see multiple subscriptions under the organization.

I've tried specifying scope like the following, but I can't seem to get it to work:

az ad sp create-for-rbac -n "<name>" --scope "/"
# OR
az ad sp create-for-rbac -n "<name>" --scope "/subscriptions"

Last bit of useful information, if I run the following in PowerShell, I get back multiple subscriptions. This is a synonymous call that I want to find a way to run for the REST API:

Get-AzureRmSubscription

How can I create one service principal that has access to all of the subscriptions under the org? Or is there another way to do this?


2 Answers

1
votes

How can I create one service principal that has access to all of the subscriptions under the org? Or is there another way to do this?

If this is your final goal, just create the service principal and then navigate to Access control (IAM) in your subscription in the portal -> Add -> Add role assignment -> assign a role to your service principal. For other subscriptions, do the same.

For more details and other ways to do that, you could refer to these links: via Azure portal, Powershell, Azure CLI, REST API, Template.

0
votes

To get all the subscriptions by one call, using a service principal is possible using Azure Management Groups.

Read about the Hierarchy of Azure Management groups

According to the above document, if we create a hierarchy and then add an SPN at the root Level, your ask would be achieved.

Create service principal -> Access control (IAM) in your management group -> Add -> Add role assignment -> assign a role to your service principal.

You can use this service principal to authorize the Azure REST API call:

POST https://login.microsoftonline.com/<YOUR-TENANT-ID>/oauth2/v2.0/token

grant_type:client_credentials
client_id:<Service-Principal-ClientId>
client_secret:<Service-Principal-ClientSecret>
scope:https://management.azure.com/.default

and then use the List Subscription API

GET https://management.azure.com/subscriptions?api-version=2020-01-01
Authorization: Bearer <accessToken_from_Step2>

List subscription MS Documentation
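The two-step flow in this answer (client-credentials token, then the subscriptions list), as an added example that is not part of either answer. It assumes the tenant id, client id and client secret are supplied through the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET (my naming, not from the answers), and that the service principal has already been given a role such as Reader at the management-group root or on each subscription, as the answers describe. It follows `nextLink` across result pages, which the single Postman call in the question does not, and the sample pages it runs against offline are constructed, not real Azure output:

```python
"""Added example: OAuth2 client-credentials token request against the v2.0
token endpoint, then a paginated GET of /subscriptions on Azure Resource
Manager. The subscription list only contains subscriptions on which the
principal holds a role assignment, so a short list means missing role
assignments rather than an API problem."""
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SUBS_URL = "https://management.azure.com/subscriptions?api-version=2020-01-01"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the client_credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default asks for the ARM audience; the roles come from RBAC, not the token
        "scope": "https://management.azure.com/.default",
    })
    return TOKEN_URL.format(tenant=tenant_id), body.encode()


def get_token(tenant_id, client_id, client_secret):
    """POST the form body and return the bearer access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def http_get_json(url, headers):
    """Real fetcher: GET url with the given headers and parse the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_subscriptions(page):
    """From one ARM list page return ([(id, displayName, state), ...], nextLink or None)."""
    subs = [(s["subscriptionId"], s.get("displayName", ""), s.get("state", ""))
            for s in page.get("value", [])]
    return subs, page.get("nextLink")


def list_all_subscriptions(fetch_json, token, first_url=SUBS_URL):
    """Follow nextLink until the service stops returning one.

    fetch_json(url, headers) -> dict is injected so the pagination logic can be
    exercised without network access."""
    headers = {"Authorization": f"Bearer {token}"}
    url, seen, all_subs = first_url, set(), []
    while url:
        if url in seen:  # defensive: never spin forever on a repeated nextLink
            raise RuntimeError(f"nextLink cycle at {url}")
        seen.add(url)
        subs, url = extract_subscriptions(fetch_json(url, headers))
        all_subs.extend(subs)
    return all_subs


# Constructed sample pages (not real Azure output) for offline use: page one
# carries a nextLink, page two does not.
SAMPLE_PAGES = {
    SUBS_URL: {
        "value": [{"subscriptionId": "00000000-0000-0000-0000-000000000001",
                   "displayName": "prod", "state": "Enabled"}],
        "nextLink": SUBS_URL + "&$skiptoken=page2",
    },
    SUBS_URL + "&$skiptoken=page2": {
        "value": [{"subscriptionId": "00000000-0000-0000-0000-000000000002",
                   "displayName": "dev", "state": "Enabled"}],
    },
}


def fake_fetch_json(url, headers):
    """Offline stand-in for http_get_json, served from SAMPLE_PAGES."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    creds = [os.environ.get(k) for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")]
    if all(creds):
        token = get_token(*creds)
        rows = list_all_subscriptions(http_get_json, token)
    else:
        rows = list_all_subscriptions(fake_fetch_json, "constructed-token")
    for sub_id, name, state in rows:
        print(f"{sub_id}  {name}  {state}")
```

Run it with the three environment variables set to query the real endpoints; without them it walks the constructed pages so the pagination and header handling can be checked first. If the live run returns fewer subscriptions than the portal shows, compare the role assignments on the principal (management-group scope or per subscription) before looking at the token request.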