0
votes

We have an application that has a service principal configured in order to grant access to azure resources. This service principal has a password configured with an expiration.

We want to configure our application to be aware of its service principal credential password expiration date. Which is the best way to grant a service principal access to its own expiration date?

By default this is not allowed.

az ad app show --id xxxxxxxxxx

Insufficient privileges to complete the operation.

But we can enable some API permissions (legacy Azure Active Directory Graph / Directory.Read.All) and it works, but this seems too open.

Is there any way to grant access to only the data of its own application id? Which is the best way to do this?


1 Answer

1
votes

AFAIK, it seems you could not do that. At least you need to grant the Application.ReadWrite.All permission. The command az ad app show --id xxxxxx essentially calls the Azure AD Graph API; you could check with --debug.


To call this api, from least to most privileged, it needs Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.Read.All. In your case, Application.ReadWrite.OwnedBy is not an option.

Besides, I also have tested az ad signed-in-user show; if you log in with an AD App, it looks like this command is not supported.
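Once the service principal has been granted one of the permissions listed in the answer, the application can read its own credential list and compute how long each password has left. The following is an added example, not code from the question or the answer: it parses a constructed sample of what `az ad app credential list --id <appId> -o json` prints and classifies each credential. The field names `endDateTime` (Microsoft Graph, newer azure-cli) and `endDate` (older Azure AD Graph based releases) are assumptions about the CLI output format.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `az ad app credential list --id <appId> -o json`.
# Newer azure-cli (Microsoft Graph) returns endDateTime; older releases that
# still call the Azure AD Graph API return endDate. Both are handled below.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "ci-secret", "keyId": "11111111-1111-1111-1111-111111111111",
     "endDateTime": "2024-03-01T00:00:00Z"},
    {"displayName": None, "keyId": "22222222-2222-2222-2222-222222222222",
     "endDate": "2025-06-30T12:00:00+00:00"},
])


def parse_timestamp(raw):
    """Parse an ISO 8601 timestamp into an aware UTC datetime."""
    # fromisoformat() in Python < 3.11 does not accept a trailing 'Z'
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def credentials_status(credential_json, now_iso, warn_days=30):
    """Classify each password credential as expired / expiring / ok.

    credential_json: the JSON text printed by `az ad app credential list`.
    now_iso: the reference time as an ISO 8601 string; passed in so the
             check is deterministic and testable.
    """
    now = parse_timestamp(now_iso)
    result = []
    for cred in json.loads(credential_json):
        raw = cred.get("endDateTime") or cred.get("endDate")
        if raw is None:
            raise ValueError(f"credential {cred.get('keyId')} has no expiry field")
        expiry = parse_timestamp(raw)
        days_left = (expiry - now).days
        state = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
        result.append({"keyId": cred.get("keyId"), "expires": expiry.isoformat(),
                       "days_left": days_left, "state": state})
    return result


if __name__ == "__main__":
    # In the real application this JSON would come from the az CLI (or the
    # Graph API directly) after the service principal logs in with its own
    # secret; the sample above stands in for that output here.
    for row in credentials_status(SAMPLE_CREDENTIALS, datetime.now(timezone.utc).isoformat()):
        print(row)
```

A credential returned with neither expiry field raises instead of being silently skipped, so a schema change in the CLI output is noticed rather than reported as "ok".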