
I'm following the following article on accessing the AAD Graph API using a managed identity - https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-azure-ad-graph

With my global admin account I am executing something along the lines of the following in PowerShell:

# $WindowsAADServicePrincipal and $identity are created in the earlier steps of the linked tutorial (not shown)
$AppRole = $WindowsAADServicePrincipal.AppRoles | Where-Object { $_.Value -eq "Application.ReadWrite.All" -and $_.AllowedMemberTypes -contains "Application" }
New-AzureAdServiceAppRoleAssignment -ObjectId $identity.PrincipalId -PrincipalId $identity.PrincipalId -ResourceId $WindowsAADServicePrincipal.ObjectId -Id $AppRole.Id

The command reports the following "Insufficient privileges" exception, but the role still seems to be assigned to the service principal!!??

New-AzureAdServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: XXX
DateTimeStamp: Mon, 17 Jun 2019 15:16:53 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:5 char:5
+     New-AzureAdServiceAppRoleAssignment -ObjectId $identity.Principal ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment

My question is: why? If I look at an HTTP trace of the requests made by this command to the AAD Graph API, I don't see much of interest.

If I execute the request manually to assign a role using the managed identity above, to which I assigned the required permissions, I get a similar exception but no role is assigned. What's odd is that I have tried assigning a number of permissions to the identity executing this request, up to even Global Admin on the tenant, but I still see this error....

# $created_principal, $permission and $access_token are assumed to be set earlier in the script (not shown)
$created_permissions = Invoke-RestMethod -Method Post `
    -Uri "https://graph.windows.net/tenantname.onmicrosoft.com/servicePrincipals/$($created_principal.objectid)/appRoleAssignments?api-version=1.6" `
    -Body ($permission | ConvertTo-Json -Depth 99 -Compress) `
    -ContentType "application/json" `
    -Headers @{ "Authorization" = "Bearer $access_token" }

I would like to avoid giving the identity Global Admin or a similar role, and would prefer to give it a granular permission, i.e. Application.ReadWrite.OwnedBy.


1 Answer


I think you're running into a known issue.

I've run into a similar one with a slightly different context, i.e. MSI for Logic Apps. Please take a look at this SO post for more details - Assigning Microsoft Graph permissions to Azure Managed Service Identity.

I used to get an Authorization_RequestDenied error for the first run and Request_BadRequest for any retries, because even though the first run gave an error, the permission/role assignment does actually get added. Even though it's supposed to be intermittent, I got it pretty consistently. In the end I could just ignore the error, because the desired permission still gets assigned to the managed identity.

Here is a related GitHub issue - Executing the New-AzureAdServiceAppRoleAssignment step returns a Forbidden error

It's a long thread, but look at the comment by daveba from Microsoft.

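Rather than silently ignoring the Authorization_RequestDenied / Request_BadRequest error as the answer describes, a safer pattern is to read the assignment back and fail only if it is really missing. The following is an added PowerShell example, not code from the question, the answer, or Microsoft's tutorial; it assumes $identity, $WindowsAADServicePrincipal and $AppRole are already defined as in the question, and that the AzureAD module is loaded.

```powershell
# Added example: attempt the app role assignment, then verify the tenant's actual state
# from the resource service principal instead of trusting (or blindly ignoring) the error.
# Assumes $identity, $WindowsAADServicePrincipal and $AppRole from the question's script.
function Assert-AppRoleAssigned {
    param(
        [Parameter(Mandatory)] $Identity,    # managed identity object (uses .PrincipalId)
        [Parameter(Mandatory)] $ResourceSp,  # resource service principal, e.g. AAD Graph
        [Parameter(Mandatory)] $AppRole      # app role object from $ResourceSp.AppRoles
    )

    try {
        # -ErrorAction Stop turns the ApiException into a catchable terminating error
        New-AzureADServiceAppRoleAssignment -ObjectId $Identity.PrincipalId `
            -PrincipalId $Identity.PrincipalId -ResourceId $ResourceSp.ObjectId `
            -Id $AppRole.Id -ErrorAction Stop | Out-Null
        Write-Host "Assignment of $($AppRole.Value) returned without error."
    }
    catch {
        # Only the two error codes known to be spurious here are tolerated; anything
        # else (network, auth, bad ids) is a real failure and must surface.
        if ($_.Exception.Message -notmatch 'Authorization_RequestDenied|Request_BadRequest') {
            throw
        }
        Write-Warning "Cmdlet reported an error; verifying the real state before continuing."
    }

    # Read back from the resource side: every assignment of this resource's app roles.
    # The 'Id' property of an assignment is the app role id, matching -Id above.
    $existing = Get-AzureADServiceAppRoleAssignment -ObjectId $ResourceSp.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $Identity.PrincipalId -and $_.Id -eq $AppRole.Id }

    if (-not $existing) {
        throw "App role $($AppRole.Value) is NOT assigned to principal $($Identity.PrincipalId); the error was genuine."
    }
    Write-Host "Verified: $($AppRole.Value) is assigned to principal $($Identity.PrincipalId)."
    return $existing
}

Assert-AppRoleAssigned -Identity $identity -ResourceSp $WindowsAADServicePrincipal -AppRole $AppRole
```

Running it a second time reproduces the Request_BadRequest case from the answer: the cmdlet fails, but the read-back finds the existing assignment and the function still succeeds.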