
I want to give an Azure Managed Identity access to the Graph with Directory.Read.All. I was able to get it to work by following this blog: https://blog.bredvid.no/accessing-apis-using-azure-managed-service-identity-ff7802b887d?gi=f2307752395a, however:

  • that throws an Authorization_RequestDenied error (though apparently expected: MSI Permissions for Graph API)

  • I would prefer to get this working under az-cli

I tried...

# Object id of the Microsoft Graph service principal (well-known appId); -o tsv strips the JSON quotes
graphId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].objectId" -o tsv)
# Id of the Directory.Read.All *application* role (not the delegated scope of the same name)
roleId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].appRoles[?value=='Directory.Read.All' && contains(allowedMemberTypes, 'Application')] | [0].id" -o tsv)
# Try to grant it through Azure RBAC, with the Graph service principal as the scope
az role assignment create --role "$roleId" --assignee-object-id fa22d971-c442-41f2-add1-77e636f80d31 --scope "$graphId" --assignee-principal-type MSI

But this results in... "The request did not have a subscription or a valid tenant level resource provider."

I am thinking this means I don't have the scope right. Is it possible to do this assignment under az-cli?

I'm not sure if you can do it with AZ CLI. az role assignment manages RBAC assignments for Azure Management, not Graph API. You can check my article to see how to do it with Azure AD PowerShell: joonasw.net/view/…
juunas

1 Answer


It is not possible to assign a service principal (MSI) to an application role currently; all the commands are here.

`az role assignment create` adds a user/service principal/group to an Azure resource with an RBAC role, which is not what you want; it equals the steps in this link.


Besides, if you want to use the Azure CLI instead of PowerShell because of the cross-platform issue, you could try PowerShell Core, which is cross-platform; refer to this link to install the AzureAD.Standard.Preview module in it, and then you will be able to use the AzureAD commands.
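As an added worked example (not code from the question or the answer): what the question is trying to create is a Graph `appRoleAssignment` on the managed identity's service principal, not an Azure RBAC role assignment, which is why `az role assignment create` rejects the Graph service principal as a scope. The script below looks up the same two ids the question does and then creates the assignment by calling Graph directly with `az rest` (a later addition to the CLI that may not have existed when this answer was written; the Azure AD PowerShell equivalent the answer and comment point to is `New-AzureADServiceAppRoleAssignment`). It assumes a signed-in account allowed to grant application permissions (Global Administrator or Privileged Role Administrator), takes the MSI object id from an `MSI_OBJECT_ID` environment variable that is assumed here, and `build_app_role_assignment_body`, `lookup_graph_ids`, `grant_graph_app_role` and `show_assignments` are helper names chosen for this example. The `[0].id || [0].objectId` query covers both newer CLI output (`id`) and the older output (`objectId`) used in the question. Note that `Directory.Read.All` as an application permission is tenant-wide and needs no user consent, so treat the identity that holds it accordingly.

```shell
#!/bin/sh
# Added example: grant a managed identity the Microsoft Graph application
# permission Directory.Read.All by creating a Graph appRoleAssignment.
# Assumes: az CLI with `az rest`, a signed-in admin able to grant app roles,
# and the MSI object id in the (assumed) MSI_OBJECT_ID environment variable.
set -eu

# Well-known appId of the Microsoft Graph service principal (same as the question)
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"

# Pure helper: build the appRoleAssignment request body. Kept free of any
# az call so it can be checked offline.
#   $1 = principalId (the MSI's object id)
#   $2 = resourceId  (the Graph service principal's object id)
#   $3 = appRoleId   (the Directory.Read.All application role id)
build_app_role_assignment_body() {
  printf '{"principalId":"%s","resourceId":"%s","appRoleId":"%s"}' "$1" "$2" "$3"
}

# Look up the Graph service principal's object id and the id of the
# Directory.Read.All *application* role. The allowedMemberTypes filter matters:
# there is also a delegated scope of the same name that an MSI cannot use.
lookup_graph_ids() {
  GRAPH_SP_ID=$(az ad sp list --filter "appId eq '$GRAPH_APP_ID'" \
    --query "[0].id || [0].objectId" -o tsv)
  ROLE_ID=$(az ad sp list --filter "appId eq '$GRAPH_APP_ID'" \
    --query "[0].appRoles[?value=='Directory.Read.All' && contains(allowedMemberTypes, 'Application')] | [0].id" \
    -o tsv)
}

# Create the assignment: POST on the MSI's own appRoleAssignments collection.
# `az rest` acquires a Graph token for graph.microsoft.com automatically.
#   $1 = MSI object id
grant_graph_app_role() {
  lookup_graph_ids
  body=$(build_app_role_assignment_body "$1" "$GRAPH_SP_ID" "$ROLE_ID")
  az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$1/appRoleAssignments" \
    --headers "Content-Type=application/json" \
    --body "$body"
}

# Verify what the MSI now holds (resource name and app role id per assignment).
#   $1 = MSI object id
show_assignments() {
  az rest --method GET \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$1/appRoleAssignments" \
    --query "value[].{resource:resourceDisplayName, role:appRoleId}" -o table
}

# Only talk to Azure when an MSI object id was supplied.
if [ -n "${MSI_OBJECT_ID:-}" ]; then
  grant_graph_app_role "$MSI_OBJECT_ID"
  show_assignments "$MSI_OBJECT_ID"
fi
```

Run it as `MSI_OBJECT_ID=<object id of the identity> sh grant-graph-role.sh` after `az login` with an account that can grant application permissions. Because the assignment is stored in Azure AD rather than in Azure Resource Manager, it never appears in `az role assignment list`; the `show_assignments` query against Graph is the right place to confirm it, and the same `appRoleAssignments` endpoint is where it is deleted when the identity no longer needs tenant-wide directory read.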