Grant Security Reader role to an Azure Service Principal in az cli

0
votes

I'm trying to allow a service principal in Azure to read from Azure Active Directory in order to perform lookups against AAD when using Terraform.

I'm pretty sure that the role required is the Security Reader role, however, I'm not sure what the context needs to be in order to add the service principal to the role. I'm assuming it is on the tenantId, but not sure the format that the az role assignment command then needs?

The code I'm currently using is as follows:-

sp=$(az ad sp list --query "[?displayName=='[my app]'].appId" --output tsv)
tenantId=$(az account show --query tenantId --output tsv)
az role assignment create --role "Secuity Reader" --assignee $sp --scope $tenantId

But this does not validate against the scope correctly, so it's clearly not just the tenant id. I know for subscription level scope it would be /subscriptions/[subscription id]... etc, but I don't know what the format would be for tenancy level permissions?

1
azureazure-active-directoryazure-cliterraform-provider-azureservice-principal
docs.microsoft.com/en-us/cli/azure/role/…Daniel Björk

1 Answers

1
votes

The az role assignment command is a subscription based command, using this you can only add assignments to specific subscriptions so called RBAC (Resource Based Access Control) assignments.

What you are searching for is adding the role to the Azure AD.

To show you to add a this is how you add an AAD Role to a user with PowerShell: https://docs.microsoft.com/en-us/powershell/module/azuread/add-azureaddirectoryrolemember?view=azureadps-2.0

Add-AzureADDirectoryRoleMember
   -ObjectId <String>
   -RefObjectId <String>
   [-InformationAction <ActionPreference>]
   [-InformationVariable <String>]
   [<CommonParameters>]

This is how to add an RBAC role with PowerShell: https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azroleassignment?view=azps-4.4.0

New-AzRoleAssignment
   -ObjectId <String>
   [-Scope <String>]
   -RoleDefinitionName <String>
   [-AllowDelegation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

It is two totally different things using two different modules. I don't know if there is an addon to CLI to support the AzureAD module.