0 votes

Per Microsoft's documentation here: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#rest-api

By making this POST request, you can elevate your privileges from AAD into Azure RBAC. This request, when successful, will add the user to the "User Access Administrator" role.

I'm attempting to do this for an application with a service principal that is a Global Administrator in my tenant, however I'm getting an error:

Invoke-RestMethod : {"error":{"code":"AuthorizationFailed","message":"The client '1234567890' with object id
'1234567890' does not have authorization to perform action 'Microsoft.Authorization/elevateAccess/read' over scope
'/providers/Microsoft.Authorization' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

My code is here:

    $TenantId = "12345"
    $ClientId = "1234567890"
    $ClientSecret = "test12345"
    # Azure Resource Manager audience for the v1 (oauth2/token) endpoint
    $Resource = "https://management.core.windows.net/"
    $RequestAccessTokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    $body = "grant_type=client_credentials&client_id=$ClientId&client_secret=$ClientSecret&resource=$Resource"
    $Token = Invoke-RestMethod -Method Post -Uri $RequestAccessTokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'
    $Token   # dumps the whole token response to the console, bearer token included
    # Header value is "<token_type> <access_token>" with a single space between the two
    $Header = @{ Authorization = "$($Token.token_type) $($Token.access_token)" }
    # elevateAccess is a POST; without -Method, Invoke-RestMethod sends a GET
    Invoke-RestMethod -Method Post -Headers $Header -Uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" -Verbose

If the SP is a Global Administrator, why would I be getting a permissions error?

1 Answer

1 vote

It's not supported to use a service principal to elevate access for itself currently.

You need to use another Global Administrator account with elevated access at root scope to do this for a service principal.

In other words, we cannot use the Azure REST API Global Administrator - Elevate Access to accomplish this.

It's recommended to use Azure PowerShell.

A sample for your reference:

    $tenantid = ""
    $subscriptionid = ""
    $servicePrincipalName = ""

    # Sign in as a Global Administrator user that already has elevated access at root scope
    Connect-AzAccount -Tenant $tenantid -Subscription $subscriptionid

    # Confirm the elevated assignment (User Access Administrator at scope "/") is in place
    Get-AzRoleAssignment | Where-Object { $_.RoleDefinitionName -eq "User Access Administrator" -and $_.Scope -eq "/" }

    # Grant the service principal User Access Administrator at root scope.
    # On newer Az.Resources versions the property is AppId rather than ApplicationId;
    # -ObjectId $servicePrincipal.Id works with both.
    $servicePrincipal = Get-AzADServicePrincipal -DisplayName $servicePrincipalName
    New-AzRoleAssignment -RoleDefinitionName "User Access Administrator" -ApplicationId $servicePrincipal.ApplicationId -Scope "/"
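The full procedure the answer describes, as an added example that is not part of the question or the answer above: a Global Administrator *user* elevates their own access with the documented REST call, verifies the root-scope assignment, grants the service principal the same role, and then drops their own elevation. It assumes the Az.Accounts and Az.Resources modules, and the tenant ID and service principal display name are placeholders. The same POST made from a service-principal session fails with the AuthorizationFailed error from the question, which is exactly why the user-level elevation is needed first.

```powershell
# Added example, not code from the question or the answer. Run as a user who is a
# Global Administrator in the tenant; the two values below are placeholders.
$tenantId             = "<tenant-id>"
$servicePrincipalName = "<service-principal-display-name>"

Connect-AzAccount -Tenant $tenantId | Out-Null

# 1. Elevate the signed-in user. Invoke-AzRestMethod reuses the Connect-AzAccount
#    session, so the token belongs to the user, not to a client-credential app.
#    A successful call returns HTTP 200 with an empty body.
$resp = Invoke-AzRestMethod -Method POST -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
if ($resp.StatusCode -ne 200) {
    throw "elevateAccess failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# 2. Verify the result: the user must now hold User Access Administrator at scope "/".
$me = (Get-AzContext).Account.Id
$elevated = Get-AzRoleAssignment -SignInName $me |
    Where-Object { $_.RoleDefinitionName -eq "User Access Administrator" -and $_.Scope -eq "/" }
if (-not $elevated) { throw "Elevation did not produce a root-scope assignment for $me" }

# 3. With root-scope rights, the user can hand the service principal the same role.
#    -ObjectId avoids the ApplicationId/AppId property difference between Az.Resources versions.
$sp = Get-AzADServicePrincipal -DisplayName $servicePrincipalName
if (-not $sp) { throw "No service principal named '$servicePrincipalName'" }
$existing = Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.RoleDefinitionName -eq "User Access Administrator" -and $_.Scope -eq "/" }
if (-not $existing) {
    New-AzRoleAssignment -RoleDefinitionName "User Access Administrator" -ObjectId $sp.Id -Scope "/"
}

# 4. Least privilege: remove the user's own root-scope elevation once the SP is set up.
#    User Access Administrator at "/" can assign any role in every subscription of the
#    tenant, so it should not remain on an interactive account.
Remove-AzRoleAssignment -SignInName $me -RoleDefinitionName "User Access Administrator" -Scope "/"
```

Step 4 matters for the service principal as well: a root-scope User Access Administrator assignment on an SP is a tenant-wide privilege-escalation path if that SP's client secret or certificate leaks, so scope it down (or remove it) as soon as the SP has done the one-off work it needed the role for.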