What permissions are needed in Azure to grant access to a managed identity for calling a custom api

0
votes

I want to assign role Things.Reead.All, created in my app registration to a managed identity. The app registration SP object id is 8055e1eb-0000-0000-9b77-00000000000 The Role definition looks like this

"appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Allow the application to read all things as itself.",
            "displayName": "Read all things",
            "id": "86a914fa-a862-4962-9975-000000000000",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "Things.Read.All"
        }

The only thing known about a system assigned managed identity is its object id, say

aad300-0872-0000-811d-00000000000

and I want to allow it to call the application 8055e1eb-0000-0000-9b77-00000000000 that expects to see the Role in access token. I know I have to use the following api to do this.

https://graph.microsoft.com/v1.0/servicePrincipals/8055e1eb-0000-0000-9b77-00000000000/appRoleAssignedTo
{
  "principalId": "aad300-0872-0000-811d-00000000000",
  "resourceId": "8055e1eb-0000-0000-9b77-00000000000",
  "appRoleId": "86a914fa-a862-4962-9975-000000000000"
}

I have wide but controlled access in my tenant. When I acquire a token from

az account get-access-token --resource https://graph.microsoft.com

and call the above, I get

    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",

What I need to figure out is the exact privilege that is needed to make this call.

1
azureazure-active-directoryazure-managed-identity

1 Answers

1
votes

As you did not answer my comment, I can just give you my own solution which used the service principal to login the azure cli, it works for me.

Please follow the steps below.

1.Create a new App Registration in azure ad, then get values for signing in and create a new application secret.

2.Navigate to the API permissions of the App, add the Application permission(not Delegated permission) Directory.ReadWrite.All of Microsoft Graph, don't forget to click the Grant admin consent for xxx button at last.

Note: From the doc, the AppRoleAssignment.ReadWrite.All permission is enough, but per my test, it will not work, not sure if it is a bug, I have decoded the token, the token has the AppRoleAssignment.ReadWrite.All permission.

enter image description here

enter image description here

3.In azure cli, run the commands below to get the token.

az account clear
az login --service-principal --allow-no-subscriptions --username '<application-id>' --password '<application secret>' --tenant '<tenant-id>'
az account get-access-token --resource https://graph.microsoft.com

4.I test the token to call the api - Grant an appRoleAssignment for a service principal to grant the app role for the system-assigned identity of my funtion app,it works fine.

enter image description here

Check it in the portal:

enter image description here