0
votes

I am trying to write a Python Azure Function to create a service principal with a custom role. I have the JSON template to pass role definitions and create a custom role. The idea for the function is to use the REST API equivalent of the 'az ad sp create-for-rbac' CLI command and generate client_id, client_secret and tenant_id. Please let me know if you have tried this; any help here is much appreciated, thank you!

import logging
  
import azure.functions as func


def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    name = req.params.get('name')
    if not name:
        try:
            req_body = req.get_json()
        except ValueError:
            pass
        else:
            name = req_body.get('name')

    if name:
        return func.HttpResponse(f"Hello, {name}. This HTTP triggered function executed successfully.")
    else:
        return func.HttpResponse(
             "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response.",
             status_code=200
        )
1
What is the actual problem here? - Ruli
Trying to write an Azure Function that can inherit credentials to invoke azure-cli to create a service principal with a custom role. So just weighing my options and trying to see if it's possible or if there are any roadblocks to implement this. - KGosalia

1 Answer

0
votes

You have two options:

  1. Make use of the Microsoft Graph API to create and manage your app users. Unfortunately there isn't currently an SDK for Python, so you will need to set this up via API calls yourself.
  2. Easier but not recommended. Use the GraphRbacManagementClient class in the Azure SDK for Python. There are methods specifically for doing this in the library (and it is what the CLI currently uses). However, we are no longer developing the Azure Graph APIs, recommending migration to the Microsoft Graph API instead.
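
The Microsoft Graph route from option 1, sketched as an added example that is not part of the original answer: the four REST calls that roughly correspond to `az ad sp create-for-rbac` with a custom role. It assumes the caller already holds a Microsoft Graph token (with a permission such as Application.ReadWrite.All) and an Azure Resource Manager token allowed to write role assignments at the scope, and that the custom role definition already exists; `create_sp_for_rbac`, `http_send` and the `send` parameter are names made up for this sketch.

```python
import json
import urllib.request
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"
ARM = "https://management.azure.com"


def http_send(method, url, token, body):
    """Default transport (hypothetical helper): one authenticated JSON request."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_sp_for_rbac(name, tenant_id, scope, role_definition_id,
                       graph_token, arm_token, send=http_send):
    """Create app + service principal + secret, then assign the custom role.

    scope and role_definition_id are full ARM resource IDs supplied by the
    caller (assumption: the custom role is already defined at that scope).
    """
    # 1. App registration, 2. its service principal, 3. a client secret.
    app = send("POST", f"{GRAPH}/applications", graph_token,
               {"displayName": name})
    sp = send("POST", f"{GRAPH}/servicePrincipals", graph_token,
              {"appId": app["appId"]})
    cred = send("POST", f"{GRAPH}/applications/{app['id']}/addPassword",
                graph_token, {"passwordCredential": {"displayName": "rbac"}})
    # 4. Bind the role to the new principal; keep the scope as narrow as the
    #    workload allows. principalType avoids lookups of a principal that
    #    has not replicated yet.
    assignment_url = (f"{ARM}{scope}/providers/Microsoft.Authorization/"
                      f"roleAssignments/{uuid.uuid4()}?api-version=2022-04-01")
    send("PUT", assignment_url, arm_token, {"properties": {
        "roleDefinitionId": role_definition_id,
        "principalId": sp["id"],
        "principalType": "ServicePrincipal"}})
    # Graph returns secretText only once; hand it back without logging it.
    return {"client_id": app["appId"], "client_secret": cred["secretText"],
            "tenant_id": tenant_id}
```

Inside an Azure Function, the returned secret is better written straight to a secret store than echoed in the HTTP response or the function logs.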