Azure AD - Can a Service Principal assign itself RBAC role in an Azure Subscription?

0
votes

I have a Web API that is protected by Azure AD. I have created an app registration for the Web API that only allows users from that Azure AD to access the API (i.e. single tenant). This process also created a Service Principal in that tenant.

What I am wondering is if this Service Principal can self-assign itself RBAC role (any RBAC role for that matter) in an Azure Subscription that trusts this Azure AD? Or will this be a user-initiated action where a user with appropriate permission (like Owner or User Access Administrator) has to assign appropriate role to this Service Principal?

From whatever my understanding is, I believe it is latter (i.e. another user has to perform this operation). However it looks like it should be possible though.

The reason I say this is when I create a new Azure Subscription, I am automatically assigned an Owner role in that Azure Subscription (I am a Global Administrator in my Azure AD). I am wondering how that is accomplished.

If it is indeed possible, then what Azure AD role should be assigned to the Service Principal?

Any insights into this will be highly appreciated.

2
azureazure-active-directoryrbacazure-service-principal

2 Answers

2
votes

Of course it can, but the service principal also needs the Microsoft.Authorization/roleAssignments/write permission e.g. Owner or User Access Administrator to assign another RBAC role to itself.

If you mean the service principal has no RBAC role currently, then it can't, even if it is a Global admin in the tenant, it could not assign the RBAC role to itself directly.

Besides, the user account is different from a service principal, if a user is a global admin in the tenant, he can simply Elevate access to manage all Azure subscriptions and management groups for himself(this just works for the user, not service principal), then he will get the User Access Administrator role at the root scope, then he can assign any RBAC role to himself.

If your service principal is a global admin and wants to assign RBAC role to itself, you may need to assign the global admin role to another user account first, then elevate access to manage all Azure subscriptions, then use the user account to assign the RBAC role to the service principal.

1
votes

You are correct that a principal can only grant itself permissions when it already has rights to do so. It would follow that a brand new MSI principal would not be a member of any groups or assigned any RBAC roles and therefore could not grant itself additional rights.

In the case of an Azure Subscription, the principal which creates the subscription either has permission to do so in an existing tenant or is creating a new tenant and subscription, and rights are granted by the system to the user as the creator/owner.

A possible approach to automate granting rights to new MSIs would be to use an Azure Function, calling the Microsoft Graph to query for new MSIs matching a search criteria, then grant the MSI principal the required permissions. The Function would have to have an MSI assigned which would need permission to grant the required rights to the new MSI at the desired scope.