Azure-Samples / aad-dotnet-manage-users-groups-and-roles

Getting started on managing users and groups using C#
https://docs.microsoft.com/en-us/dotnet/azure
MIT License

No details on SP permissions to enable AAD management #2

Open TheAzureGuy opened 6 years ago

TheAzureGuy commented 6 years ago

This is a great sample covering the key scenarios. However, there is no explanation as to what specific permissions a service principal needs to be granted in AAD to be able to add users or modify role assignments. All attempts to get this sample to work with a custom SP were hopeless. I'm getting a cryptic CloudException back without any details whatsoever. Would appreciate your advice.

```
Selected subscription: xxxxx
Creating an Active Directory user Test 76e11025a212d11af...
Microsoft.Rest.Azure.CloudException: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
   at Microsoft.Azure.Management.Graph.RBAC.Fluent.DomainsOperations.<ListWithHttpMessagesAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.Graph.RBAC.Fluent.DomainsOperationsExtensions.<ListAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.Graph.RBAC.Fluent.ActiveDirectoryUserImpl.<CreateResourceAsync>d__23.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.ResourceActions.Creatable`4.<Microsoft-Azure-Management-ResourceManager-Fluent-Core-ResourceActions-IResourceCreator-CreateResourceAsync>d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.CreatorTaskItem`1.d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.TaskGroupBase`1.<ExecuteNodeTaskAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.Extensions.Synchronize[TResult](Func`1 function)
   at ManageUsersGroupsAndRoles.Program.RunSample(IAuthenticated authenticated)
   at ManageUsersGroupsAndRoles.Program.Main(String[] args)
```

mersadk commented 5 years ago

I agree, it would save a lot of time if this information was available.

I was able to create a user by giving the following permission to my application: Azure Active Directory Graph -> Application permissions -> Directory.ReadWrite.All
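The CloudException in the first comment carries the directory service's HTTP status and error body, which the sample's top-level `Synchronize` call hides; the wrapper below surfaces them so a missing application permission (such as the Directory.ReadWrite.All grant the second comment describes) shows up as a 403 with its error code instead of an empty message. This is an added example, not code from the Azure-Samples repository; it assumes the sample's `IAuthenticated authenticated` object and the fluent `ActiveDirectoryUsers.Define(...).WithEmailAlias(...).WithPassword(...).Create()` chain used in `RunSample`.

```csharp
using System;
using System.Net;
using Microsoft.Rest.Azure;
using Microsoft.Azure.Management.Fluent;

static class AadDiagnostics
{
    // Runs one management call and, when the SDK throws its generic CloudException,
    // reports the HTTP status, error code and raw body returned by the directory API.
    public static T RunWithDiagnostics<T>(string what, Func<T> action)
    {
        try
        {
            return action();
        }
        catch (CloudException ex)
        {
            Console.Error.WriteLine($"{what} failed: {ex.Message}");
            if (ex.Response != null)
            {
                Console.Error.WriteLine($"  HTTP {(int)ex.Response.StatusCode} {ex.Response.StatusCode}");
                Console.Error.WriteLine($"  Body: {ex.Response.Content}");
                // A 403 from the directory endpoint means the service principal lacks a
                // directory (AAD Graph) application permission; an ARM role on the
                // subscription does not grant the right to create users or groups.
                if (ex.Response.StatusCode == HttpStatusCode.Forbidden)
                    Console.Error.WriteLine("  Check the app's Azure Active Directory Graph application permissions and admin consent.");
            }
            if (ex.Body != null)
                Console.Error.WriteLine($"  Error: {ex.Body.Code} - {ex.Body.Message}");
            throw;
        }
    }

    // Assumed call site, mirroring the sample's RunSample: userName, userEmail and
    // password are the values the sample generates for the test user.
    public static Microsoft.Azure.Management.Graph.RBAC.Fluent.IActiveDirectoryUser CreateUser(
        Azure.IAuthenticated authenticated, string userName, string userEmail, string password)
    {
        return RunWithDiagnostics("Create AD user " + userName, () =>
            authenticated.ActiveDirectoryUsers
                .Define(userName)
                .WithEmailAlias(userEmail)
                .WithPassword(password)
                .Create());
    }
}
```

Run the sample once with the wrapper in place before granting any permission; the status and error code in the output tell you whether the failure is a missing directory permission or something else entirely.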