Azure / azure-cli

Azure Command-Line Interface
MIT License

az ad sp - documentation improvement recommendations #14731

Open Jamie-Clayton opened 4 years ago

Jamie-Clayton commented 4 years ago

The process for creating applications and then creating the associated service principals with the CLI is not clear. It would be good to reference https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#relationship-between-application-objects-and-service-principals so that users understand the background relationship.

In particular, the referenced article mentions the relationship between tenant, application and service principal. The Azure portal Active Directory Applications blade doesn't make the service principal relationship obvious to the CLI user:

An application object therefore has a 1:1 relationship with the software application, and a 1:many relationship with its corresponding service principal object(s).

Here is some sample CLI code that I was using (based on an old Azure RM PowerShell script) and trying to upgrade to use the Azure CLI; while getting it working I discovered a bug in the CLI behaviour: https://github.com/Azure/azure-cli/issues/14727.

# Change the following variables as needed
$appName = "Icecream App"
$appOwnerObjectId = "00000000-0000-0000-0000-000000000000" # az ad user list (find your name).
$appHomePage = "https://icecreamery.good"
$appIdentUri = "https://icecreamery.flavour"

az login

Write-Output "Creating AAD application..."
$azureAdAppId = az ad app create --display-name $appName --homepage $appHomePage --identifier-uris $appIdentUri --credential-description "OctopusDeploy" --query 'appId' -o tsv
az ad app owner add --id $azureAdAppId --owner-object-id $appOwnerObjectId

$azureServicePrinciple = az ad sp create --id $azureAdAppId | ConvertFrom-Json

# THIS IS THE PROBLEM LINE that triggers the error.  (Feels like AppRoles is more complex than my guess)
az ad sp update --id $azureServicePrinciple.appId --set appRoles=contributor

# And this is the scope for the contributor role, which I figure is the next thing to set after this.
#az ad sp update --id $azureServicePrinciple.appId --set scopes="/subscriptions/$subscriptionId/resourceGroups/$appResourceGroup"

There are some counter-intuitive values for configuring service principals that make it difficult to understand the service principal relationship to applications and resource security roles. I've attempted to create service principals with the "az ad sp create-for-rbac" option in the following code sample, and associate it with an application, unsuccessfully. The service principal is created, but I couldn't determine how to associate it with the application.

# Placeholder values for the variables this snippet relies on; replace with your own.
$subscriptionId = "00000000-0000-0000-0000-000000000000" # az account show --query id -o tsv
$appResourceGroup = "icecream-rg"
$azureRegion = "australiaeast"

Write-Output "Creating Resource Group for the application..."
$rg = az group create -l $azureRegion -n $appResourceGroup | ConvertFrom-Json

$ServicePrincipleName = "https://Icreamery-Acai-ServicePrinciple" # Must be in URI format. Why? (The Azure portal UI for Applications uses the label "Managed application in local directory" with a hyperlink.)

Write-Output "Creating AAD service principal with security (but this doesn't associate it with app.)..."
az ad sp create-for-rbac --name $ServicePrincipleName --role contributor --scopes /subscriptions/$subscriptionId/resourceGroups/$appResourceGroup -o json

Creating an application manually only takes a small amount of time via the Azure portal AD UI, but the time and effort to automate that process seems disproportionately high with the current CLI documentation and API options.
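As an added example (not the issue author's script and not azure-cli project code), here is the sequence that links the three objects the thread talks about: an application registration, the service principal created from it, and a Contributor role assignment scoped to one resource group. The app name, subscription ID, resource group and region are placeholders; `az ad sp create-for-rbac` is deliberately not used because it registers a new application of its own rather than attaching to an existing one.

```powershell
# Added example: application -> service principal -> scoped RBAC assignment.
# All names, IDs and the region below are placeholders to replace.
$appName          = "Icecream App"
$subscriptionId   = "<subscription-id>"
$appResourceGroup = "icecream-rg"
$azureRegion      = "australiaeast"
$scope            = "/subscriptions/$subscriptionId/resourceGroups/$appResourceGroup"

az login | Out-Null
az account set --subscription $subscriptionId

# 1. Application object: one per software application, defined once in the home tenant.
$appId = az ad app create --display-name $appName --query appId -o tsv

# 2. Service principal: the tenant-local identity of that application.
#    Passing the appId here is what associates the SP with the app registration.
az ad sp create --id $appId | Out-Null

# 3. Azure RBAC: grant Contributor on the resource group only (least privilege).
#    This is a role assignment, not an appRoles entry; appRoles are permissions an
#    application defines for callers of its own API, not Azure resource roles.
az group create -l $azureRegion -n $appResourceGroup | Out-Null
$attempt = 0
do {
    # A freshly created SP may not be visible to ARM yet, so retry briefly.
    $assignment = az role assignment create --assignee $appId --role Contributor --scope $scope -o json 2>$null
    if (-not $assignment) { $attempt++; Start-Sleep -Seconds 10 }
} while (-not $assignment -and $attempt -lt 6)
if (-not $assignment) { throw "Role assignment for $appId at $scope did not succeed after retries" }

# 4. Verify what the identity can do, and where; anything broader than $scope is a finding.
az role assignment list --assignee $appId --all -o table
```

The final listing is the check worth keeping in any provisioning script: it shows every assignment the principal holds, so an accidental subscription-wide grant stands out immediately.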



yonzhan commented 4 years ago

add to S175