Azure / azure-cli

Azure Command-Line Interface
MIT License

Permissions needed for Service Principal to Update Reply Urls / Redirect Uris #15103

Open jaslloyd opened 4 years ago

jaslloyd commented 4 years ago

Hello,

I was wondering if somebody could help. I have a service principal/app registration, e.g. 12345, and I am logging into the CLI via:

az login --service-principal --username 12345 --password ${PASS} --tenant ${TENANT_ID}

I am able to get the current reply URLs via this command: az ad app show --id 12345 --query replyUrls

However, when I try to update the replyUrls using the az rest command via this command: az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/$OBJECT_ID" --headers 'Content-Type=application/json' --body "{\"spa\":{\"redirectUris\": "$NEW_REDIRECT_URIS"}}" --debug

I get the following:

10:10:18 DOCKER: Response content:
10:10:18 DOCKER: {
10:10:18 DOCKER:   "error": {
10:10:18 DOCKER:     "code": "Authorization_RequestDenied",
10:10:18 DOCKER:     "message": "Insufficient privileges to complete the operation.",
10:10:18 DOCKER:     "innerError": {
10:10:18 DOCKER:       "date": "2020-09-09T09:10:18",
10:10:18 DOCKER:       "request-id": "7f409de5-dad1-41b5-af84-3023291c32ae"
10:10:18 DOCKER:     }
10:10:18 DOCKER:   }
10:10:18 DOCKER: }
10:10:18 DOCKER: cli.azure.cli.core.util : Forbidden({
10:10:18 DOCKER:   "error": {
10:10:18 DOCKER:     "code": "Authorization_RequestDenied",
10:10:18 DOCKER:     "message": "Insufficient privileges to complete the operation.",
10:10:18 DOCKER:     "innerError": {
10:10:18 DOCKER:       "date": "2020-09-09T09:10:18",
10:10:18 DOCKER:       "request-id": "7f409de5-dad1-41b5-af84-3023291c32ae"
10:10:18 DOCKER:     }
10:10:18 DOCKER:   }
10:10:18 DOCKER: })
10:10:18 DOCKER: Forbidden({
10:10:18 DOCKER:   "error": {
10:10:18 DOCKER:     "code": "Authorization_RequestDenied",
10:10:18 DOCKER:     "message": "Insufficient privileges to complete the operation.",
10:10:18 DOCKER:     "innerError": {
10:10:18 DOCKER:       "date": "2020-09-09T09:10:18",
10:10:18 DOCKER:       "request-id": "7f409de5-dad1-41b5-af84-3023291c32ae"
10:10:18 DOCKER:     }
10:10:18 DOCKER:   }
10:10:18 DOCKER: })

My app registration has API permissions for Microsoft Graph -> Application.ReadWrite.OwnedBy, which I thought would be the only permission required... but it seems like it's not. What else do I need to add to allow a service principal to update an app service (itself)?

Thanks, and sorry if this question is off-topic. It has been super difficult to find an answer to this.

yonzhan commented 4 years ago

add to S176

asos-anton-hryschanka commented 3 years ago

@jaslloyd hi.

I had the same problem, and have a solution for that.

My scenario:

My permissions before fix:
  Azure Active Directory Graph -> Application.ReadWrite.OwnedBy
  Azure Active Directory Graph -> Directory.Read.All

My permissions after fix:
  Azure Active Directory Graph -> Application.ReadWrite.OwnedBy
  Azure Active Directory Graph -> Directory.Read.All
  Microsoft Graph -> Application.ReadWrite.OwnedBy
  Microsoft Graph -> Directory.Read.All

jiasli commented 3 years ago

https://graph.microsoft.com/ is the Microsoft Graph API, so you will need Microsoft Graph for the Update application API invocation:

[image]

However, as the name suggests, Application.ReadWrite.OwnedBy is only used to update applications which are owned by the managing application. To update itself, the managing application should have Application.ReadWrite.All permission.