Azure / azure-cli

Azure Command-Line Interface
MIT License

possibility of adding service principal owners with the cli #9250

Open mariojacobo opened 5 years ago

mariojacobo commented 5 years ago

"az ad sp owner add" would be nice to have. We currently add owners as a manual step after the environment build completes. Is there something similar in the CLI package?



jurjenoskam commented 5 years ago

It seems this should have been part of microsoftgraph/microsoft-graph-docs#7578, which says it "Graph: support add/remove/list owners on app, sp, and group". The PR did this for app and group, but appears to have forgotten to include code for sp. Looking at the commits in that PR it only removes a comment under "ad sp owner": "# TODO: Add support for 'add' and 'remove'", but doesn't add code to actually add and remove owners from service principals.

yugangw-msft commented 5 years ago

Okay, I will follow up to onboard the support since we have the ask now.

jonaspetersorensen commented 5 years ago

Any progress on this?

yugangw-msft commented 5 years ago

The related API is missing in the spec. Before it gets fixed, you can use az rest. A bit more detail is needed from this command; otherwise it is just like other ones:

az rest --method post --uri https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/$links/owners?api-version=1.6 --body "{\"url\":\"https://graph.windows.net/<tenantId>/directoryObjects/<owner's object id>\"}"
miicahjardine commented 5 years ago

Yugangw-msft, I don't suppose you know the az rest command to remove an owner?

kautsig commented 4 years ago

I ran into the same issue of having to add an additional owner to an existing SP.

Unfortunately the API responds with "bad request": Unsupported resource type 'DirectoryObject' for operation 'Create'.

My first suspicion was a permission problem, but I would expect a proper response then. Any ideas?

pgroene commented 4 years ago

@yugangw-msft

The related API is missing in the spec. Before it gets fixed, you can use az rest. A bit more detail is needed from this command; otherwise it is just like other ones:

az rest --method post --uri https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/$links/owners?api-version=1.6 --body "{\"url\":\"https://graph.windows.net/<tenantId>/directoryObjects/<owner's object id>\"}"

I tried this, but the owners are not added if the call succeeds.

When is the release for the cli ad sp scheduled to be released?

dekimsey commented 4 years ago

Yugangw-msft, I don't suppose you know the az rest command to remove an owner?

@miicahjardine, I've found the following works to delete owners:

az rest --method=delete --uri=https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/$links/owners/<owner object id>?api-version=1.6
yonzhan commented 4 years ago

Can we close this issue?

trvsmtchll commented 4 years ago

Is this fixed? I tried using "az rest ..." and also got the "Unsupported resource type 'DirectoryObject' for operation 'Create'." error.

drdamour commented 4 years ago

For whatever reason I'm getting the Unsupported resource type error in PowerShell... but in cmd.exe it works fine.

pwsh equiv:

az rest --method post --uri https://graph.windows.net/<tenant>/servicePrincipals/<sp id>/$links/owners?api-version=1.6 --body "{\`"url\`":\`"https://graph.windows.net/<tenant>/directoryObjects/<user object id>\`"}"

I think it has something to do with escaping in pwsh; didn't sniff the traffic yet.

drdamour commented 4 years ago

Well crap, it's the $links which resolves in PowerShell to nothing... so escape it and it'll work:

az rest --method post --uri https://graph.windows.net/<tenant>/servicePrincipals/<sp id>/`$links/owners?api-version=1.6 --body "{\`"url\`":\`"https://graph.windows.net/<tenant>/directoryObjects/<user object id>\`"}"

or

az rest --method post --uri https://graph.windows.net/<tenant>/servicePrincipals/<sp id>/`$links/owners?api-version=1.6 --body '{\"url\":\"https://graph.windows.net/<tenant>/directoryObjects/<user object id>\"}'
jiasli commented 4 years ago

@trvsmtchll, could you share the command with sensitive information removed? Also what is the environment?

naymore commented 4 years ago

I cannot reset something that I am not an owner of. So I really need the possibility to add owners to SPNs.

Please fix the incomplete CLI.

trvsmtchll commented 4 years ago

Looking for any updates on how to add a service principal completely with CLI without going to the GUI/Portal at all please.

dekimsey commented 4 years ago

I cannot reset something that I am not an owner of.

Made worse by the fact that owners must be User objects, so I cannot even set my team's security group here. I have to enumerate and add every individual member.

jiasli commented 4 years ago

As AAD is deprecating AD Graph API, for now you may use az rest to call MS Graph API.

Add owners to an application

MS Graph API: application: Add owner

# bash
appId=93dde3da-9fca-47dd-aee2-409b402ffed3
appObjectId=$(az ad app show --id $appId --query objectId -o tsv)

# Get the object Id for the current user
ownerObjectId=$(az ad signed-in-user show --query objectId -o tsv)

# This applies to both user and service principal as owners
az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/$ownerObjectId\"}"

# To add a user as an owner
az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/users/$ownerObjectId\"}"

# To add a service principal as an owner
az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/servicePrincipals/$ownerObjectId\"}"

Also see https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/8095, https://blogs.aaddevsup.xyz/2018/11/how-to-add-an-owner-to-an-azure-ad-application/

Add owners to a service principal

MS Graph API: servicePrincipal: Add owner

Note that the doc for request body is not accurate at the moment (https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/7380).

# bash
appId=93dde3da-9fca-47dd-aee2-409b402ffed3
spObjectId=$(az ad sp show --id $appId --query objectId --output tsv)

# Get the object Id for the current user
ownerObjectId=$(az ad signed-in-user show --query objectId -o tsv)

# This applies to both user and service principal as owners
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/$ownerObjectId\"}"

# To add a user as an owner
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/users/$ownerObjectId\"}"

# To add a service principal as an owner
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/servicePrincipals/$ownerObjectId\"}"
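As an added example (not code from the azure-cli project or from anyone in this thread), the bash wrapper below bundles the MS Graph owner calls from this comment with the delete call dekimsey posted earlier, in one place: it validates the object ids before they are spliced into a URI, keeps `$ref` single-quoted so the shell cannot expand it to nothing (the escaping mistake discussed elsewhere in the thread), and has a DRY_RUN switch so the exact request can be reviewed before ownership is granted. It assumes `az login` has been done with a token carrying Application.ReadWrite.OwnedBy (or .All) and Directory.Read.All; the function names, the DRY_RUN variable and the sample GUIDs are ours, not az's.

```shell
#!/usr/bin/env bash
# Added example, not code from the azure-cli project or from this thread.
# Thin wrapper around the `az rest` calls posted above (MS Graph beta,
# applications/servicePrincipals owners). Assumes `az login` has been done
# with a token carrying Application.ReadWrite.OwnedBy (or .All) and
# Directory.Read.All. Function names and the DRY_RUN switch are ours.
set -eu

GRAPH=https://graph.microsoft.com/beta

# Object ids are spliced into a URI, so accept only a GUID and nothing else.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Owners navigation URI. The format string is single-quoted so "$ref" reaches
# Graph literally; unquoted, the shell expands $ref to an empty string and the
# request lands on .../owners/ instead.
#   $1 = applications | servicePrincipals   $2 = target object id
#   $3 = owner object id (only for DELETE, which addresses one reference)
graph_owners_uri() {
  is_guid "$2" || { echo "invalid object id: $2" >&2; return 1; }
  if [ -n "${3:-}" ]; then
    is_guid "$3" || { echo "invalid owner id: $3" >&2; return 1; }
    printf '%s/%s/%s/owners/%s/$ref\n' "$GRAPH" "$1" "$2" "$3"
  else
    printf '%s/%s/%s/owners/$ref\n' "$GRAPH" "$1" "$2"
  fi
}

# POST body. directoryObjects works for users and service principals; Graph
# rejects a group here (see the Request_BadRequest reply further down).
owner_ref_body() {
  is_guid "$1" || { echo "invalid owner id: $1" >&2; return 1; }
  printf '{"@odata.id": "%s/directoryObjects/%s"}' "$GRAPH" "$1"
}

# DRY_RUN=1 prints the command instead of running it, so the request can be
# reviewed first: an owner can manage the principal's credentials.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# sp_owner add|remove|list <sp object id> [<owner object id>]
sp_owner() {
  local action=$1 sp=$2 owner=${3:-} uri body
  case "$action" in
    add)
      uri=$(graph_owners_uri servicePrincipals "$sp")
      body=$(owner_ref_body "$owner")
      run az rest -m POST -u "$uri" --headers Content-Type=application/json -b "$body"
      ;;
    remove)
      uri=$(graph_owners_uri servicePrincipals "$sp" "$owner")
      run az rest -m DELETE -u "$uri"
      ;;
    list)  # verify the change afterwards; @odata.type tells a user from an SP
      is_guid "$sp" || { echo "invalid object id: $sp" >&2; return 1; }
      run az rest -m GET -u "$GRAPH/servicePrincipals/$sp/owners" \
        --query 'value[].{id:id,type:"@odata.type"}' -o table
      ;;
    *)
      echo "usage: sp_owner add|remove|list <sp object id> [<owner object id>]" >&2
      return 2
      ;;
  esac
}

# When run directly, e.g.:  DRY_RUN=1 ./sp_owner.sh add <sp object id> <owner object id>
if [ $# -gt 0 ]; then sp_owner "$@"; fi
```

Run it once with DRY_RUN=1 to see the exact URI and body that will be sent, then without it; `sp_owner list` afterwards confirms the owner set actually changed, which is the check the posts reporting silent failures were missing.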
jiasli commented 4 years ago

@dekimsey, MS Graph currently doesn't support group as owner.

$ az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/5a197067-7d4e-4862-a692-cb5933646da1\"}"
Bad Request({
  "error": {
    "code": "Request_BadRequest",
    "message": "The reference target 'Group_5a197067-7d4e-4862-a692-cb5933646da1' of type 'Group' is invalid for the 'owners' reference.",
    "innerError": {
      "request-id": "daf41148-02ab-426a-9dc0-fe07060fe87f",
      "date": "2020-03-25T03:21:30"
    }
  }
})

I will mark this as service attention. You may vote on these feedback pages:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37337278-add-group-as-owner-on-azure-ad-application-and-ser
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6688284-ad-groups-in-application-owners
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39240190-app-registration-owners-should-allow-for-groups

drdamour commented 4 years ago

@yonzhan why did this get closed? Regardless of adding groups, it would still be good to add users without having to use az rest.

yonzhan commented 4 years ago

@drdamour Is it a requirement for CLI or AAD team?

drdamour commented 4 years ago

cli

yonzhan commented 4 years ago

I will discuss with @jiasli about this and keep this issue reopen.

jiasli commented 4 years ago

This will be implemented after we migrate to MS Graph. Moving to backlog as a feature request. We will track MS Graph issues at https://github.com/Azure/azure-cli/issues/12946

drdamour commented 4 years ago

seems like the graph.windows.net solution no longer functions at all, and the MS Graph suggestion requires a TON of permissions that no sane admin would grant...

drdamour commented 4 years ago

I stand corrected, the application one is pretty sane: ReadWrite.OwnedBy. I thought it required write.all.

jiasli commented 4 years ago

Hi @drdamour, thanks for the supplemental information. Yes, for both application: Add owner and servicePrincipal: Add owner APIs, all you need is Application.ReadWrite.OwnedBy and Directory.Read.All, as given by the document itself:

| Permission type                          | Permissions (from least to most privileged)                                                                       |
|------------------------------------------|-------------------------------------------------------------------------------------------------------------------|
| Delegated (work or school account)       | Application.ReadWrite.All and Directory.Read.All, Directory.AccessAsUser.All                                      |
| Delegated (personal Microsoft account)   | Not supported.                                                                                                    |
| Application                              | Application.ReadWrite.OwnedBy and Directory.Read.All, Application.ReadWrite.All and Directory.Read.All            |
swisman commented 3 years ago

More than one year has passed, any news on this? Would be great if this will be implemented in my opinion.

23min commented 2 years ago

Trying to follow the official docs for adding an owner to a service principal (pscore)

az rest `
   --method POST --uri https://graph.microsoft.com/v1.0/servicePrincipals/$($objectId)/owners/\$ref `
   --headers Content-Type=application/json `
   --body '{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$($userId)\"}'

responds with

ERROR: Bad Request({"error":{"code":"Request_BadRequest","message":"Unsupported resource type 'DirectoryObject' for operation 'Create'.","innerError":{"date":"2021-09-20 .... SNIP
drdamour commented 2 years ago

@23min I've always used User, which inherits from directoryObjects; agree the docs are strange. FWIW you linked the beta docs... but even the 1.0 docs example shows using beta for the post target... so weird.

az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/<sp object id>/owners/`$ref --headers Content-Type=application/json -b '{\"@odata.id\": \"https://graph.microsoft.com/beta/users/<user id>\"}'
jiasli commented 2 years ago

Hi folks, as for the behavior of Microsoft Graph API, you may reach out to AAD support by creating a support ticket. A support engineer will gladly help you with it.

saldroubi commented 2 years ago

I would also like this to be implemented in az cli. Why is this issue closed? One should not have to use the REST API with az. Please reopen! Also, using MS Graph is not an option because would give permission to use it in our environment. Also, why do all these MS tools require different authentications: PowerShell Az module, PowerShell MS Graph, and Az CLI, etc.?

jiasli commented 2 years ago

I will reopen this issue and mark it as feature request.

Also, using MS Graph is not an option because would give permission to use it in our environment.

As AD Graph has been deprecated, using Microsoft Graph is the only option.

Also, why do all these MS tools require different authentications: PowerShell Az module, PowerShell MS Graph, and Az CLI, etc.?

Thanks for the feedback. Personally, I also like the idea to share login context between Azure tools (tracked by https://github.com/Azure/azure-cli/issues/16460).

saldroubi commented 1 year ago

Is this in the works? It has been requested a long time ago.

Mykp3 commented 1 year ago

This is such a ... limitation. Why can an SP not be the owner of another application, regardless of the initial creator, instead of responding with bad request? This role is currently rather useless... Application.ReadWrite.OwnedBy

saldroubi commented 1 year ago

I really wish this gets implemented soon. It has been so loooooooong.

Mykp3 commented 1 year ago

@yugangw-msft when shall we expect advancement in the Application.ReadWrite.OwnedBy API permission, in particular,

the ability to assign an AD application as an owner to an existing AD application, e.g. one not necessarily created by that application?

notaturkey commented 1 year ago

bump, wish i could do this

Mykp3 commented 1 year ago

@saldroubi @notaturkey It is possible to make an application registration the owner of another application registration.

Requirements:

From the main page of the application registration of the future owner, navigate to the link under the "Managed application in local directory" description. It will redirect you to the enterprise application page; copy the object ID. From the main page of the application registration of the application that you want to be owned by the other app, copy the object ID and paste it below.

Perform the next cmdlet: Add-AzureADApplicationOwner -ObjectId $app.ObjectId -RefObjectId $spn.owner.ObjectId

It should allow you to manage the app under another app. If that is not enough, you may also grab the enterprise application of the desired owned application and perform a slightly different (SPN level) assignment:

Add-AzureADServicePrincipalOwner -ObjectId $spn.ObjectId -RefObjectId $spn.owner.ObjectId

So we are always interested in granting the enterprise app (SPN) of the future owner, with the target SPN and/or regular application registration object ID that we want to own.

drdamour commented 1 year ago

Yes, you certainly can use PowerShell to add SPs as owners, but this ticket is about az cli, not the PS module.

kevinpauli commented 1 year ago

What the heck, four years later and it's not in there yet?

ncook-hxgn commented 1 year ago

bumpy bump bump

Annesars90 commented 1 year ago

BUMPPPP

rcomanne commented 1 year ago

Would be very nice to be able to manage owners of a service principal by the Azure CLI... Any progress update? Or are we just supposed to use the Graph API directly and this will not be implemented?

uracharla1 commented 1 year ago

Hi there, I am currently trying to assign an SPN owner to an enterprise application using Microsoft Graph, but it does not seem to be working. The portal only allows adding users. Is there any solution to fix it?

sodds-eq commented 10 months ago

bump

dalekseevs commented 8 months ago

bump

jordan-lee-accessgroup commented 7 months ago

bump

hoivikaj commented 6 months ago

While this is still missing from AZ CLI natively as of today, I wanted to drop in the command that currently works for me via AZ REST. Not sure if the BETA endpoint is still required, but it's what I am currently using.

Azure Service Principal to be owned by Azure Service Principal:

az rest --method POST --uri https://graph.microsoft.com/beta/servicePrincipals/{TARGET SP OBJECT ID}/owners/\$ref --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{OWNER SP OBJECT ID}"}'

I was previously having trouble as I missed the escape of $ for $ref.

chadcarlton commented 4 months ago

Please implement this... pretty unbelievable that 4 years later this is not in place.

DariuszPorowski commented 1 month ago

+1