Closed josefehse closed 7 months ago
Hi @josefehse , AzureAD objects have 2 ids. For instance, an AD app has one id called applicationId and another one called objectid. Both are GUIDs. Add-AzADPermission needs the application id. If you cannot tell which id type it is, the easy way is to visit its properties on the portal to get it. The snapshot you provided is different from your log. If you still have a problem, please share the result of both Get-AzAdApplication and Add-AzADPermission.
Hi @dingmeng-xue , I am aware of Object Id and App Id. The problem is as follows: my application is an Azure Function with a Managed Identity. I can get its IDs with Get-AzADServicePrincipal only:
Get-AzADApplication can't find it: the complete list only shows applications configured in Azure AD as Enterprise Applications, not Managed Identities:
Therefore, Add-AzADAppPermission won't work, since it is using Get-AzADApplication, as per the previous screenshot. Thank you.
@josefehse , the current API permission setting is only on the AD App. It is like what a user can do on the Portal.
@Francisco-Gamino , could you help to look into this question? How can a user grant API permission of MSGraph to a Functions app?
Thank you @dingmeng-xue. Understood. However, it can be done today with the previous modules (AzureAD) and that is exactly the need at the moment. You can see the code I use today in this repo: https://github.com/Azure/GuardrailsSolutionAccelerator/blob/main/setup/setup.ps1 (line 234 and on). Looking forward to knowing when this will be available.
Hello @josefehse -- What AD module are you using? And where are you installing it from?
Hello @Francisco-Gamino, you can see the code in the link I've sent. I just import it as per below. The code is normally run from the Cloud Shell.
Adding @maertendMSFT from the CloudShell team.
Hello @josefehse -- I had a sync with @maertendMSFT offline and it looks like the AzureAD.Standard.Preview module is not officially supported. The recommendation is to use the AzureAD module instead.
Hello @Francisco-Gamino, we seem to have a disconnect. This is the module I use today and it works. I am only using the preview because of an issue with the Cloud Shell. What I need to work is the new AzAD commands, which don't, as per all the previous communications. You asked me which AzureAD module I am using and that's what I've sent. What I am trying to use is, which I've just installed using the regular repository. And here's the code (again) that fails:
I hope that makes it clear.
Thank you @josefehse for the clarification.
Hi @dingmeng-xue -- This blog talks about how to grant Graph API permission to a Managed Identity object using the Azure AD cmdlets. Could you please advise what the equivalent AzAD cmdlets in Az.Resources are to enable this scenario?
/cc @AnatoliB @stefanushinardi @michaelpeng36
The AzureAD cmdlet leverages the API POST /servicePrincipals/{}/appRoleAssignments?api-version=1.6. The corresponding MSGraph API should be POST /servicePrincipals/{servicePrincipal-id}/appRoleAssignments
It requires a new cmdlet to support it. @josefehse , you also can use Invoke-AzRestMethod to send a request to MSGraph directly.
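As an added example (not code from this issue, the Az module or the linked repo), this is the Invoke-AzRestMethod route described above: it resolves the Microsoft Graph service principal and the requested app role, checks for an existing assignment, and only then issues the POST /servicePrincipals/{id}/appRoleAssignments call. The function name, parameter names and the placeholder object id are this example's own assumptions; it assumes Connect-AzAccount has already been run as a user allowed to grant app roles.

```powershell
# Added example: grant a Microsoft Graph application permission (app role)
# to a managed identity by calling the Graph REST API through Invoke-AzRestMethod.
# Function/parameter names are assumptions made for this example.
function Grant-GraphAppRoleToManagedIdentity {
    param(
        [Parameter(Mandatory)][string]$ManagedIdentityObjectId,  # object id from Get-AzADServicePrincipal
        [Parameter(Mandatory)][string]$AppRoleValue              # e.g. 'User.Read.All'
    )
    $graph = 'https://graph.microsoft.com/v1.0'
    $graphAppId = '00000003-0000-0000-c000-000000000000'  # well-known Microsoft Graph application id

    # Resolve the tenant's Microsoft Graph service principal and the app role being requested.
    $filter = [uri]::EscapeDataString("appId eq '$graphAppId'")
    $resp = Invoke-AzRestMethod -Method GET -Uri "$graph/servicePrincipals?`$filter=$filter"
    if ($resp.StatusCode -ne 200) { throw "Graph service principal lookup failed: $($resp.Content)" }
    $graphSp = ($resp.Content | ConvertFrom-Json).value | Select-Object -First 1
    $role = $graphSp.appRoles |
        Where-Object { $_.value -eq $AppRoleValue -and $_.allowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "App role '$AppRoleValue' is not an application permission on Microsoft Graph" }

    # Idempotency check: do not create a duplicate assignment on re-runs of a setup script.
    $resp = Invoke-AzRestMethod -Method GET -Uri "$graph/servicePrincipals/$ManagedIdentityObjectId/appRoleAssignments"
    if ($resp.StatusCode -ne 200) { throw "Assignment lookup failed: $($resp.Content)" }
    $existing = ($resp.Content | ConvertFrom-Json).value |
        Where-Object { $_.resourceId -eq $graphSp.id -and $_.appRoleId -eq $role.id }
    if ($existing) { Write-Host "Already assigned: $AppRoleValue"; return $existing }

    # Create the assignment: principal = managed identity, resource = Graph SP, appRoleId = role id.
    $body = @{
        principalId = $ManagedIdentityObjectId
        resourceId  = $graphSp.id
        appRoleId   = $role.id
    } | ConvertTo-Json
    $resp = Invoke-AzRestMethod -Method POST -Payload $body `
        -Uri "$graph/servicePrincipals/$ManagedIdentityObjectId/appRoleAssignments"
    if ($resp.StatusCode -ne 201) { throw "Assignment failed ($($resp.StatusCode)): $($resp.Content)" }
    $resp.Content | ConvertFrom-Json
}

# Usage (placeholder object id of the Function app's managed identity):
# Grant-GraphAppRoleToManagedIdentity -ManagedIdentityObjectId '<mi-object-id>' -AppRoleValue 'User.Read.All'
```

Only roles whose allowedMemberTypes include Application are valid for a service principal, which is why the lookup filters on that field before posting.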
You can now assign approleassignments to MI resources using New-AzAdServicePrincipalAppRoleAssignment.
Description
Trying to assign Microsoft Graph permissions to a managed identity Azure Function. The old method (AzureAD) works fine. With the new module, here's the issue: I can get the application ID and object ID of the MI using Get-AzADServicePrincipal. When trying to use Add-AzADPermission it fails: you can see the module uses Get-AzADApplication. However, Get-AzADApplication won't find service principals for Managed Identities, only Enterprise Applications. Am I missing something or is it a gap?
Thank you.
Issue script & Debug output
Environment data
Module versions
Error output