Closed ezYakaEagle442 closed 11 months ago
@ezYakaEagle442 Thanks for bringing this to our attention. I'm going to assign this to the document author @KarlErickson so they can take a look at it accordingly.
I need an update please @KarlErickson @seanli1988
passing on to engineering owner in ASA team
@ezYakaEagle442 Please use `--web-redirect-uris` instead of `--reply-urls` when your CLI version is greater than 2.37.0. We will update the documentation accordingly.
My GH Workflow fails with:

```
ERROR: Insufficient privileges to complete the operation.
```

Regarding this doc: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
what permissions are required to run `az ad app update`?
The documentation guides you to configure the AAD app from creation. If the AAD app was created by another one, the creator should explicitly add the updater as an owner of the AAD app.

This command is used to check who owns this AAD app:

```shell
az ad app owner list --id ${APPLICATION_ID} -o table
```

This command will help to add an owner to the AAD app:

```shell
az ad app owner add --id ${APPLICATION_ID} --owner-object-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
@yuwzho I tested and I still fail with the same error message. Looking at the AAD docs, even https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#directory-writers does not seem to be enough. I wonder if being Tenant Global Admin is the only way to run that `az ad app update` command?
https://learn.microsoft.com/en-us/graph/permissions-reference#directory-permissions :

> The Directory.ReadWrite.All permission grants the following privileges:
>
> - Full read of all directory resources (both declared properties and navigation properties)
> - Create and update users
> - Disable and enable users (but not Company Administrator)
> - Set user alternative security ID (but not administrators)
> - Create and update groups
> - Manage group memberships
> - Update group owner
> - Manage license assignments
> - Define schema extensions on applications
> - Manage directory settings
> - Manage admin consent workflow configuration (but not whether admin consent is required or who is authorized to grant admin consent)
>
> Note:
>
> - No rights to reset user passwords.
> - Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.
> - No rights to delete resources (including users or groups).
> - Specifically excludes create or update for resources not listed above. This includes: application, oAuth2PermissionGrant, appRoleAssignment, device, servicePrincipal, organization, domains, and so on.
It looks like the App running the GitHub Runner should have the Application.ReadWrite.All permission; this should be documented in the ASA docs.

From https://learn.microsoft.com/en-us/graph/permissions-reference#directory-permissions, Application.ReadWrite.All has these ids:

- Delegated: bdfbf15f-ee85-4955-8675-146e8e5296b5
- Application: 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9

Microsoft Graph application id (00000003-0000-0000-c000-000000000000): https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications

```shell
az ad app permission add --api 00000003-0000-0000-c000-000000000000 --api-permissions bdfbf15f-ee85-4955-8675-146e8e5296b5=Scope --id $SPN_APP_ID
```

Invoking `az ad app permission grant --id <GUID of you $SPN_APP_ID 42424242424242424242442> --api 00000003-0000-0000-c000-000000000000 --scope`

```shell
az ad app permission grant --id ${SPN_APP_ID} --api 00000003-0000-0000-c000-000000000000 --scope --id ${SSO_APP_ID}
az ad app permission admin-consent --id ${SPN_APP_ID}
```
I now hit:

```
The remained resource quota(cpu: 0, memory: 0) is insufficient,please retry with smaller size of build resourceRequests, retry after the previous build process completed or increased your build agent pool size
```
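The two things checked by hand in this thread, whether the workflow identity owns the SSO app registration (the `az ad app owner` answer above) and whether it requests Application.ReadWrite.All on Microsoft Graph rather than only Directory.ReadWrite.All, can be verified before the workflow runs. The following is an added example, not code from this issue or from Azure CLI: it reads the JSON that `az ad app show --id <APP_ID> -o json` and `az ad app owner list --id <APP_ID> -o json` return and reports what is missing. It assumes the Graph-based output shape of those commands (`requiredResourceAccess` entries with `resourceAppId` and `resourceAccess` items carrying `id` and `type`; owner objects carrying `id`). The only real identifiers are the Microsoft Graph and Application.ReadWrite.All ids quoted in the thread; every other GUID and the sample documents are constructed placeholders.

```python
"""Offline pre-flight check for the `az ad app update` permission failure.

Added example, not from the issue thread or Azure CLI. Feed it the JSON of
`az ad app show -o json` for the workflow's app registration and
`az ad app owner list -o json` for the SSO app it will update.
"""
import json

# Microsoft Graph resource app id and the two Application.ReadWrite.All
# permission ids quoted in the thread (delegated = Scope, application = Role).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
APP_RW_ALL_DELEGATED = "bdfbf15f-ee85-4955-8675-146e8e5296b5"
APP_RW_ALL_APPLICATION = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"
APP_RW_ALL_IDS = {APP_RW_ALL_DELEGATED, APP_RW_ALL_APPLICATION}


def graph_permissions(app):
    """Return {(permission id, 'Scope'|'Role')} requested from Microsoft Graph.

    `requiredResourceAccess` is the manifest section that
    `az ad app permission add` edits; it lists requested, not yet consented,
    permissions, so `grant` / `admin-consent` are still required afterwards.
    """
    found = set()
    for resource in app.get("requiredResourceAccess", []):
        if resource.get("resourceAppId", "").lower() != GRAPH_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            found.add((access["id"].lower(), access["type"]))
    return found


def has_application_readwrite_all(app, app_only=False):
    """True if Application.ReadWrite.All is requested.

    With app_only=True (the workflow signs in as a service principal with
    client credentials) only the application permission (type Role) counts:
    a delegated Scope is never exercised without a signed-in user.
    """
    for perm_id, perm_type in graph_permissions(app):
        if perm_id in APP_RW_ALL_IDS and (perm_type == "Role" or not app_only):
            return True
    return False


def is_owner(owners, object_id):
    """True if object_id appears in the `az ad app owner list` output."""
    return any(o.get("id", "").lower() == object_id.lower() for o in owners)


def diagnose(runner_app, sso_app_owners, runner_object_id, app_only=False):
    """Return the list of problems that would make `az ad app update` fail."""
    problems = []
    if not has_application_readwrite_all(runner_app, app_only):
        problems.append("Application.ReadWrite.All is not requested on Microsoft Graph "
                        "(Directory.ReadWrite.All excludes application objects)")
    if not is_owner(sso_app_owners, runner_object_id):
        problems.append("workflow identity is not an owner of the SSO app registration")
    return problems


# ---- constructed sample data (all GUIDs below are placeholders) --------------
RUNNER_OBJECT_ID = "22222222-2222-2222-2222-222222222222"   # workflow service principal
CREATOR_OBJECT_ID = "33333333-3333-3333-3333-333333333333"  # user who created the SSO app

# Shape of `az ad app show -o json` before `az ad app permission add`; the
# single resourceAccess entry stands in for some unrelated permission.
RUNNER_APP_BEFORE = json.loads("""
{
  "appId": "11111111-1111-1111-1111-111111111111",
  "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "00000000-0000-0000-0000-000000000001", "type": "Scope"}]}
  ]
}
""")

# Same app after `az ad app permission add ... --api-permissions <id>=Scope`.
RUNNER_APP_AFTER = json.loads(json.dumps(RUNNER_APP_BEFORE))
RUNNER_APP_AFTER["requiredResourceAccess"][0]["resourceAccess"].append(
    {"id": APP_RW_ALL_DELEGATED, "type": "Scope"})

# `az ad app owner list -o json` before and after `az ad app owner add`.
SSO_OWNERS_BEFORE = [{"id": CREATOR_OBJECT_ID, "displayName": "app creator"}]
SSO_OWNERS_AFTER = SSO_OWNERS_BEFORE + [{"id": RUNNER_OBJECT_ID, "displayName": "github-runner"}]

if __name__ == "__main__":
    for label, app, owners in (("before", RUNNER_APP_BEFORE, SSO_OWNERS_BEFORE),
                               ("after", RUNNER_APP_AFTER, SSO_OWNERS_AFTER)):
        print(label, diagnose(app, owners, RUNNER_OBJECT_ID) or "ok")
```

The `app_only` switch is the caveat worth keeping in mind when copying the `=Scope` command from this thread: a `Scope` entry is a delegated permission and only applies when a user signs in; a runner that authenticates as a service principal with client credentials needs the application permission (`type` `Role`, the second id above), and in that mode the check reports the delegated entry as insufficient.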
I am very happy to see you figured it out! We will note these in our documentation. For the resource quota issue in the build service, we are now working on an enhancement. It will support a larger build agent pool SKU. In addition, even when the agent pool is fully in use, you can still put some builds in a queue to wait for the former build to finish, unless there are too many builds waiting in the queue.
Correction, I think the scope should be set to the SSO App ID:

```shell
az ad app permission grant --id ${GitHub_Runner_APP_ID} --api 00000003-0000-0000-c000-000000000000 --scope --id ${SSO_APPLICATION_CLIENT_ID}
az ad app permission admin-consent --id ${SPN_APP_ID}
```

To be tested and documented.
It still does not work.
@ezYakaEagle442 What is the current error message?
Doc has been updated.
At https://learn.microsoft.com/en-us/azure/spring-apps/quickstart-configure-single-sign-on-enterprise#create-and-configure-an-application-registration-with-azure-active-directory, the doc states:
but this `--reply-urls` arg does not exist; I guess it should be `--web-redirect-uris` or `--public-client-redirect-uris`? I use CLI 2.42.0.