MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

RBAC Role/Permission for sending e-mails using Azure Communication Services #109461

Open MPapst opened 1 year ago

MPapst commented 1 year ago

I did not find any information about which permissions or role is necessary to send e-mails using Azure RBAC in Communication Services E-Mail. It at least works with the Contributor role, but it cannot be the goal to add that role to services that just want to send e-mails.

Update: I found this information on Stack Overflow:

Assign a security principal (user, group, service principal, or managed identity) that has been assigned a role with the Microsoft.Communication/CommunicationServices/Write permission (e.g. Contributor role or a custom role)

on the following thread. It would be good to have it in the docs also: https://stackoverflow.com/questions/75532126/azure-communication-services-how-do-i-authenticate-against-azure-iam



Naveenommi-MSFT commented 1 year ago

@MPapst Thanks for your feedback! We will investigate and update as appropriate.

RyanHill-MSFT commented 1 year ago

Apologies for the delayed response @MPapst. I have assigned the issue to the content author to investigate further and update the document as appropriate.

EDIT: RBAC is detailed under Authenticate to Azure Communication Services > Azure AD Authentication, which links to a hero sample. I really believe the permission listed here is for managing the service, not for sending the email.

I believe what you're looking for is How Email authentication works which explains how authentication works against the sender.

If you want only specific users within your AD tenant to access properties of the resource to send the email, then you would use an appropriate RBAC role. I didn't see anything listed but I've reached out to the team.

Let me know if you have any further questions.

MPapst commented 1 year ago

Thanks for putting it forward. I am actually looking for the appropriate RBAC role to assign to a service principal to send e-mails and haven't found one - nor did I find which is the required action/dataAction for the role in order to create a custom one.

bashan-git commented 1 year ago

Hi, we currently do not support RBAC for our resources. I am taking this as a new feature ask.

MPapst commented 1 year ago

Hi @bashan-git,

it's in the SDK but not supported?

new Azure.Communication.Email.EmailClient(new Uri(""), new DefaultAzureCredential())

https://github.com/Azure/azure-sdk-for-net/blob/2583498764b7b9961dc917d1f25b232b7ca7dc5c/sdk/communication/Azure.Communication.Email/src/EmailClient.cs#L66

caseymullineaux commented 1 year ago

It says here that DefaultAzureCredential() can be used for authentication, however there's no indication of what permissions are required on the resource.

dstarkowski commented 1 year ago

There's no built-in role (other than Contributor). The minimal set of permissions required for sending email are:

These need to be set on Azure Communication Service resource only (no need to set it on any email related resources).

Quite high IMO. There are no data actions.

I tested it with managed identity and service principal.

Here's the custom role definition:

{
  "properties": {
    "roleName": "Communication Service Mail Sender",
    "description": "Minimal set of permissions required to send mail with Azure Communication Service.",
    "assignableScopes": [
      "/providers/Microsoft.Management/managementGroups/{management-group-name}" // update with your scopes
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Communication/CommunicationServices/Write",
          "Microsoft.Communication/CommunicationServices/Read",
          "Microsoft.Communication/EmailServices/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

MPapst commented 1 year ago

@RyanHill-MSFT @bashan-git Can you please do me a favor and check that again? I found a piece of documentation showing that it is supported using RBAC Authentication for E-Mail Communication Services: https://learn.microsoft.com/en-us/azure/communication-services/concepts/authentication#authentication-options

fleed commented 10 months ago

Ran into the same issue. The custom role provided by @dstarkowski seems to work, but only if directly assigned to my user (testing locally using the Az CLI credentials). If I assign the role to a group I belong to, I get a 401 error.

It's quite frustrating to work with a service if this is the quality of its documentation.

eliog commented 8 months ago

I'm also having the same issue reported by @fleed where I have to assign the user to the role and not the group.

I tested using the "Contributor" role. I have to specifically assign my user to the role even though groups I belong to are assigned to the "Contributor" role already.

neok-g commented 6 months ago

Same issue here as reported by @fleed. It should work via security groups as well, like with other Azure resources.

omni-htg commented 6 months ago

I'd like to join in the request.

Not only to improve the docs so it's much clearer what to do with both the SDK in terms of DefaultAzureCredential (as previously mentioned with the EmailClient) and the Azure Communications Identity packages -- but also have Azure default / premade Roles for the different ACS scenarios.

Appreciate the help and time from everyone involved.

r-dunning commented 5 months ago

https://learn.microsoft.com/en-us/azure/communication-services/how-tos/managed-identity?tabs=portal%2Cdotnet The above docs seem backwards too; we should be assigning permissions to our MIs, rather than attaching the identity to the provider, no?

PIrojahPerbak commented 4 months ago

I'm looking for a role too

GillesTourreau commented 1 month ago

I agree with @omni-htg, it would be great if Microsoft could provide some simple built-in roles to send e-mail with ACS!

I tried the solution of @dstarkowski and it works, but I removed the Microsoft.Communication/EmailServices/read permission. I do not need it on my side 🤷... @dstarkowski, do you remember why you needed the Microsoft.Communication/EmailServices/read permission?

My custom role definition:

{
  "properties": {
    "roleName": "Communication Service Mail Sender",
    "description": "Minimal set of permissions required to send mail with Azure Communication Service.",
    "assignableScopes": [
      "/providers/Microsoft.Management/managementGroups/{management-group-name}" // update with your scopes
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Communication/CommunicationServices/Write",
          "Microsoft.Communication/CommunicationServices/Read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
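
As an added example (not code from this thread, from the Azure docs or from the ACS team), the same least-privilege role as posted by @dstarkowski and @GillesTourreau above, but in the flat JSON form that `az role definition create` accepts (the portal-style `"properties"` form with an inline `//` comment is not valid JSON and the CLI rejects it), created and then assigned directly to a managed identity or service principal at the scope of one Communication Services resource with the Azure CLI. The `EmailServices/read` action is kept by default and can be dropped with a second argument to get the two-action variant. Function names, the script name, the resource group, resource name and principal object id are placeholders of mine, not from the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue thread: build the least-privilege
# custom role discussed above, create it, assign it directly to a principal
# at the scope of a single Communication Services resource, and list the
# resulting assignment. Resource group, resource name and principal id are
# placeholders supplied on the command line.
set -eu

ROLE_NAME="Communication Service Mail Sender"

# Emit the role definition for the given assignable scope (subscription,
# resource group or management group id). Pass "no-email-read" as $2 to omit
# Microsoft.Communication/EmailServices/read, which one poster needed and
# another did not.
build_role_definition() {
  scope="$1"
  email_read_line=""
  if [ "${2:-with-email-read}" != "no-email-read" ]; then
    email_read_line=',
    "Microsoft.Communication/EmailServices/read"'
  fi
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "Description": "Minimal set of permissions required to send mail with Azure Communication Service.",
  "AssignableScopes": ["${scope}"],
  "Actions": [
    "Microsoft.Communication/CommunicationServices/Write",
    "Microsoft.Communication/CommunicationServices/Read"${email_read_line}
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": []
}
EOF
}

# Sanity check before creating anything: the Write action the posters found
# necessary is present, there are no wildcard actions, and no data actions.
check_role_definition() {
  def="$1"
  if ! printf '%s\n' "$def" | grep -q '"Microsoft.Communication/CommunicationServices/Write"'; then return 1; fi
  if printf '%s\n' "$def" | grep -q '[*]'; then return 1; fi
  if ! printf '%s\n' "$def" | grep -q '"DataActions": \[\]'; then return 1; fi
  return 0
}

# Create the role once per subscription and assign it directly to the
# principal at resource scope. Direct assignment is used deliberately because
# several posters above saw 401s when the role came only through a group.
apply_role() {
  rg="$1"; acs_name="$2"; principal_id="$3"; principal_type="${4:-ServicePrincipal}"
  sub_id=$(az account show --query id -o tsv)
  acs_id=$(az resource show --resource-group "$rg" --name "$acs_name" \
    --resource-type Microsoft.Communication/CommunicationServices --query id -o tsv)

  def_file=$(mktemp)
  build_role_definition "/subscriptions/${sub_id}" > "$def_file"
  check_role_definition "$(cat "$def_file")"

  if [ -z "$(az role definition list --name "$ROLE_NAME" --query '[].name' -o tsv)" ]; then
    az role definition create --role-definition "@${def_file}" >/dev/null
  fi
  rm -f "$def_file"

  # A managed identity is a service principal in Entra ID, so the same
  # principal type covers both; use "User" when testing with your own account.
  az role assignment create --role "$ROLE_NAME" \
    --assignee-object-id "$principal_id" --assignee-principal-type "$principal_type" \
    --scope "$acs_id" >/dev/null

  # Verify: the principal should now hold only this role at the resource.
  az role assignment list --assignee "$principal_id" --scope "$acs_id" \
    --query '[].roleDefinitionName' -o tsv
}

# Usage: bash acs-mail-sender-role.sh <resource-group> <acs-name> <principal-object-id> [User|ServicePrincipal]
if [ "$#" -ge 3 ]; then
  apply_role "$@"
fi
```

Once the assignment exists, `new EmailClient(new Uri(endpoint), new DefaultAzureCredential())` as quoted earlier in the thread picks up the managed identity or service principal without any Contributor grant on the resource group; if a 401 still appears, compare the output of the final `az role assignment list` call with the assignee's group memberships to confirm the role is assigned to the principal itself.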

dstarkowski commented 3 weeks ago

@GillesTourreau It was a while ago, but I think the API complained that this specific one was missing. I found it really strange, because in my deployment the Communication Service and the Email Service are in two separate subscriptions and I only had to assign the role on the Communication Service. Maybe it was not supposed to be required and has been fixed since.