
[FEATURE REQ] App role assignment


Is your feature request related to a problem? Please describe.
I'm automating applications setup and role assignments. Currently I can do most of it via az, but there's no .NET or CLI alternative to PowerShell's App Role Assignment.

Describe the solution you'd like
I'd like to be able to create app role assignments w/o introducing PowerShell into the mix, preferably via IAuthorizationManagementClient or a similar interface.

Describe alternatives you've considered
An az CLI feature request for this already exists, but is not addressed: https://github.com/MicrosoftDocs/azure-docs/issues/33494
PowerShell is not an option, given this is a small new part of a large infrastructure setup that's already being managed from Linux w/o it. I considered importing PowerShell's AzureAD DLLs for this, but it looks too complicated for a single task.

Additional context
N/A

Information Checklist

  • Description Added
  • Expected solution specified

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 53
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

1 reaction
krispenner commented, Jun 10, 2020

Similarly I would like to create service principal app role assignments. This is nearly identical to the user flow requested, please add this at the same time. New-AzureADServiceAppRoleAssignment

For completeness, you could also support groups as well, but this is not required for me yet. New-AzureADGroupAppRoleAssignment

Example PowerShell script for background:

function Add-ManagedIdentityToApplicationRole($ApplicationName, $RoleName, $IdentityName)
{
    Write-Host "Ensuring managed identity $IdentityName is assigned the role $RoleName in application $ApplicationName."

    # Get the object ID of the managed identity's service principal
    Write-Host "Retrieving the service principal's object ID for the managed identity $IdentityName..."
    $msi = Get-AzureADServicePrincipal -Filter "DisplayName eq '$IdentityName'" | Select-Object -First 1
    if (-not $msi) { throw "No service principal named '$IdentityName' was found." }
    $msiId = $msi.ObjectId
    Write-Host "Retrieved the service principal's object ID $msiId for the managed identity $IdentityName."

    # Get the object ID of the application's service principal (enterprise application)
    Write-Host "Retrieving the service principal's object ID for the enterprise application $ApplicationName..."
    $app = Get-AzureADServicePrincipal -Filter "DisplayName eq '$ApplicationName'" | Select-Object -First 1
    if (-not $app) { throw "No enterprise application named '$ApplicationName' was found." }
    $appId = $app.ObjectId
    Write-Host "Retrieved the service principal's object ID $appId for the enterprise application $ApplicationName."

    # Get the role ID of the application's role to be assigned (app roles are defined on the app registration)
    Write-Host "Retrieving the role ID for the role $RoleName in application $ApplicationName..."
    $appReg = Get-AzureADApplication -Filter "DisplayName eq '$ApplicationName'" | Select-Object -First 1
    $roleId = ($appReg.AppRoles | Where-Object { $_.Value -eq $RoleName } | Select-Object -First 1).Id
    if (-not $roleId) { throw "Application '$ApplicationName' defines no app role with value '$RoleName'." }
    Write-Host "Retrieved the role ID $roleId for the role $RoleName in application $ApplicationName."

    # Check if the managed identity has already been assigned the app role in the enterprise application.
    # On an AzureAD-module assignment object, Id is the app role ID and ObjectId is the assignment's own ID.
    Write-Host "Checking if managed identity $IdentityName is already assigned the role $RoleName in application $ApplicationName..."
    $existing = Get-AzureADServiceAppRoleAssignment -ObjectId $appId -All $true |
        Where-Object { $_.PrincipalId -eq $msiId -and $_.Id -eq $roleId }
    if (@($existing).Count -ge 1)
    {
        # Role is already assigned
        Write-Host "Managed identity $IdentityName is already assigned the role $RoleName in application $ApplicationName."
    }
    else
    {
        # Role is not already assigned, so assign the app role of the application to the web app's managed identity
        Write-Host "Managed identity $IdentityName is not already assigned the role $RoleName in application $ApplicationName."
        Write-Host "Assigning managed identity $IdentityName the role $RoleName in application $ApplicationName..."
        New-AzureADServiceAppRoleAssignment -ObjectId $msiId -Id $roleId -PrincipalId $msiId -ResourceId $appId
        Write-Host "Assigned managed identity $IdentityName the role $RoleName in application $ApplicationName."
    }
}

0 reactions
et1975 commented, Mar 17, 2022

az ad CLI would indeed be a good place for this functionality, and since it has a special relationship with AAD it avoids the headache of setting up the correct permissions. This is the SDK repo, so not really suitable for az cli discussions, but here's the workaround you could use: az rest to make calls to graph APIs. For example:

BODY="{\"id\":\"$ROLE_ID\",\"principalId\":\"$PRINCIPAL_ID\",\"resourceId\":\"$APP_OBJ_ID\"}"
az rest --method post --uri "https://graph.windows.net/$TENANT_ID/servicePrincipals/$PRINCIPAL_ID/appRoleAssignments?api-version=1.6" --body "$BODY" --headers "Content-type=application/json"
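The same flow as the PowerShell function and the `az rest` call above, written against Microsoft Graph v1.0 instead of the AzureAD module / Azure AD Graph (graph.windows.net), which are deprecated in favour of Microsoft Graph. This is an added example, not code from the issue or from the Azure SDK. It follows the practice quoted in the Graph docs below: find the role on the resource service principal, look for an existing grant through that principal's `appRoleAssignedTo` relationship, and only then POST an `appRoleAssignment` for the principal. Three things the snippets above skip are handled: OData filter values are quoted (a display name containing a quote otherwise breaks or changes the query), paged results are followed via `@odata.nextLink`, and a role whose `allowedMemberTypes` does not include `Application` is refused rather than handed to a service principal. The access token, the display names (`Orders API`, `orders-worker`) and the `FakeGraph` data are assumptions/constructed so the logic runs offline; against a real tenant the caller needs `AppRoleAssignment.ReadWrite.All` and `Application.Read.All`.

```python
"""Idempotent app-role assignment for a service principal via Microsoft Graph v1.0.

Added example for this thread (not from the issue or the Azure SDK). Token,
display names and the FakeGraph sample tenant are assumed/constructed.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def odata_quote(value):
    """Quote a string literal for an OData $filter: single quotes are doubled.
    A display name such as O'Brien would otherwise break (or alter) the filter."""
    return "'" + value.replace("'", "''") + "'"


class GraphClient:
    """Minimal stdlib client. `token` is an access token for graph.microsoft.com,
    e.g. from `az account get-access-token --resource-type ms-graph` (assumed)."""

    def __init__(self, token):
        self.token = token

    def request(self, method, path, body=None):
        url = path if path.startswith("https://") else GRAPH + path  # nextLink is absolute
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}


class FakeGraph:
    """Offline stand-in answering the three calls the logic makes, over constructed data."""

    def __init__(self, service_principals):
        self.sps = service_principals   # id -> servicePrincipal resource
        self.assignments = []           # appRoleAssignment resources created so far

    def request(self, method, path, body=None):
        url = urllib.parse.urlparse(path)
        parts = url.path.split("/")
        if method == "GET" and url.path == "/servicePrincipals":
            flt = urllib.parse.parse_qs(url.query)["$filter"][0]   # displayName eq '...'
            name = flt.split("eq ", 1)[1].strip("'").replace("''", "'")
            return {"value": [sp for sp in self.sps.values() if sp["displayName"] == name]}
        if method == "GET" and parts[-1] == "appRoleAssignedTo":
            return {"value": [a for a in self.assignments if a["resourceId"] == parts[2]]}
        if method == "POST" and parts[-1] == "appRoleAssignments":
            self.assignments.append(dict(body, id="assignment-%d" % len(self.assignments)))
            return self.assignments[-1]
        raise ValueError("unexpected call %s %s" % (method, path))


def list_all(graph, path):
    """Follow @odata.nextLink so a paged collection is read completely."""
    items = []
    while path:
        page = graph.request("GET", path)
        items.extend(page.get("value", []))
        path = page.get("@odata.nextLink")
    return items


def find_service_principal(graph, display_name):
    query = urllib.parse.urlencode({
        "$filter": "displayName eq " + odata_quote(display_name),
        "$select": "id,displayName,appRoles",
    })
    found = list_all(graph, "/servicePrincipals?" + query)
    if len(found) != 1:   # display names are not unique; refuse to guess
        raise LookupError("expected exactly one service principal named %r, found %d"
                          % (display_name, len(found)))
    return found[0]


def ensure_app_role_assignment(graph, app_name, role_value, principal_name):
    """Grant app role `role_value` of enterprise app `app_name` to the service principal
    `principal_name` unless it already holds it. Returns (assignment id, created?)."""
    resource = find_service_principal(graph, app_name)
    principal = find_service_principal(graph, principal_name)
    # Roles are read from the resource SP. Only enabled roles whose allowedMemberTypes
    # include "Application" may be granted to a service principal; the rest are for users/groups.
    roles = [r for r in resource["appRoles"]
             if r["value"] == role_value and r["isEnabled"]
             and "Application" in r["allowedMemberTypes"]]
    if not roles:
        raise LookupError("%s has no enabled app role %r assignable to applications"
                          % (app_name, role_value))
    role_id = roles[0]["id"]
    # Existing grants are listed through the resource's appRoleAssignedTo relationship.
    for a in list_all(graph, "/servicePrincipals/%s/appRoleAssignedTo" % resource["id"]):
        if a["principalId"] == principal["id"] and a["appRoleId"] == role_id:
            return a["id"], False
    created = graph.request("POST", "/servicePrincipals/%s/appRoleAssignments" % principal["id"],
                            {"principalId": principal["id"], "resourceId": resource["id"],
                             "appRoleId": role_id})
    return created["id"], True


# Constructed sample tenant: an API exposing two roles and a managed identity to grant.
SAMPLE_SPS = {
    "aaaa-resource": {"id": "aaaa-resource", "displayName": "Orders API", "appRoles": [
        {"id": "role-read", "value": "Orders.Read", "isEnabled": True,
         "allowedMemberTypes": ["Application"]},
        {"id": "role-admin", "value": "Orders.Admin", "isEnabled": True,
         "allowedMemberTypes": ["User"]},
    ]},
    "bbbb-msi": {"id": "bbbb-msi", "displayName": "orders-worker", "appRoles": []},
}

if __name__ == "__main__":
    graph = FakeGraph(SAMPLE_SPS)   # swap for GraphClient(token) against a real tenant
    print(ensure_app_role_assignment(graph, "Orders API", "Orders.Read", "orders-worker"))  # ('assignment-0', True)
    print(ensure_app_role_assignment(graph, "Orders API", "Orders.Read", "orders-worker"))  # ('assignment-0', False)
```

Running it twice is the point: the second call finds the grant via `appRoleAssignedTo` and creates nothing, which is what a configuration step re-run from CI needs. Asking for `Orders.Admin` fails before any write because that role only allows `User` members.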

Top Results From Across the Web

Add app roles and get them from a token
Learn how to add app roles to an application registered in Azure Active Directory. Assign users and groups to these roles, and receive...
Grant an appRoleAssignment to a user - Microsoft Graph v1.0
As a best practice, we recommend creating app role assignments through the appRoleAssignedTo relationship of the resource service principal, ...
How to assign app to app roles through the Azure portal?
App roles can be assigned to users by assigning them to the app and selecting a role for them. It is used to...
Role based authorization in Azure Functions with Azure AD ...
App roles are created in the app registration's manifest and users can be assigned those roles. So let's open our Azure Function app...
Azure AD Application - Require Role Assignment + Add a ...
Browse to the 'Enterprise Applications' blade; Select 'All Application', then select the correct app; Click 'Users and Groups'; Assign users to ...