Question asked by NikunjBadjatya-8851

Azure get list of roles assigned to service principal using Java

  1. I have an App1 (multi-tenant) which is in HomeTenant1 and has ClientId1.

  2. This App1 is registered as a Service Principal in Tenant2.

  3. This App1 was then assigned a few roles in Tenant2 at subscription-level scope, e.g. the Contributor role on Subs2 of Tenant2.

  4. I want to determine through the Java SDK how to get the list of roles assigned to this SP in Tenant2.

This is possible to do via the az CLI:

az role assignment list --all --assignee <app client id>


But we want to get this via the Java SDK.
Following is the code snippet which we tried.

import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.resourcemanager.AzureResourceManager;
import com.azure.resourcemanager.authorization.models.Permission;
import com.azure.resourcemanager.authorization.models.RoleDefinition;

import java.util.Set;

public class AzureRoles {
    private static final String TENANT_ID = "redacted";      // target tenant (Tenant2)
    private static final String CLIENT_ID = "redacted";      // from the app's home tenant
    private static final String SUBSCRIPTIONID = "redacted"; // subscription in the target tenant
    private static final String CLIENT_SECRET = "redacted";  // from the app's home tenant

    public static void main(String[] args) throws Exception {
        try {
            // Profile and credential both point at the target tenant; the client id/secret
            // belong to the multi-tenant app registered in the home tenant.
            AzureProfile profile = new AzureProfile(TENANT_ID, SUBSCRIPTIONID, AzureEnvironment.AZURE);
            ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
                    .clientId(CLIENT_ID)
                    .clientSecret(CLIENT_SECRET)
                    .tenantId(TENANT_ID)
                    .build();
            System.out.println(clientSecretCredential);
            System.out.println(profile.getSubscriptionId());
            // Build the ARM client bound to the target subscription.
            AzureResourceManager azureResourceManager = AzureResourceManager
                    .authenticate(clientSecretCredential, profile)
                    .withSubscription(SUBSCRIPTIONID);
            System.out.println(azureResourceManager);
            // Look up the "Contributor" role definition at subscription scope.
            RoleDefinition roleDefinition = azureResourceManager.accessManagement().roleDefinitions()
                    .getByScopeAndRoleName("subscriptions/" + profile.getSubscriptionId(), "Contributor");
            StringBuilder builder = new StringBuilder()
                    .append("Role Definition: ").append(roleDefinition.id())
                    .append("\n\tName: ").append(roleDefinition.name())
                    .append("\n\tRole Name: ").append(roleDefinition.roleName())
                    .append("\n\tType: ").append(roleDefinition.type())
                    .append("\n\tDescription: ").append(roleDefinition.description());

            // Dump the allowed / denied actions of every permission block in the definition.
            Set<Permission> permissions = roleDefinition.permissions();
            builder.append("\n\tPermissions: ").append(permissions.size());
            for (Permission permission : permissions) {
                builder.append("\n\t\tPermission Actions: ").append(permission.actions().size());
                for (String action : permission.actions()) {
                    builder.append("\n\t\t\tName :").append(action);
                }
                builder.append("\n\t\tPermission Not Actions: ").append(permission.notActions().size());
                for (String notAction : permission.notActions()) {
                    builder.append("\n\t\t\tName :").append(notAction);
                }
            }

            // Scopes at which this role definition may be assigned.
            Set<String> assignableScopes = roleDefinition.assignableScopes();
            builder.append("\n\tAssignable scopes: ").append(assignableScopes.size());
            for (String scope : assignableScopes) {
                builder.append("\n\t\tAssignable Scope: ")
                        .append("\n\t\t\tName :").append(scope);
            }

            System.out.println(builder.toString());
        } catch (Exception e) {
            System.out.println(e.getMessage());
            e.printStackTrace();
        }
    }
}


It's throwing an NPE at the AzureResourceManager azureResourceManager declaration.

Any ideas on how to get this done with the Java SDK?

Tags: azure-ad-tenant, azure-ad-msal

Any pointers, anyone?

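The lookup the question is after, written as an added example (this is not code from the question, the answer, or the Azure SDK samples): it resolves the home-tenant client id to the service principal object that exists in the target tenant, then lists that principal's RBAC assignments and resolves each one to a role name, flagging roles that grant wildcard actions so over-privileged cross-tenant principals stand out. Assumed, not taken from the page: that servicePrincipals().getByName() matches the app id (service principal names include it), that roleAssignments().listByServicePrincipal(ServicePrincipal) and roleDefinitions().getById() exist with those signatures in azure-resourcemanager, and the placeholder constants.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.resourcemanager.AzureResourceManager;
import com.azure.resourcemanager.authorization.models.Permission;
import com.azure.resourcemanager.authorization.models.RoleAssignment;
import com.azure.resourcemanager.authorization.models.RoleDefinition;
import com.azure.resourcemanager.authorization.models.ServicePrincipal;

import java.util.ArrayList;
import java.util.List;

/** Lists the Azure RBAC assignments a multi-tenant app's service principal holds in a target tenant. */
public class ServicePrincipalRoleAudit {
    // Constructed placeholders: replace with the ids for your environment.
    private static final String TARGET_TENANT_ID = "<tenant2-id>";
    private static final String SUBSCRIPTION_ID = "<subscription-id-in-tenant2>";
    private static final String CLIENT_ID = "<app1-client-id>";         // app (client) id issued by the home tenant
    private static final String CLIENT_SECRET = "<app1-client-secret>"; // load from a vault or env var in practice

    /** One assignment, flattened to what an auditor wants to read. */
    public static final class Finding {
        public final String roleName;
        public final String scope;
        public final boolean wildcardActions;

        Finding(String roleName, String scope, boolean wildcardActions) {
            this.roleName = roleName;
            this.scope = scope;
            this.wildcardActions = wildcardActions;
        }
    }

    public static void main(String[] args) {
        TokenCredential credential = new ClientSecretCredentialBuilder()
            .clientId(CLIENT_ID)
            .clientSecret(CLIENT_SECRET)
            .tenantId(TARGET_TENANT_ID) // request a token for Tenant2, even though the app lives in Tenant1
            .build();
        AzureProfile profile = new AzureProfile(TARGET_TENANT_ID, SUBSCRIPTION_ID, AzureEnvironment.AZURE);
        AzureResourceManager azure = AzureResourceManager
            .authenticate(credential, profile)
            .withSubscription(SUBSCRIPTION_ID);

        for (Finding f : assignmentsForApp(azure, CLIENT_ID)) {
            System.out.printf("%-28s %s%s%n", f.roleName, f.scope,
                f.wildcardActions ? "  [wildcard actions]" : "");
        }
    }

    /**
     * Step 1: resolve the home-tenant client id to the service principal object in the target tenant
     * (assumption: getByName() matches on servicePrincipalNames, which contain the app id).
     * Step 2: list the role assignments bound to that principal and resolve each role definition.
     */
    public static List<Finding> assignmentsForApp(AzureResourceManager azure, String appClientId) {
        ServicePrincipal sp = azure.accessManagement().servicePrincipals().getByName(appClientId);
        if (sp == null) {
            throw new IllegalStateException("No service principal for app " + appClientId + " in the target tenant");
        }
        List<Finding> findings = new ArrayList<>();
        for (RoleAssignment assignment : azure.accessManagement().roleAssignments().listByServicePrincipal(sp)) {
            // roleDefinitionId() is a full ARM resource id; getById() turns it into the named role.
            RoleDefinition role = azure.accessManagement().roleDefinitions().getById(assignment.roleDefinitionId());
            findings.add(new Finding(role.roleName(), assignment.scope(), grantsWildcard(role)));
        }
        return findings;
    }

    /** True when any permission block grants "*" on actions, i.e. Owner/Contributor-class power. */
    static boolean grantsWildcard(RoleDefinition role) {
        for (Permission p : role.permissions()) {
            if (p.actions().contains("*")) {
                return true;
            }
        }
        return false;
    }
}
```

Two prerequisites decide whether this runs: the service principal must already exist in the target tenant (admin consent there), and the credential must be able to read it, which is a directory call rather than an ARM call, so the app needs a directory read permission in that tenant in addition to the Microsoft.Authorization/roleAssignments/read right (covered by Reader) at the scopes being audited. Because the lookup keys on the app id, it avoids having to know the service principal's object id in Tenant2 up front.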

1 Answer

Answered by CristianSPIRIDON72

If the Java SDK doesn't have the option, you can use the Graph API:
https://docs.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignments?view=graph-rest-1.0&tabs=http

Hope this helps.


It didn't help.
At this point, we only know the App's Client ID in the HomeTenant.
Is there a solution which does not require the SP's ObjectId in Tenant2?
