Anoop0 asked:

[Data Lake: ACL permission] Mysterious Id added in ACL for Azure AD App

I am using Data Lake: I connect by using Azure Active Directory (Azure AD) to authenticate Data Lake to an AD app. I am also adding an ACL principal for the same app (e.g. mockFunc....) to provide restricted access. When I grant the permission via the Azure portal, the system adds a GUID, marked in green. It is neither the object ID of the app nor the client ID.

Permissions work perfectly when assigned from the Azure portal. But I am facing an issue extracting this ID when I set the permission from code (doc ref: Set the ACL of a directory).

I need this strange ID to set in the following code.

using System.Collections.Generic;
using Azure.Storage.Files.DataLake.Models;

IList<PathAccessControlItem> accessControlList =
    PathAccessControlExtensions.ParseAccessControlList("user::---,group::---,other::---,user:<865bfefd-b-Mysterious-Id>:r-x");

I can only get this ID by inspecting the code of the ACL window and extracting it from the browser's developer tools. When I use this ID in the code, it works perfectly.

How do I get this ID associated with the Azure AD app? As I need to work in different environments, I can't go to the developer window every time to get this strange ID.

Datalake ACL (screenshot)

AD App (screenshot)




Tags: azure-data-lake-storage, azure-ad-app-registration, azure-ad-app-management

1 Answer

PRADEEPCHEEKATLA-MSFT answered:

Hello @AnoopKumar-7755,

Welcome to the Microsoft Q&A platform.

It's not a mysterious ID added in the ACL for the Azure AD app; it's the object ID of the service principal associated with your registered application.

If the security principal is a service principal, it's important to use the object ID of the service principal and not the object ID of the related app registration.

Steps to get the object ID of the service principal:

Step 1: Get the <Your App ID> of your registered app.

(screenshot)

Step 2: To get the object ID of the service principal, open the Azure CLI and then use this command: az ad sp show --id <Your App ID> --query objectId. Make sure to replace the <Your App ID> placeholder with the App ID of your app registration.

(screenshot)

Just to verify: Azure Data Lake Gen2 account => Manage ACL:

(screenshot)

For more details, refer to Access control lists (ACLs) in Azure Data Lake Storage Gen2.

Hope this helps. Do let us know if you have any further queries.


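The answer's two steps can be scripted so the ID never has to be copied from a browser window. The following is an added example, not code from the thread or from Microsoft: it takes the JSON that `az ad sp show --id <Your App ID>` prints (a constructed sample is embedded; older CLI versions return the service principal object ID under `objectId`, as in the answer, while Azure CLI 2.37 and later return it under `id`), builds the same POSIX-style ACL string the question passes to `ParseAccessControlList`, and audits that string so that a named entry carrying the app registration's object ID or the application (client) ID is flagged before the ACL is applied. The `az ad app show` sample is likewise constructed; all GUIDs are made up.

```python
"""Added example (not from the Q&A thread): resolve the service principal
object ID from az CLI output and audit an ADLS Gen2 ACL string before it is
handed to PathAccessControlExtensions.ParseAccessControlList."""
import json
import re
import uuid
from typing import Dict, List, Optional

# Constructed sample of `az ad sp show --id <app-id>` output. Older CLI versions
# emit "objectId" (as in the answer); CLI 2.37+ emits "id" for the same value.
SP_SHOW_OUTPUT = json.dumps({
    "appId": "11111111-2222-3333-4444-555555555555",
    "objectId": "865bfefd-aaaa-bbbb-cccc-dddddddddddd",
    "displayName": "mockFunc",
})

# Constructed sample of `az ad app show --id <app-id>` output. The app
# registration has its own object ID, which the ADLS ACL must NOT use.
APP_SHOW_OUTPUT = json.dumps({
    "appId": "11111111-2222-3333-4444-555555555555",
    "objectId": "99999999-8888-7777-6666-555555555555",
    "displayName": "mockFunc",
})

# One ACL entry: [default:]<type>:[<id>]:<rwx>, the shape ParseAccessControlList accepts.
ACL_ENTRY_RE = re.compile(r"^(default:)?(user|group|other|mask):([^:]*):([r-][w-][x-])$")


def principal_ids(az_json: str) -> Dict[str, str]:
    """Return {"appId", "objectId"} from az CLI JSON, accepting either the old
    "objectId" key or the newer "id" key. Both values are validated as GUIDs."""
    obj = json.loads(az_json)
    oid = obj.get("id") or obj.get("objectId")
    if not oid or not obj.get("appId"):
        raise ValueError("az output lacks appId or object id")
    for value in (oid, obj["appId"]):
        uuid.UUID(value)  # raises ValueError if the value is not a GUID
    return {"appId": obj["appId"], "objectId": oid}


def service_principal_object_id(sp_show_json: str) -> str:
    """The value the ACL needs: the *service principal's* object ID."""
    return principal_ids(sp_show_json)["objectId"]


def build_acl(sp_object_id: str, perms: str = "r-x") -> str:
    """Owner, group and other get nothing; one named user entry carries the SP."""
    uuid.UUID(sp_object_id)
    if not re.fullmatch(r"[r-][w-][x-]", perms):
        raise ValueError(f"bad permission triplet: {perms}")
    return f"user::---,group::---,other::---,user:{sp_object_id}:{perms}"


def parse_acl(acl: str) -> List[Dict[str, Optional[str]]]:
    """Split an ACL string into entries, rejecting malformed ones up front."""
    entries = []
    for raw in acl.split(","):
        m = ACL_ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        entries.append({"scope": "default" if m.group(1) else "access",
                        "type": m.group(2), "id": m.group(3) or None,
                        "perms": m.group(4)})
    return entries


def audit_acl(acl: str, sp_show_json: str, app_show_json: str) -> List[str]:
    """Report named user/group entries whose ID is not the SP object ID, naming
    the two common mix-ups (app registration object ID, application/client ID)."""
    sp = principal_ids(sp_show_json)
    app = principal_ids(app_show_json)
    problems = []
    for e in parse_acl(acl):
        if e["type"] not in ("user", "group") or e["id"] is None:
            continue  # owner/group/other/mask entries carry no principal ID
        ident = e["id"].lower()
        if ident == app["objectId"].lower():
            problems.append(f"{e['type']}:{e['id']} is the app registration object ID, not the service principal")
        elif ident == sp["appId"].lower():
            problems.append(f"{e['type']}:{e['id']} is the application (client) ID, not the service principal object ID")
        elif ident != sp["objectId"].lower():
            problems.append(f"{e['type']}:{e['id']} does not match the service principal object ID")
    return problems


if __name__ == "__main__":
    acl = build_acl(service_principal_object_id(SP_SHOW_OUTPUT))
    print(acl)
    print("problems:", audit_acl(acl, SP_SHOW_OUTPUT, APP_SHOW_OUTPUT))
```

The string `build_acl` returns is exactly what the question's C# passes to `ParseAccessControlList`; running `audit_acl` first turns the silent failure mode (an ACL that grants nothing to the principal you meant) into an explicit error before the ACL is written to the directory.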

Thanks Pradeep for adding the answer. I am able to get the right Object Id from the CLI.

Still, the question is why the Object Id on the Azure portal does not match the Object Id from the CLI window. Both should be the same, shouldn't they?


Hello @AnoopKumar-7755,

These two object IDs are different.

As I explained in the answer above: it is the object ID of the service principal, not the object ID of the related app registration.

(screenshot)

Hope this helps.


Anoop0 replied to PRADEEPCHEEKATLA-MSFT:

Thanks Pradeep for full explanation.
