
Rotembenhemo-6455 asked SaurabhSharma-msft commented

ARM - role for enterprise application

Hello,

I created an Enterprise application in Azure Active Directory. I manually gave it the Reader role under my subscription -> Access control (IAM).

I am searching for a way to add more roles to the app using Azure ARM (for automation).

In my search I found this:

```json
"resources": [
  {
    "type": "Microsoft.Authorization/roleAssignments",
    "apiVersion": "2018-09-01-preview",
    "name": "[guid(some string)]",
    "properties": {
      "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'roleId')]",
      "principalId": "objectId"
    }
  }
]
```

When I give the "objectId" as a parameter (which I took manually from the portal) it works, and I see the new role under the subscription's access control.

Is there a way to get this objectId through some ARM function, without passing the id as a parameter?

I read that I can use the function "[reference(resourceId()).principalId]" but I don't know which values I need to insert for my Enterprise application. I have the app (client) id, tenant id, subscription id and client secret. Which provider do I need to give? Which resourceType? I did not find any record about it. Can this function be used for an Enterprise application?

I also tried to get the objectId using the CLI command $(az ad sp show --id appId --query 'objectId') and use it in the ARM template with deploymentScripts. I created a userAssignedIdentity for it and gave it the Contributor role, but I am getting an error: Insufficient privileges to complete the operation...




azure-ad-app-development

1 Answer

SaurabhSharma-msft answered SaurabhSharma-msft commented

Hi @rotembenhemo-6455,

Thanks for using Microsoft Q&A!
It is unfortunately not possible to get the service principal Id directly in an ARM template. If the service principal belongs to a service that supports managed identity, then you can use identity.principalId to refer to it. So, if the managed identity is of a VM, then you can use something like the below:
"[reference(resourceId('Microsoft.Compute/virtualMachines', variables('vmName')),'2019-12-01', 'Full').identity.principalId]"
Please refer to the documentation over here.

Also, you can directly refer to User Assigned Managed Identities in your ARM template by using the resource type 'Microsoft.ManagedIdentity/userAssignedIdentities' and explicitly specifying principalType as "ServicePrincipal". Please refer to the documentation for details. Please let me know if you see any issues with this.

Thanks
Saurabh



Hi @rotembenhemo-6455,
I have not heard back from you. Did my answer solve your issue? If so, please mark as accepted answer. If not, please let me know how I may better assist.

Thanks
Saurabh


Hi @rotembenhemo-6455,

We haven't heard back from you. Just wanted to check if you are still facing the issue. In case you already found a solution, would you please share it here with the community? Otherwise, let us know and we will continue to engage with you on the issue.

Thanks
Saurabh
