Hello,
I created an Enterprise application in Azure Active Directory. I manually gave it the Reader role under my subscription -> Access control (IAM).
I am searching for a way to add more roles to the app using Azure ARM (for automation).
In my search I found this:
"resources": [
    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2018-09-01-preview",
        "name": "[guid(some string)]",
        "properties": {
            "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'roleId')]",
            "principalId": "objectId"
        }
    }
]
When I give the "objectId" as a parameter (which I took manually from the portal), it works, and I see the new role under the subscription's Access control.
Is there a way to get this objectId with some ARM function, without passing the id in as a parameter?
I read that I can use the function "[reference(resourceId()).principalId]", but I don't know which values I need to insert for my Enterprise application. I have the app (client) id, tenant id, subscription id and client secret. Which provider do I need to give? Which ResourceType? I did not find any documentation about it. Can this function be used for an Enterprise application?
I also tried to get the objectId using the CLI command $(az ad sp show --id appId --query 'objectId') and use it in the ARM template with deploymentScripts. I created a userAssignedIdentities resource for it and gave it the Contributor role, but I am getting an error: Insufficient privileges to complete the operation...
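Added example, not the poster's template: a Python helper that emits the subscription-scope role assignment described above, keeping the object id as a parameter because an Enterprise application's service principal is not an ARM resource and therefore has no reference() output (that function only works for managed identities and other deployed resources); the guid() name is seeded deterministically and principalType is declared. The role definition ids are Azure's public built-in values; the role names and the sample object id are constructed for the example.

```python
import re

# Built-in role definition ids are identical in every Azure tenant.
BUILTIN_ROLES = {
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def is_guid(value: str) -> bool:
    """True when value has the shape of an Azure AD object id."""
    return bool(GUID_RE.match(value))


def role_assignment_template(role_name: str) -> dict:
    """Subscription-scope ARM template assigning one built-in role to the principalId parameter."""
    role_id = BUILTIN_ROLES[role_name]
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"principalId": {"type": "string"}},
        "variables": {
            # Same path the question builds with concat(), via the dedicated function.
            "roleDefinitionId": f"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{role_id}')]"
        },
        "resources": [{
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2018-09-01-preview",
            # The name must be a GUID; seeding guid() with scope, role and principal keeps
            # it stable, so redeploying the template updates rather than duplicates.
            "name": "[guid(subscription().id, variables('roleDefinitionId'), parameters('principalId'))]",
            "properties": {
                "roleDefinitionId": "[variables('roleDefinitionId')]",
                "principalId": "[parameters('principalId')]",
                # Declaring the type skips the directory lookup that fails with
                # PrincipalNotFound when the service principal was only just created.
                "principalType": "ServicePrincipal",
            },
        }],
    }


def parameters_file(principal_id: str) -> dict:
    """Parameter file for the template; rejects values that are not object id GUIDs."""
    if not is_guid(principal_id):
        raise ValueError(f"principalId must be a GUID, got {principal_id!r}")
    return {"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
            "contentVersion": "1.0.0.0", "parameters": {"principalId": {"value": principal_id}}}
```

A pipeline can feed parameters_file() with the object id returned by az ad sp show and deploy both documents with az deployment sub create.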