I would like to create a least permission custom role in Azure to assign to a service principal that only allows the service principal to register Azure AD applications and service principals.

The "Contributor" standard role has all the needed rights but also a great many that are not needed, and I can't find anything in the list of available operations that seems to correspond to application registrations which could be used to produce a custom role.


It turns out the question is misguided - I had thought the assignment of Microsoft.Azure.ActiveDirectory permissions to the service principal was insufficient to create and edit app registrations. But it turns out I was just running up against a 5-10 minute lag between permissions being set in the Azure portal and the permissions taking effect. Granting the contributor role to the service principal just happened to take enough time for the original permissions to take effect.

Simon Hardman

  • Be careful not to confuse [Azure RBAC roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview), [Azure AD application permissions](https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-permissions-and-consent#types-of-permissions), and [Azure AD *directory* roles](https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles). These are different things, which give permissions in different systems. – Philippe Signoret Nov 06 '18 at 10:04

2 Answers

AFAIK, you would not need to create a custom role in Azure to allow registering Azure AD Applications and Service Principals.

Who can register an application through Azure AD is controlled by a user's membership in Azure Active Directory itself and their "Directory Role" in that Azure AD for some operations, but not by the usual RBAC built-in or custom roles which you are looking at (as you mention the list of ARM Resource Provider operations in your question).

Please refer to this Microsoft Documentation: Who has permission to add applications to my Azure AD instance?


UPDATE: answering the query from the comments after Simon's edit to the original question.

How to provide application registration privileges to a service principal?

Again, you will not use RBAC roles or create custom roles as you mention in your question but instead provide specific "application permissions" to the relevant Service Principal in Azure AD. I'll give steps below.

  1. Go to your Azure AD, "Registered applications"
  2. Find your service principal (you may need to look at all applications instead of just mine)
  3. Add required permissions as shown below:

[screenshots of the "Required permissions" selection are not reproduced here]

Once you've selected the right permissions and pressed Done, please click on "Grant Permissions", because these permissions need admin consent.

[screenshot of the "Grant Permissions" button is not reproduced here]


Rohit Saigal

  • Sorry, I omitted that the role is for assignment to a service principal. Will look into your suggestions – Simon Hardman Nov 06 '18 at 02:41
  • @SimonHardman, no worries, the concepts stay similar; I had answered something very similar to your query in this SO post a little earlier: https://stackoverflow.com/questions/53009509/service-principal-privileges-for-app-registration-creation/53014616#53014616. I'll edit my answer to include that information. You can try it out. – Rohit Saigal Nov 06 '18 at 02:44
  • @SimonHardman I've updated my answer and done a brief test at my end as well. I created an app using the service principal (logged in as the service principal) and app registration worked fine. Do notice the application permissions I'm using; they are just a little different than the other similar post I mentioned above – Rohit Saigal Nov 06 '18 at 03:53
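The answer above does the grant in the portal, and its screenshots are gone, so here is the same step as an added PowerShell example (not code from the answer or from Microsoft). It assumes the AzureAD module and an existing Connect-AzureAD session, a service principal with the assumed display name `app-registration-automation`, and it chooses the Microsoft Graph application permission Application.ReadWrite.OwnedBy as the least-privilege grant for "register applications"; the answer's own screenshots may have used a different permission on the legacy Azure AD Graph API.

```powershell
#Requires -Modules AzureAD
# Added example, not part of the original answer. Grants a service principal the
# Microsoft Graph application permission Application.ReadWrite.OwnedBy, which lets
# it create application registrations and manage only the ones it owns.
# Assumptions: AzureAD module, an existing Connect-AzureAD session, and the
# display name below.
# Connect-AzureAD

$callerDisplayName = 'app-registration-automation'   # assumed name of the SP being granted the permission
$permission        = 'Application.ReadWrite.OwnedBy' # least-privilege choice for "register apps"

# The service principal that should be able to register applications
$caller = Get-AzureADServicePrincipal -Filter "displayName eq '$callerDisplayName'"
if (-not $caller) { throw "Service principal '$callerDisplayName' not found" }

# The Microsoft Graph service principal (well-known application ID) exposes the app roles
$graph = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $graph) { throw "Microsoft Graph service principal not found in this tenant" }

# Application permissions are the app roles whose AllowedMemberTypes contains 'Application'
$appRole = $graph.AppRoles |
    Where-Object { $_.Value -eq $permission -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $appRole) { throw "App role '$permission' is not exposed by Microsoft Graph" }

# Idempotency: list assignments where Graph is the resource and look for this caller/role pair
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $graph.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $caller.ObjectId -and $_.Id -eq $appRole.Id }

if ($existing) {
    Write-Output "'$permission' is already granted to '$callerDisplayName'"
} else {
    # Creating the app role assignment directly is the application-permission
    # equivalent of the portal's "Grant Permissions" (admin consent) step.
    New-AzureADServiceAppRoleAssignment -ObjectId $caller.ObjectId `
        -PrincipalId $caller.ObjectId -ResourceId $graph.ObjectId -Id $appRole.Id
}
```

The lookup of the app role by its `Value` is deliberate: the role's `Id` is a GUID specific to Microsoft Graph and is best resolved from the tenant rather than pasted in. Because the script re-checks existing assignments before creating one, it can be re-run safely, and the assignment it creates is visible under the service principal's "API permissions" in the portal.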
Use a custom AAD role as described here.

This is preferable to granting the built-in "Application Developer" role, because that role is too permissive and has the 250-app limit.

#Requires -Modules AzureADPreview
# 3 October 2020
# Connect-AzureAD

# Definition of the custom directory role. Only the two "create" actions are
# granted, so a holder can register applications but not modify other ones.
$ParameterList = @{
    DisplayName = 'Application Registration Creator'
    Description = 'Can create an unlimited number of application registrations.'
    TemplateId  = (New-Guid).Guid   # new GUID identifying this role template
    IsEnabled   = $true
    RolePermissions = @{
        allowedResourceActions = @(
            'microsoft.directory/applications/create'
            'microsoft.directory/applications/createAsOwner'
        )
    }
}

# Create the role; the returned object carries the Id needed for assignments
$customRole = New-AzureAdMSRoleDefinition @ParameterList
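The answer creates the role but stops short of assigning it to the service principal, which is what the question asked for. The following is an added example (not part of the answer) that assigns the custom role and reads the assignment back; it assumes the AzureADPreview module, an existing Connect-AzureAD session, the role display name used above, and a service principal with the assumed display name `app-registration-automation`.

```powershell
#Requires -Modules AzureADPreview
# Added example, not part of the original answer: assign the custom directory role
# created above to a service principal and verify the assignment. Assumptions:
# AzureADPreview module, an existing Connect-AzureAD session, and the names below.
# Connect-AzureAD

$roleDisplayName = 'Application Registration Creator'  # name used when the role was created
$spDisplayName   = 'app-registration-automation'       # assumed display name of the SP

# Resolve the custom role by display name rather than hard-coding its Id
$role = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleDisplayName'"
if (-not $role) { throw "Custom role '$roleDisplayName' not found; create it first" }

$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$spDisplayName'"
if (-not $sp) { throw "Service principal '$spDisplayName' not found" }

# Existing assignments for this principal, so re-running the script does not duplicate
$assignment = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($sp.ObjectId)'" |
    Where-Object { $_.RoleDefinitionId -eq $role.Id }

if (-not $assignment) {
    # DirectoryScopeId '/' is tenant-wide; the role itself only carries the two create actions
    $assignment = New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id `
        -PrincipalId $sp.ObjectId -DirectoryScopeId '/'
}

# Summarise what the principal now holds and which directory actions that grants
[pscustomobject]@{
    Principal = $sp.DisplayName
    Role      = $role.DisplayName
    Scope     = $assignment.DirectoryScopeId
    Actions   = ($role.RolePermissions.AllowedResourceActions -join ', ')
}
```

When testing the assignment, keep in mind the delay the question's author ran into: a token the service principal obtained before the assignment will not reflect it, and the author observed a lag of several minutes before new directory permissions took effect, so acquire a fresh token and allow for that before concluding the role is insufficient.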