Support az ad app permission admin-consent being called by a service principal #10403

Closed
sam-cogan opened this issue Sep 3, 2019 · 12 comments
Labels
customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request Graph az ad Service Attention This issue is responsible by Azure service team.


@sam-cogan

Is your feature request related to a problem? Please describe.
Based on the discussion here I understand it is not possible to have a service principal run the az ad app permission admin-consent CLI command. This is a major blocker to being able to fully automate AKS deployments that use Azure AD integration, as the apps you create for this need consent.

Describe the solution you'd like
Service Principals able to run the az ad app permission admin-consent command

Describe alternatives you've considered
The only current workaround is to run a deployment as a user, which is no good for automated CI/CD.

Additional context

@jiasli jiasli added the Graph az ad label Sep 4, 2019
@triage-new-issues triage-new-issues bot removed the triage label Sep 4, 2019
@jiasli jiasli self-assigned this Sep 4, 2019
@psyrus

psyrus commented Sep 4, 2019

Agreed, this single limitation is stopping our automation of the advanced networking features in AKS cluster deployments through automated pipelines... it always has to have a human in the loop for just this one step.

@jiasli jiasli added Feature Request Service Attention This issue is responsible by Azure service team. labels Sep 11, 2019
@jiasli
Member

jiasli commented Sep 11, 2019

Thank you for raising this feature request. We will look into it.

@rmcolbert

This is also blocking CI/CD for rolling out new Azure Functions w/ RBAC

@haroldrandom haroldrandom added Feature Request Graph az ad Service Attention This issue is responsible by Azure service team. labels Oct 25, 2019
@farahgara1794

I got the same problem to automate AKS creation using Terraform

@TechnologyAnimal

I've been making a huge push to begin leveraging AKS as the container platform of choice for my organization. Unfortunately, this issue is going to delay or possibly prevent the adoption of AKS entirely. We need to be able to have end-to-end automation for provisioning and configuring AKS. Can this issue be worked around in any way, such as making calls against the REST API?

@yonzhan yonzhan added this to the S162 milestone Oct 31, 2019
@cloudpea

cloudpea commented Nov 7, 2019

We are unable to automate the AAD integration with our AKS cluster due to this limitation.

@yonzhan yonzhan modified the milestones: S162, S163 Dec 15, 2019
@yonzhan yonzhan modified the milestones: S163, S164 Jan 2, 2020
@yonzhan yonzhan modified the milestones: S164, S165 Feb 1, 2020
@MarcelT-NL

> I got the same problem to automate AKS creation using Terraform

Same here. Blocks CI/CD for us with automatic nightly builds/tests

@yonzhan yonzhan modified the milestones: S165, S166 Feb 15, 2020
@yonzhan yonzhan modified the milestones: S166, Backlog Mar 7, 2020
@jiasli
Member

jiasli commented Mar 9, 2020

Duplicate of #12137

Granting Delegated Permission and Application Permission called by a Service Principal is now supported using Microsoft Graph API with az rest.

Please check #12137 (comment) for more information.

@pmatthews05

Want this feature too to automate using pipelines.

@sam-cogan
Author

sam-cogan commented Jun 13, 2020

FYI, it is now possible to grant consent through the REST API - see here.

@pmatthews05

@sam-cogan I saw this blog post and this is only for Delegate permissions. It was the application permissions I wanted to automate the grants for.
However, through that blog post, and a bit of spare time at the weekend, I was able to understand how the App Registration / Service Principals work.

With the new permissions of AppRoleAssignment.ReadWrite.All available, it is now possible to do AppRoles as well as Oauth2Permissions.

I have put together a GitHub project https://github.com/pmatthews05/CFAppOnlyGrantPermissions with the instructions in the readme.md file. I will get round to writing a blog post within the next week to explain the code.

@jiasli
Member

jiasli commented Jun 16, 2020

Hi @pmatthews05,

> It was the application permissions I wanted to automate the grants for.

We do support granting Application Permissions with az rest. Please check my comment at #12137 (comment).
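
Added example (not from this thread or the Azure CLI project): a dry-run-by-default wrapper for the `az rest` approach described above, posting to the Microsoft Graph v1.0 `appRoleAssignments` and `oauth2PermissionGrants` endpoints. The function names and GUIDs are constructed; the ids are assumed to be service principal object ids, and every input is validated before it is placed in the JSON body.

```shell
#!/bin/sh
# Added example. Ids are *service principal* object ids, not application
# (client) ids. DRY_RUN=1 (default) prints the request instead of sending it.
# The caller needs AppRoleAssignment.ReadWrite.All (named in the thread); it
# can assign any app role, so keep the pipeline identity tightly held.
GRAPH="https://graph.microsoft.com/v1.0"
DRY_RUN="${DRY_RUN:-1}"
GUID_RE='[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
SCOPE_RE='[A-Za-z0-9._-]+( [A-Za-z0-9._-]+)*'

# True only for a single-line value that fully matches the ERE in $2.
matches() {
  [ "$(printf '%s\n' "$1" | grep -c '')" -eq 1 ] &&
    printf '%s\n' "$1" | grep -Eqx "$2"
}

graph_post() {  # uri body
  if [ "$DRY_RUN" = "1" ]; then
    printf 'POST %s %s\n' "$1" "$2"
  else
    az rest --method post --uri "$1" --body "$2"
  fi
}

# Application permission: assign one app role of the resource API to the client.
grant_app_role() {  # client_sp_id resource_sp_id app_role_id
  for id in "$1" "$2" "$3"; do
    matches "$id" "$GUID_RE" || { echo "not a GUID: $id" >&2; return 2; }
  done
  graph_post "$GRAPH/servicePrincipals/$1/appRoleAssignments" \
    "{\"principalId\":\"$1\",\"resourceId\":\"$2\",\"appRoleId\":\"$3\"}"
}

# Delegated permission: tenant-wide consent (consentType AllPrincipals).
grant_delegated() {  # client_sp_id resource_sp_id "scope1 scope2"
  matches "$1" "$GUID_RE" && matches "$2" "$GUID_RE" ||
    { echo "ids must be GUIDs" >&2; return 2; }
  matches "$3" "$SCOPE_RE" || { echo "invalid scope list: $3" >&2; return 2; }
  graph_post "$GRAPH/oauth2PermissionGrants" \
    "{\"clientId\":\"$1\",\"consentType\":\"AllPrincipals\",\"resourceId\":\"$2\",\"scope\":\"$3\"}"
}

# Constructed placeholder ids: in dry-run mode, show the request that would be sent.
if [ "$DRY_RUN" = "1" ]; then
  grant_app_role 11111111-1111-1111-1111-111111111111 \
    22222222-2222-2222-2222-222222222222 33333333-3333-3333-3333-333333333333
fi
```

Run with `DRY_RUN=0` only after `az login --service-principal` as the pipeline identity; the dry-run output is the exact body to review first.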

@azure-sdk azure-sdk added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label Sep 24, 2020
@jiasli jiasli closed this as completed Jul 8, 2021
@jiasli jiasli modified the milestones: Backlog, Jul 2021 (2021-08-03) Jul 8, 2021