
I wish to grant a third-party application API access to my Azure tenant for purposes of installing a TLS certificate on a certain website ("App Service," in Azure terminology).

However, assigning the Contributor role seems a bit excessive. I don't want to give away the keys to the kingdom, so to speak.

Is there a lesser role that I can use that will accomplish this goal? I'd like to apply the Principle of Least Privilege here.

-- EDIT --

- Desired end state

A security role configuration that permits the third-party application to upload and install a TLS certificate on an App Service, but nothing more.

- The specific problem

The Contributor role grants near-system-wide permissions within the tenant, permissions that the application doesn't need (and therefore shouldn't have).

- Information about the environment

The application is connecting to Azure via either the REST API or the .NET SDK, and thus requires the Service Principal's ID and Client Secret, as well as the Tenant ID.

- Attempted solutions

I've examined the official documentation in search of a role specific to the purpose—limited to configuring an App Service—but I've not found one. By posting here I'm hoping to find someone with direct experience with the same scenario (a pretty common one, I would imagine), and who has solved it to his satisfaction.

InteXX
  • Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement that do not include the even told steps are not useful to other readers and are unlikely to get good answers – djdomi May 17 '23 at 10:16
  • Thanks for the pointers. I thought I was already there, but I'll give it another shot. Edits forthcoming. – InteXX May 17 '23 at 17:53
  • OK, I've added some improvements. Thanks again. Note that I shouldn't have to explain everything down to the smallest detail—some foreknowledge is necessary to understand the question at all (e.g. what is Azure, what is a Service Principal, what is a Role in the context of Azure, how does one assign a Role, etc.). – InteXX May 17 '23 at 18:16

0 Answers