0

I have a Powershell script which runs to set up Azure web apps, databases, etc. but before running the script, I have to do the following:

PS C:\> Login-AzureRmAccount

This pops up a GUI in which I have to manually add in my user, password, and my 2-factor authentication code. I eventually want to use that script as a part of a build/deployment automation script.

I gleaned the following from a few articles about using a "service principal".

First I do:

PS C:\> Add-AzureRmAccount

In this call I have to put in my user, password, and authentication code.

After that I have to do the following (even though I don't fully understand it).

$app = New-AzureRmADApplication -DisplayName "GGReal" -HomePage "https://www.example.org/ggreal" -IdentifierUris "https://www.example.org/ggreal" -Password "mysecretpass"

New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

This seems to work.

Then I try this, and it fails.

New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $app.ApplicationId

I got the following error:

New-AzureRmRoleAssignment : AuthorizationFailed: The client 'jay@myemail.com' with object id '8ee9a6ec-yyyy-xxxx-xxxx-4ac0883f2a12' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/5ba06de5-xxxx-zzzz-yyyy-27f7d2c8bba6'.
At line:1 char:1
+ New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : CloseError: (:) [New-AzureRmRoleAssignment], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

What do I have to do to enable a scripted authorization without manual intervention?

Jay Godse

2 Answers

1

According to the exception, you don't have adequate permission to do that. We can check Active Directory permissions following the document. Our account needs to have Microsoft.Authorization/*/Write access to assign an AD app to a role. That means our account should be assigned the Owner role or the User Access Administrator role. If not, please ask your subscription administrator to add you to the User Access Administrator role. For how to add or change Azure administrator roles, please refer to the document.

After that, please try to automate login for Azure PowerShell scripts with the following code.

$azureApplicationId = "Azure AD Application Id"   # ApplicationId of the AD app (not its object id)
$azureTenantId = "Your Tenant Id"
$azurePassword = ConvertTo-SecureString "strong password" -AsPlainText -Force   # the -Password given to New-AzureRmADApplication
$psCred = New-Object System.Management.Automation.PSCredential($azureApplicationId, $azurePassword)
Add-AzureRmAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal


I also found some related documents about creating authentication and built-in roles:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#roles-in-azurel

Tom Sun - MSFT
0

Well, you don't have permissions to assign that role to that service principal; you need appropriate rights. And those would be: Microsoft.Authorization/roleAssignments/write at scope /subscriptions/5ba06de5-xxxx-zzzz-yyyy-27f7d2c8bba6.

You could either create a new Custom Role and assign it to your account, or assign something like Subscription Admin (not sure if it's the least possible approach, but you can retract it later) to your account.

4c74356b41
  • Is that something my Azure administrator would do? I'm not the "boss" of our Azure account, but I have a lot of privileges. – Jay Godse Dec 16 '16 at 19:11
  • Well, anyone with the required permissions; the account you are logged in with is clearly lacking those specific permissions. – 4c74356b41 Dec 16 '16 at 19:12
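Both answers point to the same fix: an account that holds Microsoft.Authorization/roleAssignments/write does the role assignment once, after which the build agent logs in as the service principal. The following script is an added example, not code from the question or either answer, that ties those steps together: it checks up front whether the signed-in account can assign roles at the target scope, creates the application and service principal with the secret taken from an environment variable instead of a literal, grants the role at resource-group scope rather than the whole subscription, and ends with the non-interactive login. The resource-group name, the environment-variable name and the choice of the Contributor role are assumptions.

```powershell
# Added example, not code from the question or either answer. Assumes the AzureRM
# module, that Add-AzureRmAccount has already been run interactively once in this
# session, and an existing resource group; values marked CONSTRUCTED are placeholders.
param(
    [string]$AppName       = 'GGReal',          # display name used in the question
    [string]$ResourceGroup = 'ggreal-rg',       # CONSTRUCTED
    [string]$Role          = 'Contributor',     # assumed sufficient for web apps and databases
    [string]$SecretEnvVar  = 'GGREAL_SP_SECRET' # CONSTRUCTED: env var holding the SP secret
)
# 1. Preflight: confirm the signed-in account holds the action named in the question's
#    AuthorizationFailed error, at the scope we will actually assign.
$ctx    = Get-AzureRmContext
$scope  = (Get-AzureRmResourceGroup -Name $ResourceGroup).ResourceId
$needed = 'Microsoft.Authorization/roleAssignments/write'
$canAssign = $false
foreach ($ra in Get-AzureRmRoleAssignment -SignInName $ctx.Account.Id -Scope $scope -ExpandPrincipalGroups) {
    $def = Get-AzureRmRoleDefinition -Name $ra.RoleDefinitionName
    # Simplified check: wildcard-match Actions only ('*' and 'Microsoft.Authorization/*/Write'
    # both match the needed action); NotActions are not evaluated here.
    if ($def.Actions | Where-Object { $needed -like $_ }) { $canAssign = $true; break }
}
if (-not $canAssign) {
    throw "$($ctx.Account.Id) lacks '$needed' over $scope. Ask an Owner or User Access Administrator."
}
# 2. Create the AD application and service principal (same cmdlets as the question), taking
#    the secret from the environment. -Password is a plain string here as in the question;
#    newer AzureRM releases expect a SecureString instead.
$secret = [Environment]::GetEnvironmentVariable($SecretEnvVar)
if (-not $secret) { throw "Set $SecretEnvVar before running this script." }
$uri = "https://www.example.org/$($AppName.ToLower())"
$app = New-AzureRmADApplication -DisplayName $AppName -HomePage $uri -IdentifierUris $uri -Password $secret
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
# 3. Assign the role at resource-group scope rather than the whole subscription.
#    A new principal can take a few seconds to replicate, so retry briefly.
for ($attempt = 1; $attempt -le 6; $attempt++) {
    try {
        New-AzureRmRoleAssignment -RoleDefinitionName $Role -ObjectId $sp.Id -Scope $scope -ErrorAction Stop
        break
    } catch {
        if ($attempt -eq 6) { throw }
        Start-Sleep -Seconds 10
    }
}
# 4. What the build agent runs afterwards: non-interactive login as the service principal.
$secureSecret = ConvertTo-SecureString $secret -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($app.ApplicationId, $secureSecret)
Add-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $ctx.Tenant.Id
```

Steps 1 to 3 run once under a human account that holds the role-assignment permission; only step 4, with the ApplicationId, tenant id and secret supplied from the build system's secret store, belongs in the automation script.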