
I am using ARM deployment scripts (AzCli). Can we use az rest in ARM deployment scripts? I am getting Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."

s-a-n
  • Can you post the section of the ARM template that you believe is giving you this issue? Also what are you trying to achieve as I am struggling to see the use of using the CLI in an ARM template. – blockingHD May 18 '21 at 21:44
  • `"scriptContent": "landingPageApp=$(az rest --method POST --headers \"Content-Type=application/json\" --uri https://graph.microsoft.com/v1.0/applications --body '{\"displayName\": \"LandingpageAppARM\"}')"` – s-a-n May 18 '21 at 23:08
  • Trying to create an app registration using `"type": "Microsoft.Resources/deploymentScripts",` and running the above script – s-a-n May 18 '21 at 23:09
  • Actually, none of the `az rest` commands are working in the container – s-a-n May 18 '21 at 23:09

1 Answer

I can reproduce your issue on my side; it means your user-assigned identity (MSI) does not have enough permissions to create the AD App via Microsoft Graph in your tenant.

To solve this issue, just give an AAD admin role, e.g. Application administrator, to the service principal of your MSI, following the steps below.

1. Navigate to the Azure Active Directory in the portal -> Roles and administrators -> click Application administrator.

2. Click Add assignments -> Select member(s) -> search for the name of your MSI -> add it.

Note: You can also give the Microsoft Graph application permission Application.ReadWrite.All to the MSI instead of Application administrator. I won't say too much here; if you are interested in it, let me know and I can post it.

Besides, if you just want to create the AD App with Azure CLI, there is actually no need to use az rest manually; you can use the built-in command az ad app create directly.

Test sample:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "identity": {
      "type": "string"
    },
    "utcValue": {
      "type": "string",
      "defaultValue": "[utcNow()]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deploymentScripts",
      "apiVersion": "2020-10-01",
      "name": "runAzureCLI",
      "location": "[resourceGroup().location]",
      "kind": "AzureCLI",
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
          "[parameters('identity')]": {
          }
        }
      },
      "properties": {
        "forceUpdateTag": "[parameters('utcValue')]",
        "AzCliVersion": "2.15.0",
        "timeout": "PT30M",
        "scriptContent": "landingPageApp=$(az rest --method POST --headers \"Content-Type=application/json\" --uri https://graph.microsoft.com/v1.0/applications --body '{\"displayName\": \"LandingpageAppARM\"}')",
        "cleanupPreference": "OnSuccess",
        "retentionInterval": "P1D"
      }
    }
  ]
}


Joy Wang
  • oh right, il try and see what is the minimum permissions needed to do this. – s-a-n May 19 '21 at 03:16
  • Thanks @joy, I should have tried this. Application developer works too :-), thanks for pointing out! – s-a-n May 19 '21 at 03:23