1

I have an SPN/App Registration that has contributor access to subscriptions 1 and 2.

This SPN will be used by an external service to access subscriptions 1 and 2 to deploy resources.

How can this external service list all the subscriptions that the SPN has contributor access to?

JayakrishnaGunnam-MT
Jerald Baker

1 Answer

2

There is not an endpoint which can list all the subscriptions of an SPN in the Azure REST API.

The quickest way to check which subscriptions the SPN has access to is using Azure CLI.

Sign in with the SPN:

az login --service-principal --username APP_ID --password PASSWORD --tenant TENANT_ID

Then all the subscriptions which the SPN has access to will be listed.

But it won't show the Role name "contributor". So just make sure that the SPN doesn't have any roles other than "contributor".

If the SPN has a role which is not "contributor" for a subscription, the subscription will also be listed here. In this case, please select the subscription in PowerShell and then use az role assignment list --query "[?principalName=='{SPN_name}'].roleDefinitionName" to see its role in this subscription.

Allen Wu
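The per-subscription role check described in the answer above can be scripted. This is an added example, not part of the original answer. It assumes the session is already signed in as the SPN with `az login --service-principal`, and the function name `subs_with_role` and the `APP_ID` argument are hypothetical.

```shell
# Added example: print the IDs of the subscriptions in which a service
# principal holds a given role (default: Contributor).
#
# Assumption: the shell is already signed in as the SPN, so
# `az account list` returns exactly the subscriptions it can see.
#
# Usage: subs_with_role APP_ID [ROLE_NAME]
#   APP_ID     application (client) ID of the SPN
#   ROLE_NAME  role definition name to look for
subs_with_role() (
  # The function body is a subshell, so these variables stay local.
  app_id="$1"
  role="${2:-Contributor}"

  # One subscription ID per line for the signed-in identity.
  az account list --query "[].id" -o tsv |
  while IFS= read -r sub; do
    [ -n "$sub" ] || continue

    # Role names assigned to the SPN at subscription scope.
    # --include-inherited also returns assignments made on a parent
    # scope, such as a management group, which apply to the
    # subscription as well. stdin is redirected so az cannot consume
    # the list of subscription IDs feeding the loop.
    roles=$(az role assignment list \
      --assignee "$app_id" \
      --scope "/subscriptions/$sub" \
      --include-inherited \
      --query "[].roleDefinitionName" -o tsv </dev/null) || continue

    # Exact, whole-line match: "Contributor" must not match
    # "Storage Account Contributor" or similar role names.
    if printf '%s\n' "$roles" | grep -qxF "$role"; then
      printf '%s\n' "$sub"
    fi
  done
)
```

Subscriptions that appear in `az account list` but are missing from this output are ones where the SPN holds only some other role, which is the case the answer says to check for.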