I have the following cobbled together from various sources in my DevOps pipeline:
# Names for the identity and resource group, plus the Microsoft Graph app role to grant
$MIName = "my-identity-test-mi"
$RGName = "my-identity-test-rg"
$Location = "eastus"
$GraphAppId = "00000003-0000-0000-c000-000000000000"   # well-known appId of Microsoft Graph
$PermissionName = "Directory.Read.All"

# Create the resource group and the user-assigned managed identity with the Az modules
New-AzResourceGroup -Name $RGName -Location $Location -Force
Install-Module -Name "Az.ManagedServiceIdentity" -Force
New-AzUserAssignedIdentity -ResourceGroupName $RGName -Name $MIName

# Reuse the pipeline's Az login to mint tokens for Microsoft Graph and Azure AD Graph,
# then sign the AzureAD module in with those tokens
Install-Module -Name "AzureAD" -Force
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, `
    $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, `
    $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, `
    $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, `
    "https://graph.windows.net").AccessToken
Write-Output "ID $($context.Account.Id)"
Write-Output "Account $($context.Account)"
Write-Output "Type $($context.GetType())"
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id -MsAccessToken $graphToken

# Look up the identity's service principal and Microsoft Graph's service principal,
# pick the application-type app role and assign it to the identity
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$MIName'")
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-AzureADServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
I have given the service principal that my pipeline runs as the following permissions:
But when my pipeline runs I get:
Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: d06466ff-a2b9-4b3f-a5d8-43aa5e6e107c
DateTimeStamp: Sat, 17 Jul 2021 15:59:01 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
PowerShell exited with code '1'.
This is not a case of "run it twice and it works" as in the issue referenced, so I'm guessing I've not quite got the permissions of my DevOps service principal correct, but I can't for the life of me work out what those permissions should be!
Any advice appreciated.
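Added example, not part of the question above: the same grant done from an Azure DevOps AzurePowerShell task against Microsoft Graph only, using the task's existing Az login instead of the AzureAD module and the hand-built token calls. Two things are worth separating when debugging a 403 like the one in the question. First, the legacy AzureAD cmdlets talk to Azure AD Graph (graph.windows.net), so an application permission granted on Microsoft Graph does not help them; going through one API keeps the question "which permission, on which API" unambiguous. Second, creating the app role assignment (POST /servicePrincipals/{id}/appRoleAssignments in Microsoft Graph) requires the caller to hold AppRoleAssignment.ReadWrite.All on Microsoft Graph (the Graph reference lists it together with Application.Read.All), and that permission has to be admin-consented, not merely added to the app registration. The script below therefore first reads back what the pipeline's own service principal actually holds on Microsoft Graph and fails early with a clear message, then resolves the managed identity's service principal by its client ID (polling, since a freshly created identity can take a moment to appear in the directory), and makes the grant idempotent so reruns do not fail. Assumptions: Az.Accounts 2.2 or later (for Get-AzAccessToken) plus Az.ManagedServiceIdentity, Connect-AzAccount already run by the task as a service principal, and the names from the question as placeholders; the helper Invoke-Graph is mine, not a real cmdlet.

```powershell
# Added example (not from the question). Grants a Microsoft Graph app role to a user-assigned
# managed identity using only Az.Accounts + Az.ManagedServiceIdentity and the REST API.
# Assumes Connect-AzAccount has already been run as the pipeline's service principal.
$MIName         = "my-identity-test-mi"                    # placeholder names from the question
$RGName         = "my-identity-test-rg"
$GraphAppId     = "00000003-0000-0000-c000-000000000000"   # well-known appId of Microsoft Graph
$PermissionName = "Directory.Read.All"

$ctx = Get-AzContext
if ($ctx.Account.Type -ne "ServicePrincipal") {
    throw "Expected a service principal login; got account type '$($ctx.Account.Type)'"
}

# Microsoft Graph token from the existing Az login. Newer Az.Accounts releases return the
# Token property as a SecureString, so handle both shapes.
$tok = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
if ($tok -is [System.Security.SecureString]) {
    $tok = [System.Net.NetworkCredential]::new("", $tok).Password
}
$headers = @{ Authorization = "Bearer $tok"; "Content-Type" = "application/json" }
$graph   = "https://graph.microsoft.com/v1.0"

# Hypothetical helper (not a real cmdlet): thin wrapper around Invoke-RestMethod for Graph calls.
function Invoke-Graph([string]$Method, [string]$Path, $Body = $null) {
    $params = @{ Method = $Method; Uri = "${graph}${Path}"; Headers = $headers }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Compress) }
    Invoke-RestMethod @params
}

# 1. Pre-flight: what does the pipeline's own service principal hold on Microsoft Graph?
#    For a service principal login, Account.Id is the application (client) ID.
$graphSp = (Invoke-Graph GET "/servicePrincipals?`$filter=appId eq '$GraphAppId'").value[0]
$me      = (Invoke-Graph GET "/servicePrincipals?`$filter=appId eq '$($ctx.Account.Id)'").value[0]
$mine    = (Invoke-Graph GET "/servicePrincipals/$($me.id)/appRoleAssignments").value |
           Where-Object resourceId -eq $graphSp.id
$heldRoles = $mine | ForEach-Object { ($graphSp.appRoles | Where-Object id -eq $_.appRoleId).value }
Write-Host "Pipeline SP $($ctx.Account.Id) holds on Microsoft Graph: $($heldRoles -join ', ')"
if ($heldRoles -notcontains "AppRoleAssignment.ReadWrite.All") {
    throw "Pipeline SP lacks AppRoleAssignment.ReadWrite.All on Microsoft Graph (grant it and admin-consent it)"
}

# 2. Resolve the managed identity's service principal by client ID. Filtering returns an
#    empty list (not a 404) while directory replication is still catching up, so poll.
$mi   = Get-AzUserAssignedIdentity -ResourceGroupName $RGName -Name $MIName
$miSp = $null
for ($i = 0; $i -lt 12 -and -not $miSp; $i++) {
    $miSp = (Invoke-Graph GET "/servicePrincipals?`$filter=appId eq '$($mi.ClientId)'").value |
            Select-Object -First 1
    if (-not $miSp) { Start-Sleep -Seconds 10 }
}
if (-not $miSp) { throw "Service principal for $MIName is not visible in the directory yet" }

# 3. Pick the application-type app role and assign it, skipping the POST if it already exists
#    (a second run of the question's script would otherwise fail with a duplicate-assignment error).
$appRole = $graphSp.appRoles |
           Where-Object { $_.value -eq $PermissionName -and $_.allowedMemberTypes -contains "Application" }
if (-not $appRole) { throw "Microsoft Graph exposes no application app role named $PermissionName" }

$existing = (Invoke-Graph GET "/servicePrincipals/$($miSp.id)/appRoleAssignments").value |
            Where-Object { $_.resourceId -eq $graphSp.id -and $_.appRoleId -eq $appRole.id }
if ($existing) {
    Write-Host "$MIName already holds $PermissionName on Microsoft Graph; nothing to do"
} else {
    $body   = @{ principalId = $miSp.id; resourceId = $graphSp.id; appRoleId = $appRole.id }
    $result = Invoke-Graph POST "/servicePrincipals/$($miSp.id)/appRoleAssignments" $body
    Write-Host "Granted $PermissionName to $MIName (assignment id $($result.id))"
}
```

Run it as an AzurePowerShell task with the same service connection the question uses. If the pre-flight check throws, the fix is in the app registration of that service connection's principal (add the Microsoft Graph application permission and grant admin consent), not in the script; once it passes, a 403 on step 3 would point at something other than missing permissions.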