What we are trying to accomplish:
We are using Azure ARM Templates to deploy new applications. When we deploy these new applications, we need to register them with our Azure AD for authentication purposes. We would like to include this app registration in our template along with the deployment of the application resources.
It looks like Azure Deployment Scripts are the way to register new apps with Azure AD in our ARM template. In our Deployment Script, the "scriptContent" I am attempting to run is simply az ad app create --display-name ${appName}
The Problem
Permissions. We are getting DeploymentScriptError: Insufficient privileges to complete the operation. I proceeded to create a Managed Identity and added az login --identity -u ${managedIdentityId} at the beginning of the script, but the same error persisted. It seems the managed identity does not have permission to create an app registration, and I am unsure how to grant it this permission.
I found this article, which provides a PowerShell script for granting the necessary permissions to the managed identity; however, the author does not explain what "GraphAppId" is or where it comes from.
Any help with this would be tremendously appreciated
We are pretty new to ARM templates but this is what we currently have:
main.bicep
// The template creates the resource group itself, so it must be deployed at subscription scope.
targetScope = 'subscription'
// Region used for the resource group and passed down to the deployment-script module.
param location string = 'eastus'
// Resource group that will hold the application resources and the deployment script.
resource myResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'rg-test1'
  location: location
}
// Pre-existing user-assigned managed identity (created outside this template) that the
// deployment script runs as. It lives in a different resource group, hence the explicit scope.
// This template only references it: whatever directory (Azure AD / Microsoft Graph)
// permission it needs for `az ad app create` has to be granted to it separately, because
// Azure RBAC role assignments cannot express directory permissions.
resource managedId 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
  name: 'mi-deployscripttest'
  scope: resourceGroup('DefaultResourceGroup-EUS')
}
// Deploys the script (and its least-privilege role assignment) into the new resource group.
// The identity's resource ID is used to attach it to the script resource; its principalId is
// what the role assignment inside the module binds to.
module deploymentScript 'modules/deploymentScript.bicep' = {
  scope: myResourceGroup
  name: 'deploymentScript'
  params: {
    appName: 'testApp1'
    location: location
    managedIdentityId: managedId.id
    managedIdentityPrincipalId: managedId.properties.principalId
  }
}
deploymentScript.bicep
// Region for the deployment-script resource.
param location string
// Display name of the Azure AD app registration to create. It is spliced into a shell
// command below, so keep it to plain characters (no quotes or shell metacharacters).
param appName string
// Resource ID of the user-assigned managed identity the script runs as.
param managedIdentityId string
// principalId of that identity, used for the role assignment.
param managedIdentityPrincipalId string
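// Shell script executed inside the deployment-script container. Both arguments are
// double-quoted so a display name containing spaces is passed as a single argument instead
// of being split into extra positional arguments (a name containing '"' or '$' would still
// need escaping; appName is a template parameter, so keep it to plain identifiers).
// NOTE: `az ad app create` is a Microsoft Graph (directory) operation. The Azure RBAC role
// assigned below does not cover it; the identity needs a Graph application permission such
// as Application.ReadWrite.OwnedBy (least privilege) granted by a directory admin. The
// command is also not idempotent: re-running the script creates a second registration with
// the same display name.
// NOTE(review): the container presumably already runs under this identity, so the explicit
// `az login --identity` may be redundant — confirm against the deployment-script docs.
var scriptContent = format('''
az login --identity -u "{0}"
az ad app create --display-name "{1}"
''', managedIdentityId, appName)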
// Custom role limited to what the deployment-script service needs in this resource group:
// the storage account and container instance it provisions to run the script, and the
// deployments/deploymentScripts resources themselves. These are all Azure RBAC (ARM)
// actions; none of them grants any Azure AD / Microsoft Graph right, so this role on its own
// cannot make `az ad app create` succeed — that requires a Graph application permission on
// the identity, which Azure RBAC cannot express.
resource deploymentScriptRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
  // NOTE(review): custom role IDs and roleNames are tenant-wide, while this seed is a
  // constant — deploying the module into a second resource group would update this same
  // definition (replacing assignableScopes) rather than create a new one; confirm that is intended.
  name: guid('basicDeploymentScriptDefinition')
  properties: {
    roleName: 'deployment-script-minimum-privilege-for-deployment-principal'
    description: 'Configure least privilege for the deployment principal in deployment script'
    type: 'customRole'
    permissions: [
      {
        actions: [
          // Storage account used by the script run (includes key listing).
          'Microsoft.Storage/storageAccounts/*'
          // Container instance that executes the script.
          'Microsoft.ContainerInstance/containerGroups/*'
          'Microsoft.Resources/deployments/*'
          'Microsoft.Resources/deploymentScripts/*'
          // Registers the Storage resource provider if it is not already registered.
          'Microsoft.Storage/register/action'
        ]
      }
    ]
    // Only assignable within this resource group.
    assignableScopes: [
      resourceGroup().id
    ]
  }
}
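// Binds the least-privilege custom role above to the script's managed identity at this
// resource group's scope (a role assignment takes the scope it is declared in).
// This is an Azure RBAC assignment only; it does not grant the identity any Microsoft Graph /
// directory permission, which is what `az ad app create` needs.
resource deploymentScriptRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Seed the GUID with the scope, principal and role so the name is unique per
  // (resource group, identity, role) and redeploying the module elsewhere does not collide
  // with this assignment's fixed name.
  name: guid(resourceGroup().id, managedIdentityPrincipalId, deploymentScriptRoleDefinition.id)
  properties: {
    principalId: managedIdentityPrincipalId
    roleDefinitionId: deploymentScriptRoleDefinition.id
    // Stating the principal type avoids "PrincipalNotFound" failures caused by directory
    // replication lag when the identity was created shortly before the assignment.
    principalType: 'ServicePrincipal'
  }
}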
// The deployment script itself. It runs as the user-assigned identity below, which is why
// that identity needs (a) the RBAC role assigned above for the run infrastructure and (b) a
// directory (Microsoft Graph) permission, granted separately, for what the script actually does.
resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'deploymentScriptTest1'
  location: location
  kind: 'AzureCLI'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      // Keyed by the identity's resource ID; the value is an empty object by convention.
      '${managedIdentityId}': {}
    }
  }
  properties: {
    // NOTE(review): 2.9.1 is an old CLI release. Older `az ad` commands used the legacy
    // Azure AD Graph endpoint while newer releases use Microsoft Graph, which changes which
    // Graph application the identity's permission must be granted against — confirm the
    // version against the CLI release notes before granting permissions.
    azCliVersion: '2.9.1'
    // Keep the script resource for one day after it finishes.
    retentionInterval: 'P1D'
    scriptContent: scriptContent
    // Delete the supporting storage account / container instance even when the script fails;
    // 'OnSuccess' would keep them for troubleshooting failed runs.
    cleanupPreference: 'Always'
  }
  // This resource does not reference the role assignment symbolically, so the dependency
  // must be explicit; otherwise the script could start before the role is in place.
  dependsOn: [
    deploymentScriptRoleAssignment
  ]
}