Azure multi subscription RBAC for a service princpal

Question

I have 2 Azure subscriptions. Subscription_1 is used to create a VNET/SUBNET. Subscription_2 is used to create a VM inside that VNET.

To do the deployment, I am creating 2 Services principals. SPN_1 will deploy the VNET/SUBNET. SPN_2 will deploy the VM.

az ad sp create-for-rbac --name SP_1  --role contributor  --scopes /subscriptions/mySubscriptionID_of_Subscription_1 

az ad sp create-for-rbac --name SP_2  --role contributor  --scopes /subscriptions/mySubscriptionID_of_Subscription_2

However, for SPN_2 To deploy the VM , I need SP_2 to have "network contributor" RBAC to Subscription_1.

I looked at the documentation, and it is very poor and does not give examples of update : https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-update

How can I update the SP_1 to do so ? What are the CLI to achieve this ?

score 1 · Accepted Answer · answered Jun 09 '23 at 07:26

1

You dont need to create multiple service principal:

Create one service principal using az ad sp create-for-rbac.
Assign role using az role assignment create.

Here is a powershell example:

# Create service principal
$spCredentials = az ad sp create-for-rbac --name SP_1 | ConvertFrom-Json

# Get SP details
$spDetails = az ad sp show --id $spCredentials.appId | ConvertFrom-Json

# Create contributor role assignment for subscription1
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "contributor" --scope /subscriptions/mySubscriptionID_of_Subscription_1

# Create network contributor role assignment for subscription1
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "network contributor" --scope /subscriptions/mySubscriptionID_of_Subscription_1

# Create contributor role assignment for subscription2
az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id $spDetails.id --role "contributor"--scope /subscriptions/mySubscriptionID_of_Subscription_2

answered Jun 09 '23 at 07:26

Thomas

24,234
6
81
125

Thank ! What would be the cli if let us say SP_1 and SP_2 would be in seperate tenant ? – MouIdri Jun 12 '23 at 05:19
does sp1 only needs role in tenant1 and sp2 in tenant2 ? – Thomas Jun 12 '23 at 07:21
Subscription 1 in tenant 1 has the VNET , subscription 2 in tenant 2 will own the VMs. I am struggling with this.. – MouIdri Jun 13 '23 at 07:37
you means SP2 needs permissions over the vnet in sub1 in tenant1 ? – Thomas Jun 13 '23 at 08:08
cross tenant access is quite a different approach: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-overview – Thomas Jun 13 '23 at 08:09
Feel like a different question – Thomas Jun 13 '23 at 08:09
Ok.. I have legacy tenant from a company we bought and I wanted to incorporate some of the network that are matching and deploy VMs also. Bit is seems to be a complex route.. – MouIdri Jun 13 '23 at 17:04
1

I accept the answer – MouIdri Jun 13 '23 at 17:04

Azure multi subscription RBAC for a service princpal

1 Answers1