Delegated permissions with a Client Secret by adding roles to a Service principal

AzureAD Apps & Service Principals

Within Azure AD you have App Registrations, and you can do a lot with them. I mainly use them for automating tasks.


Application or Delegated Permissions?

A big disadvantage is that you cannot always choose Application Permissions under API Permissions: some APIs only expose Delegated Permissions. The Azure Service Management API is one of them; the only permission it offers is the delegated user_impersonation permission.

The difference between Application and Delegated Permissions is that with Application Permissions the app acts as itself: no user is signed in, and the app's own identity (its service principal) is what gets authorized.

Delegated Permissions need a signed-in user: the app acts on behalf of that user and can do no more than that user is allowed to. For unattended automation that means you always need a service account, with a password to store and an MFA story that does not fit a non-interactive flow.

Several APIs offer only Delegated Permissions.


Is there really no other way?

For some APIs there is.
Whenever the target service authorizes by roles you assign in the Azure portal (Azure RBAC for Azure Resource Manager, for example), the API permission on the app registration is not what grants access; the role assignment is, and a service principal can be given one just like a user.


I need the Service Principal to work as its own entity in Azure

As I said above, as long as you can assign roles or permissions in the Azure portal, you can also pick the Service Principal there as the principal. For Azure Resource Manager that is exactly how authorization works: ARM checks the Azure RBAC role assignments of the object ID in the token, not the API permissions on the app registration. A service principal with a role assignment can therefore call the management API with a client-credential token and no user at all.

I’ll use the Azure Service Management API as an example.

I created a Service Principal called 'Temp' with the delegated permission 'Access Azure Service Management as organization users (preview)'.
I also created a Client Secret.

Write down the:

  • AppID
  • Client Secret
  • Tenant

Now, go to your Azure subscription (or, better, to the resource group the automation actually needs).

  • Click on Access Control (IAM)
  • Click on Add
  • Select the desired Role; pick the least privileged role that does the job
  • Search for the App registration by its full name

As you can see in the screenshot, I selected the Reader role and searched for the app registration 'Temp'. As you can see, it only shows up when you type out the name completely.


You can now log in with the AppID and Client Secret. The token you get back carries the service principal's own object ID, so the Reader assignment applies to it directly and no user account is involved. Treat the secret like a password: keep it out of the script (a secret store or an environment variable), give it an expiry date when you create it, and rotate it.
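The same procedure done from Az PowerShell, with the role scoped to one resource group and checked from both sides (what the principal holds, and what it can and cannot do once signed in). This is an added example, not code from the original post. The cmdlets are the real Az.Accounts and Az.Resources ones; the IDs, the tenant name and the resource group name are placeholders.

```powershell
# Added example, not from the original post. Assumes the Az.Accounts and Az.Resources modules
# are installed and you are signed in (Connect-AzAccount) as a user allowed to assign roles.
# All IDs and names below are placeholders.
$appId          = '00000000-0000-0000-0000-000000000000'   # AppID (client ID) of 'Temp'
$tenantId       = 'contoso.onmicrosoft.com'
$subscriptionId = '11111111-1111-1111-1111-111111111111'
$resourceGroup  = 'RG-2019'

# Assign at the narrowest scope that does the job. The secret is a bearer credential:
# whoever holds it gets this role at this scope, so a resource group beats the whole subscription.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$existing = Get-AzRoleAssignment -ServicePrincipalName $appId -RoleDefinitionName 'Reader' `
                                 -Scope $scope -ErrorAction SilentlyContinue
if (-not $existing) {
    # -ApplicationId resolves the app registration to its service principal for you.
    New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
}

# Verify: every assignment the service principal holds, inherited ones included.
Get-AzRoleAssignment -ServicePrincipalName $appId |
    Select-Object RoleDefinitionName, Scope, ObjectType

# Prove it from the other side: sign in as the service principal and read the resource group.
$secret = Read-Host -Prompt 'Client secret' -AsSecureString      # never hardcode it
$cred   = New-Object System.Management.Automation.PSCredential ($appId, $secret)
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $cred | Out-Null

Get-AzResourceGroup -Name $resourceGroup | Select-Object ResourceGroupName, Location

# With Reader scoped to one resource group, a write at subscription level must fail (AuthorizationFailed).
try {
    New-AzResourceGroup -Name "$resourceGroup-copy" -Location 'westeurope' -ErrorAction Stop | Out-Null
} catch {
    "Write blocked as expected: $($_.Exception.Message)"
}
Disconnect-AzAccount | Out-Null
```

A new role assignment can take a short while to propagate, so if the verification step or the sign-in test comes back empty or with 403 right after New-AzRoleAssignment, wait a minute and run it again rather than widening the role.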


For the PowerShell users among us

Here is a simple script to get an OAuth token with PowerShell.
Or check out my new module Optimized.Aza for an easier login process, with the OAuth token and throttling handled for you.

Change the tenant, client_id and client_secret to the correct strings.

$loginURI = "https://login.microsoftonline.com"   # the documented Azure AD (v1.0) token endpoint host
$tenant = 'baswijdenesoutlook.onmicrosoft.com'
$resource = 'https://management.azure.com'         # the audience: Azure Resource Manager
$Body = @{
    grant_type    = 'client_credentials'            # no user involved: the app authenticates as itself
    client_id     = 'XXXXXX-4742-9090-815ccfc4252d'
    client_secret = 'w8sbe2c5~XXXXXXXXXXXXXXXXXX'
    resource      = $resource
}
$Token = Invoke-RestMethod -Method Post -Uri "$loginURI/$tenant/oauth2/token" -Body $Body -UseBasicParsing

You can now build the Authorization header from the response:

$global:Access = @{
    Authorization = "$($token.token_type) $($token.access_token)"
}

And as a last example, when you run the script below, $Request.properties contains the runbook's properties returned by the API.

# Reader on the subscription (or on the resource group RG-2019) is enough for this GET;
# a 403 here means the role assignment is missing, at the wrong scope, or not propagated yet.
$Request = Invoke-RestMethod -Method Get `
-UseBasicParsing `
-Uri 'https://management.azure.com/subscriptions/81bdb7e0-2010-4c36-ba35-71c560e3b317/resourceGroups/RG-2019/providers/Microsoft.Automation/automationAccounts/AA-2019-01/runbooks/POST-DC-2019-01?api-version=2015-10-31' `
-Headers $global:Access

$Request.properties
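The token and request flow above, as an added example that is not part of the original post, taken a step further the way I would want it in a production runbook: the secret comes from the environment instead of the script, the newer v2.0 endpoint is used with a /.default scope, the token's claims are decoded and checked before it is used, ARM throttling (429) is retried with backoff, and the first call asks ARM which role assignments this principal actually ended up with. The environment variable name, the tenant, the client ID and the subscription ID are placeholders; the endpoints, the claim names and the roleAssignments resource are the real ones.

```powershell
# Added example, not from the original post. Assumes the client secret is in the environment
# variable AZ_CLIENT_SECRET (placeholder name) and that $tenant, $clientId and $subscriptionId
# are replaced with your own values.
$tenant         = 'contoso.onmicrosoft.com'
$clientId       = '00000000-0000-0000-0000-000000000000'   # AppID of the app registration
$subscriptionId = '11111111-1111-1111-1111-111111111111'
$clientSecret   = $env:AZ_CLIENT_SECRET
if (-not $clientSecret) { throw 'Set AZ_CLIENT_SECRET first; never paste the secret into the script.' }

function Get-ArmAccessToken {
    param([string]$Tenant, [string]$ClientId, [string]$ClientSecret)
    # v2.0 endpoint: the target API is named by a scope ending in /.default, which asks for
    # whatever the app already holds for that API (for ARM that is nothing; RBAC does the rest).
    $uri  = "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token"
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://management.azure.com/.default'
    }
    Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/x-www-form-urlencoded'
}

function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    # Decodes (does not verify) the payload so the claims can be inspected.
    # Base64url -> Base64: swap the alphabet and restore the padding.
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

function Invoke-ArmGet {
    param([string]$Uri, [string]$AccessToken, [int]$MaxRetries = 5)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    for ($attempt = 0; $attempt -le $MaxRetries; $attempt++) {
        try {
            return Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        } catch {
            $status = [int]$_.Exception.Response.StatusCode
            # 429 = ARM throttling: back off and retry. Anything else (401, 403, 404 ...) is surfaced.
            if ($status -ne 429 -or $attempt -eq $MaxRetries) { throw }
            Start-Sleep -Seconds ([math]::Pow(2, $attempt))
        }
    }
}

$token  = Get-ArmAccessToken -Tenant $tenant -ClientId $clientId -ClientSecret $clientSecret
$claims = ConvertFrom-JwtPayload -Jwt $token.access_token

# Sanity checks before the token is used anywhere: it was issued to our app
# (v1-format tokens carry appid, v2-format tokens azp) and it has not expired.
$callerAppId = if ($claims.appid) { $claims.appid } else { $claims.azp }
if ($callerAppId -ne $clientId) { throw "Token was issued to $callerAppId, not $clientId" }
$expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
if ($expires -lt (Get-Date).ToUniversalTime()) { throw 'Token already expired' }
"Audience: $($claims.aud)  Object ID: $($claims.oid)  Expires (UTC): $expires"

# What did the portal step actually grant? Ask ARM for every role assignment whose
# principalId is this service principal's object ID (the oid claim in the token).
$filter = [uri]::EscapeDataString("principalId eq '$($claims.oid)'")
$uri = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&`$filter=$filter"
$assignments = Invoke-ArmGet -Uri $uri -AccessToken $token.access_token
$assignments.value | ForEach-Object {
    [pscustomobject]@{
        Scope          = $_.properties.scope
        RoleDefinition = $_.properties.roleDefinitionId.Split('/')[-1]   # role definition GUID
    }
}
```

The role comes back as a definition GUID rather than a name; resolve it with Get-AzRoleDefinition -Id, or by reading the roleDefinitions resource under the same provider. If the list is empty while the portal shows the assignment, the filter is on the service principal's object ID, not the AppID, so check that the oid in the token is the object you assigned the role to.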

Published by

Bas Wijdenes

My name is Bas Wijdenes and I work as a PowerShell DevOps Engineer. In my spare time I write about interesting stuff that I encounter during my work.
