
Further to: API Permission Issue while Azure App Registration

and Why is "Application permissions" disabled in Azure AD's "Request API permissions"?

I cannot activate the Application Permissions button in the API permissions when I am trying to register an application in Active Directory. I have created the roles (several times) and ensured all of the properties are correct as described in both posts and in https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-registration - including that the role is set for application. I am using the default directory of my Azure account. I am the only member in my directory and am a member of global administrators.

Is there something else I am missing?

My end goal is simply to use the .Net SDK to manage the firewall on an application service using a client secret that can be distributed with an application.

[screenshot of the API permissions blade with the Application permissions option greyed out]

Here is the manifest:

[screenshot of the app registration manifest]

statler
  • This is a cloud provider 101 thing so many people need to do, but it's not obvious how to do it. A huge 0/10 for the UX team at azure. – A.com Aug 03 '21 at 01:42

2 Answers

Okay, so you want an app registration to manage an App Service through Azure Resource Management API as itself with client credentials flow? In that case you don't need to assign any application permissions to your app. You need to create the app, and then go to e.g. the App Service resource's Access Control (IAM) tab, and add the needed role to your app there.

The reason that the app permissions tab there is grey is because the Azure Service Management app registration (which you can't edit) does not define any app permissions. When you define an app permission in the manifest, that becomes a permission that other applications could use to call your API, not Azure Resource Management API.

juunas
  • No, I am not managing an app service. I need this app registration to have API permissions for the Azure Service Management APIs. This said, you made me wonder if it just isn't possible to get this permission level, and I came across the following which suggests not. https://stackoverflow.com/questions/26003820/azure-service-management-api-authentication-using-azure-active-directory-oauth - so not an answer, but defs an upvote :) – statler Jun 15 '21 at 10:16
  • That's a really old answer that is for the old API. Back then you had to create a certificate that would then get subscription admin rights, there were no other choices. Now in the ARM model you can assign roles to apps at subscription/resource group/resource level so they get just the access they need. – juunas Jun 15 '21 at 10:22
  • On re-reading your answer, I am marking it as the solution because it is pretty much bang on - just with a SQL server. It is a pity the documentation for the SDK is so damned poor. – statler Jun 15 '21 at 10:24
  • In my case, as described by @juunas, I needed to go to the SQL server and provide a role assignment between the application name and the security role. All the other guff referred to in the referenced posts is irrelevant. This is annoying because I have done something similar literally hundreds of times, but did not understand the relationship between a service principal and a registered application. Turns out they are essentially the same thing in a single tenant application. – statler Jun 15 '21 at 10:26

Is there something else I am missing?

The reason Application Permissions is greyed out for you is because Azure Service Management API only allows Delegated Permissions, i.e. this API will always be executed in the context of the signed-in user. In other words, a user (even if it is a Service Principal) must always be present when executing this API.

You mentioned that you wanted to execute Service Management API using a client secret. For that there are two things you would need to do:

  1. As mentioned by @juunas, you will need to assign your application (which is a Service Principal) a proper Azure RBAC role on an Azure Subscription. Please see this link for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview.

  2. You will need to acquire a token for this Service Principal using the client id and client secret. You can use ClientSecretCredential for that purpose.

Gaurav Mantri
  • Thanks Gaurav - as per my comments, I did come to that conclusion just before :) I also figured it out from juunas' answer. Thank you for your answer, it is correct just not first. Have an upvote. – statler Jun 15 '21 at 10:28