1

I am trying to provision a user in Azure Active Directory using Terraform's AzureAD provider. At the top of the azuread_user documentation, it states:

NOTE: If you're authenticating using a Service Principal then it must have permissions to Directory.ReadWrite.All within the Windows Azure Active Directory API.

I have created the Azure Active Directory User using the az command line:

az ad sp create-for-rbac --role="Owner" --scopes=$SubscriptionUrl --name $PrincipalName

However, this doesn't have Directory.ReadWrite.All permissions, as that would be a fairly insane security risk.

How can I add the Directory.* permissions to the Service Principal using the az command line (by preference) or even the Azure PowerShell cmdlets? I would even be willing to craft a WebRequest if that would help me solve the problem!

Richard Slater
  • 11,747
  • 7
  • 43
  • 82

1 Answer

2

What you need here are the az ad app permission commands.

Here is a complete example (assuming PowerShell):

$apiId = "00000002-0000-0000-c000-000000000000"            # Windows Azure Active Directory (Azure AD Graph) API
$apiPermissionsId = "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175" # Directory.ReadWrite.All
# Owner at subscription scope is broader than directory provisioning needs: the directory
# permission is granted below, so the RBAC role can stay as narrow as the other resources require.
$spn = az ad sp create-for-rbac --role="Owner" --name blah | ConvertFrom-Json
# "Role" requests the application permission, which is what a service principal using its own
# credentials (as Terraform does) receives in its token; "Scope" would request the delegated
# variant, which only applies when a signed-in user is present.
az ad app permission add --id $spn.appId --api $apiId --api-permissions ("{0}=Role" -f $apiPermissionsId)
# grant records consent for delegated scopes; admin-consent is the step that activates the
# application permission tenant-wide.
az ad app permission grant --id $spn.appId --api $apiId
az ad app permission admin-consent --id $spn.appId

For reference, Microsoft has a list of the GUIDs used for various applications.

On some occasions I have been unable to find documentation for the magic GUIDs required for a particular app/permission, in which case I would resort to adding them through the portal manually (Azure Active Directory ➔ App Registrations ➔ Required Permissions) and then reading the JSON manifest back to reveal the required GUIDs which can then be plugged into automation.

Richard Slater
  • 11,747
  • 7
  • 43
  • 82