Add PIM role assignment with PowerShell - Access issue


I want to create an Azure DevOps pipeline that creates role assignments to Groups, Resources and AD.

In the script that is executed by the pipeline I try to run the following command:

Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'AzureResources' -ResourceId "$resourceID" -RoleDefinitionId "$roleId" -SubjectId "$userId" -AssignmentState "$AssignmentType" -Schedule $schedule -Reason "Test PIM Automation"

All the properties are correct but I still get the following error.

##[error]Error occurred while executing OpenAzureADMSPrivilegedRoleAssignmentRequest 
Code: UnauthorizedAccessException
Message: Attempted to perform an unauthorized operation.
InnerError:
  RequestId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX
  DateTimeStamp: Tue, 12 Mar 2024 07:42:00 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed

The service connection that the pipeline uses has the Owner role in the subscription where the resource exists.

I want to execute this also for ProviderId = 'aadGroups'. Please tell me what kind of access I should have.

Update (4/4/2024):

The AzureADPreview module does not support execution in Azure DevOps pipelines. If I have any update in this, I will also update it here.

Answer by Bright Ran-MSFT:

If your user account has the Owner role in an Azure subscription:

  • When you manually create a service principal in an AAD (Microsoft Entra ID), the service principal would not inherit the full permissions from your account. On some resources within the subscription, it might just have the Contributor role.

  • When you create an ARM service connection (Azure Resource Manager service connection) with the 'automatic' option, it will automatically create a service principal for your user account. This service principal would just have the Contributor role on most resources by default, and also might not have access on some resources (such as Azure Key Vault) by default.

Only the Owner role has the permissions to do role assignment. So, you need to check and ensure the service principal has the Owner role within the subscription.

Similarly, if you want to use the service principal to do role assignment on AAD (Microsoft Entra ID) level, it needs the Privileged Role Administrator or Global Administrator role in the AAD.


EDIT:

Assigning AAD level roles is not available when using the ARM service connection, since its scope is only on Subscription or Management Group rather than AAD.

In the pipeline, you need to use the 'az login' command to log in to AAD with the service principal.

az login --service-principal -t {tenant} -u {username} -p {password}

EDIT_2:

To connect to Azure AD with a service principal in PowerShell, you can reference "Using a Service Principal to connect to a directory in PowerShell".

To assign AAD roles to groups in PowerShell, you can reference "Assign Microsoft Entra roles to groups".
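As an added pre-flight check for the pipeline (example code, not from the question or the answer above): it verifies that the service principal holds the roles the answer names, subscription Owner and a Privileged Role Administrator or Global Administrator directory role, before any Open-AzureADMSPrivilegedRoleAssignmentRequest call is attempted, so that a Forbidden response is explained up front. It assumes Connect-AzAccount and Connect-AzureAD have already run as the service principal, and that $spObjectId and $subscriptionId are supplied as pipeline variables (both names are assumptions).

```powershell
# Added example: check the pipeline service principal's roles before requesting a PIM assignment.
# Assumptions (not from the page): the Az and AzureADPreview modules are installed and already
# connected as the service principal; $spObjectId and $subscriptionId come from the pipeline.
param(
    [Parameter(Mandatory)] [string] $spObjectId,     # object id (not app id) of the service principal
    [Parameter(Mandatory)] [string] $subscriptionId
)

$scope = "/subscriptions/$subscriptionId"

# Subscription level: the answer states role assignment needs Owner. Get-AzRoleAssignment
# returns assignments at the scope plus those inherited from management groups.
$subRoles = Get-AzRoleAssignment -ObjectId $spObjectId -Scope $scope |
    Select-Object -ExpandProperty RoleDefinitionName -Unique
$hasOwner = $subRoles -contains 'Owner'

# Directory level: Privileged Role Administrator or Global Administrator.
# Get-AzureADDirectoryRole lists only roles that have been activated in the tenant.
$requiredDirRoles = @('Privileged Role Administrator', 'Global Administrator')
$dirRoles = foreach ($role in Get-AzureADDirectoryRole) {
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -contains $spObjectId) { $role.DisplayName }
}
$hasDirRole = [bool]($dirRoles | Where-Object { $requiredDirRoles -contains $_ })

Write-Host "Subscription roles on ${scope}: $($subRoles -join ', ')"
Write-Host "Directory roles: $($dirRoles -join ', ')"

# Surface the missing role as a pipeline error instead of letting the PIM request fail with 403.
if (-not $hasOwner) {
    Write-Host "##vso[task.logissue type=error]Service principal lacks Owner on $scope; 'AzureResources' PIM requests will be Forbidden."
}
if (-not $hasDirRole) {
    Write-Host "##vso[task.logissue type=error]Service principal lacks Privileged Role Administrator / Global Administrator; 'aadGroups' PIM requests will be Forbidden."
}
if (-not ($hasOwner -and $hasDirRole)) { exit 1 }
```

Run it as a separate PowerShell task before the task that issues the PIM request; the non-zero exit stops the pipeline with the missing role named in the log.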