Roles and Permission required to monitor IoT Central messages

Arty29
2020-11-18T15:23:01.807+00:00

Hello,

I am trying to use Azure CLI to monitor messages from the devices registered in an IoT Central application. I have been able to do this if I log in to Azure CLI using my credentials but I would like to log in to Azure CLI using a service principal and when I do this I do not have the correct permissions.

In Active Directory I registered an app and created a client secret for it. I then used the Access Control (IAM) for the Azure subscription to assign the app to the built-in ‘Reader’ role.

I can then log in to Azure CLI using this service principal.

az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>

However, when I try to monitor IoT Central messages I receive the following error:

The user does not have permission to perform the requested actions: /operating/devices/read Please ensure that the user is logged through the az login command, has the correct tenant set (the users home tenant) and has access to the application through http://apps.azureiotcentral.com

I am not sure where to go from here. I was wondering if perhaps I needed to assign a different role to the service principal but I don’t know what permissions are required to be able to monitor IoT Central device messages.

I would appreciate it if someone could point me in the right direction.

Thank you.


2 answers
  1. LuisM (Microsoft Employee)
    2020-11-18T21:18:35.397+00:00

    Hi @Arty29 - before you can use the SPN with IoT Central you must assign the SPN a role within IoT Central (the Azure Roles do not apply to IoT Central since it's a SaaS product with different capabilities).

    Today the only way to add an SPN as a 'user' in IoT Central is through the API surface (we plan to add it to the UI in the future). You can see documentation here with examples on how to add the SPN to your app: https://learn.microsoft.com/en-us/rest/api/iotcentral/users/set#add-or-update-a-service-principal-user.

    You can learn about IoT Central roles here: https://learn.microsoft.com/en-us/azure/iot-central/core/howto-manage-users-roles#manage-roles. The role ID you'll need to input as part of the API GET call can be found in the address bar when you navigate inside the Role details.

    Hope that helps! Let us know if that worked for you.

    -Luis

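The procedure the answer above describes (add the service principal as an IoT Central user through the Users - Set API, attaching an IoT Central role ID) looks like this in practice. This is an added example, not code from the thread or from Microsoft; the API version string, the `"type"` value, the request layout and every GUID in it are assumptions taken from the current Users - Set reference and from constructed sample data, so check them against the linked documentation before use. The bearer token is assumed to come from `az account get-access-token --resource https://apps.azureiotcentral.com` run by an account that is already an Administrator of the app.

```python
"""Register a service principal as an IoT Central user with a given role.

Added example, not from the original thread. Labelled assumptions:
  * API_VERSION and the "type" value follow the current Users - Set schema.
  * A bearer token for https://apps.azureiotcentral.com is obtained out of band.
  * All GUIDs used at the bottom are constructed sample values.
"""
import json
import urllib.request
import uuid
from typing import Dict, Tuple, Any

API_VERSION = "2022-07-31"  # assumption: current data-plane API version


def _require_guid(value: str, name: str) -> str:
    """Fail early on a malformed id; mixing up app id / object id is a common slip."""
    try:
        uuid.UUID(value)
    except (ValueError, TypeError):
        raise ValueError(f"{name} must be a GUID, got {value!r}")
    return value


def build_set_user_request(app_subdomain: str, user_id: str, tenant_id: str,
                           object_id: str, role_id: str,
                           base_domain: str = "azureiotcentral.com") -> Tuple[str, Dict[str, Any]]:
    """Return (url, body) for PUT /api/users/{userId}.

    user_id   - identifier you choose for this user record (not the AAD object id)
    tenant_id - AAD tenant that owns the service principal
    object_id - object id of the *service principal* (az ad sp show --id <app-id>),
                not the object id of the app registration
    role_id   - IoT Central role GUID, visible in the address bar of the role details page
    """
    url = f"https://{app_subdomain}.{base_domain}/api/users/{user_id}?api-version={API_VERSION}"
    body = {
        "type": "servicePrincipal",  # assumption: type value per the 2022-07-31 schema
        "tenantId": _require_guid(tenant_id, "tenant_id"),
        "objectId": _require_guid(object_id, "object_id"),
        "roles": [{"role": _require_guid(role_id, "role_id")}],
    }
    return url, body


def set_user(url: str, body: Dict[str, Any], bearer_token: str,
             opener=urllib.request.urlopen) -> Tuple[int, Dict[str, Any]]:
    """Send the PUT. `opener` is injectable so the call can be exercised offline."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def has_role(user_record: Dict[str, Any], role_id: str) -> bool:
    """Post-check: confirm the returned user record actually carries the role."""
    return any(r.get("role") == role_id for r in user_record.get("roles", []))


if __name__ == "__main__":
    # Constructed sample values; replace with your own tenant / SPN object id / role id.
    url, body = build_set_user_request(
        app_subdomain="my-iotc-app",
        user_id="monitor-spn",
        tenant_id="11111111-2222-3333-4444-555555555555",
        object_id="66666666-7777-8888-9999-aaaaaaaaaaaa",
        role_id="bbbbbbbb-cccc-dddd-eeee-ffffffffffff",
    )
    print(url)
    print(json.dumps(body, indent=2))
    # To apply for real:  set_user(url, body, token)  with token from
    #   az account get-access-token --resource https://apps.azureiotcentral.com --query accessToken -o tsv
```

Two things to check before running it for real: the `objectId` must be the service principal's object ID from `az ad sp show --id <app-id>` (the app registration's own object ID is a different GUID and will be rejected or silently map to nothing), and the role you attach must include the device read permission the error message names. After the PUT succeeds, log in again with `az login --service-principal` and retry the monitor command.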

  2. LuisM (Microsoft Employee)
    2020-11-25T14:40:49.327+00:00

    IoT Central V2 apps are being deprecated in 2021. The good news is that we're working on tooling that will be released in early 2021 to help you move your app from V2 to V3. Stay tuned for that. However, if this is a test app or if you don't want to wait, you can go ahead and create a new IoT Central app instance today (it'll be V3) and then use all of the new IoT Central features like API, SPNs, Custom User Roles, Continuous Data Export V2, etc.