How to add Azure AD App as contributor to a subscription using Azure API/SDK?

Nivethitha Dhamodhara Kannan 10 Reputation points Microsoft Employee
2023-08-14T15:23:10.5633333+00:00
There is a management api to add role assignments to the subscription, but it's not allowing the Azure AD APP to be added as contributor to the sub, as it says the principal type "App" is not supported.

https://management.azure.com/subscriptions/b9bcd91a-e2be-484a-ae19-39183528792a/providers/Microsoft.Authorization/roleAssignments/b24988ac-6180-42a0-ab88-20f7382dd24c?api-version=2022-04-01

b24988ac-6180-42a0-ab88-20f7382dd24c - is the contributor role.

Payload:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/b9bcd91a-e2be-484a-ae19-39183528792a/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "83c3f106-c212-409c-8275-3c399158786c",
    "principalType": "ServicePrincipal"
  }
}

Azure Role-based access control

An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

2 answers

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator
    2023-09-12T20:41:05.1066667+00:00

    Hello @Nivethitha Dhamodhara Kannan, the PrincipalTypeNotSupported error encountered during the creation of a role assignment is caused by passing the Azure AD app registration (or just "application") object id as the principal id. Pass the Azure AD service principal object id instead to fix it. For more information about both models and how they relate, take a look at Application and service principal objects in Azure Active Directory.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.


  2. Sedat SALMAN 14,285 Reputation points MVP Volunteer Moderator
    2023-08-14T20:22:23.24+00:00

    This is the step-by-step approach to add an Azure AD App as a contributor to a subscription:

    1. First, find your Azure AD App's Service Principal ID.

    2. Use the Service Principal ID for the principalId field, and set principalType as "ServicePrincipal".

    {
      "properties": {
        "roleDefinitionId": "/subscriptions/YOUR_SUBSCRIPTION_ID/providers/Microsoft.Authorization/roleDefinitions/CONTRIBUTOR_ROLE_ID",
        "principalId": "YOUR_SERVICE_PRINCIPAL_ID",
        "principalType": "ServicePrincipal"
      }
    }

    3. Use the Azure REST API endpoint you have (or Azure SDK) to assign the role.
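An added example that is not code from either answer, putting the two answers together in Python: it resolves the app registration's application (client) id to the object id of its service principal through Microsoft Graph, then builds the ARM PUT for a Contributor role assignment at subscription scope with a fresh GUID as the assignment name. The HTTP calls are injected as callables so the logic runs offline against a constructed Graph response; the ids in the demo and the two Bearer-token wrappers are assumptions.

```python
import uuid
from typing import Any, Callable, Dict, Tuple
from urllib.parse import quote, urlencode

ARM = "https://management.azure.com"
GRAPH = "https://graph.microsoft.com/v1.0"
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"  # built-in Contributor role definition
API_VERSION = "2022-04-01"

# HTTP calls are injected so the logic can run offline. In production, pass thin wrappers
# around requests.get / requests.put that attach a Bearer token for the right audience:
# https://graph.microsoft.com for the lookup, https://management.azure.com for the assignment.
HttpGet = Callable[[str], Dict[str, Any]]
HttpPut = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def resolve_service_principal_id(http_get: HttpGet, app_id: str) -> str:
    """Map an app registration's application (client) id to the object id of the service
    principal representing it in this tenant. roleAssignments wants that service principal
    object id; the app registration's own object id yields PrincipalTypeNotSupported."""
    query = urlencode({"$filter": f"appId eq '{app_id}'", "$select": "id"}, quote_via=quote)
    matches = http_get(f"{GRAPH}/servicePrincipals?{query}").get("value", [])
    if len(matches) != 1:
        raise LookupError(f"expected one service principal for appId {app_id}, found {len(matches)}")
    return matches[0]["id"]


def build_role_assignment(subscription_id: str, principal_id: str,
                          role_definition_id: str = CONTRIBUTOR_ROLE_ID) -> Tuple[str, Dict[str, Any]]:
    """Build the PUT URL and body for a subscription-scoped role assignment.
    The assignment name in the URL is a new GUID per assignment, not the role definition id."""
    scope = f"/subscriptions/{subscription_id}"
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{uuid.uuid4()}?api-version={API_VERSION}")
    body = {"properties": {
        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
        "principalId": principal_id,
        "principalType": "ServicePrincipal",
    }}
    return url, body


def assign_contributor(http_get: HttpGet, http_put: HttpPut, subscription_id: str, app_id: str) -> Dict[str, Any]:
    sp_id = resolve_service_principal_id(http_get, app_id)
    url, body = build_role_assignment(subscription_id, sp_id)
    return http_put(url, body)


if __name__ == "__main__":
    # Constructed stand-ins for Graph and ARM; the ids are hypothetical, not real objects.
    APP_ID, SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
    fake_get = lambda url: {"value": [{"id": SP_OBJECT_ID}]} if APP_ID in url else {"value": []}
    fake_put = lambda url, body: {"id": url.split("?")[0].replace(ARM, ""), "properties": body["properties"]}
    print(assign_contributor(fake_get, fake_put, "33333333-3333-3333-3333-333333333333", APP_ID))
```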

