How to create a service account (service principal) with the following policy

PRAKASHK-0541 0 Reputation points
2023-11-24T03:59:46.8333333+00:00

Hi, I have to create a service account (service principal) to allow a third-party application access, with the policy below that they have requested.

As far as I know, I can provide access at a specific resource level or at the resource group level. For example, for a storage account I go to the storage account directly and give Contributor access. But the permissions below need to be common, covering multiple permissions across multiple resource types.

So is there a command line way I can achieve this?

The service account used to scan Azure images must have at least the following policy:

Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read
Microsoft.Compute/images/read
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Resources/subscriptions/resourceGroups/delete
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/delete
Microsoft.Compute/disks/write
Microsoft.Compute/disks/delete
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/delete
Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/keys/wrap/action
Microsoft.KeyVault/vaults/keys/unwrap/action


1 answer

  1. Carlos Solís Salazar 17,786 Reputation points MVP
    2023-11-27T17:38:12.2766667+00:00

    Here are the high-level steps:

    1. Create a Custom Role: Define a custom role in Azure that includes all the specified permissions. You can do this by creating a JSON file with the definition of the role, including all the required actions.
    2. Assign the Custom Role to the Service Principal: Assign the newly created custom role to your service principal for the appropriate scope (like a subscription or resource group).

    Here's an example of how you could do this using Azure CLI:

    1. Create a JSON file for the custom role definition with all the specified permissions.
    2. Create the custom role:

        az role definition create --role-definition /path/to/your/custom-role.json

    3. Create a service principal:

        az ad sp create-for-rbac --name "<your-service-principal-name>"

    4. Assign the custom role to the service principal:

        az role assignment create --assignee "<service-principal-app-id>" --role "<custom-role-name>" --scope "<scope>"


    Replace <your-service-principal-name>, <service-principal-app-id>, <custom-role-name>, and <scope> with your actual values. The scope could be a subscription, a resource group, or a specific resource, depending on your requirements.

    Hope this helps!

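The steps in the answer above, carried through end to end as an added example (this is not the answerer's code and not Microsoft's). The script builds the custom role JSON from the exact action list in the question, checks that every requested action is present and that no wildcard crept in, and only then runs the three `az` commands from the answer. The subscription id, the role name `ImageScannerCustomRole` and the service principal name are placeholders you must replace. The role's `AssignableScopes` is pinned to one subscription on purpose: several of the requested actions (resource group, NSG and VM delete, Key Vault unwrap) are destructive or sensitive, so the role should be assignable, and assigned, only where the scanner actually works, and the scanner's service principal gets this role and nothing else.

```shell
#!/bin/sh
# Added example, not from the original answer. Placeholders: subscription id,
# role name (ImageScannerCustomRole) and service principal name.
set -eu

# The permissions the third party asked for, copied verbatim from the question.
REQUIRED_ACTIONS='Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read
Microsoft.Compute/images/read
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Resources/subscriptions/resourceGroups/delete
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/delete
Microsoft.Compute/disks/write
Microsoft.Compute/disks/delete
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/delete
Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/keys/wrap/action
Microsoft.KeyVault/vaults/keys/unwrap/action'

# Write the role definition JSON (the format "az role definition create" reads)
# to $2, with AssignableScopes limited to subscription $1 and the role named $3.
build_role_definition() {
  subscription_id="$1"; outfile="$2"; role_name="${3:-ImageScannerCustomRole}"
  {
    printf '{\n  "Name": "%s",\n  "IsCustom": true,\n' "$role_name"
    printf '  "Description": "Least-privilege role for the third-party image scanner",\n'
    printf '  "Actions": [\n'
    # Quote each action; sed appends a comma to every line except the last.
    printf '%s\n' "$REQUIRED_ACTIONS" | sed -e 's/.*/    "&"/' -e '$!s/$/,/'
    printf '  ],\n  "NotActions": [],\n'
    printf '  "AssignableScopes": ["/subscriptions/%s"]\n}\n' "$subscription_id"
  } > "$outfile"
}

# Pre-flight checks: every requested action is present, and the file grants
# no wildcard action (a "*" would silently widen the role far beyond the list).
verify_role_definition() {
  file="$1"
  printf '%s\n' "$REQUIRED_ACTIONS" | while IFS= read -r action; do
    grep -qF "\"$action\"" "$file" || { echo "missing action: $action" >&2; exit 1; }
  done || return 1
  if grep -q '\*' "$file"; then echo "wildcard action found in $file" >&2; return 1; fi
  return 0
}

# Number of Microsoft.* actions in the file (27 for the list above).
count_actions() { grep -c '"Microsoft\.' "$1"; }

# The answer's three az steps, wired together. The app id is captured from the
# service principal creation so the assignment targets exactly that principal.
create_role_and_assign() {
  file="$1"; sp_name="$2"; subscription_id="$3"; role_name="$4"
  az role definition create --role-definition "$file"
  app_id=$(az ad sp create-for-rbac --name "$sp_name" --query appId -o tsv)
  az role assignment create --assignee "$app_id" --role "$role_name" \
    --scope "/subscriptions/$subscription_id"
  # Confirm the principal ended up with only the custom role.
  az role assignment list --assignee "$app_id" -o table
}

# Usage: sh scanner-role.sh <subscription-id> <sp-name> [--apply]
# Without --apply the script only writes and validates scanner-role.json.
if [ "$#" -ge 2 ]; then
  build_role_definition "$1" scanner-role.json ImageScannerCustomRole
  verify_role_definition scanner-role.json
  echo "scanner-role.json: $(count_actions scanner-role.json) actions"
  [ "${3:-}" = "--apply" ] && create_role_and_assign scanner-role.json "$2" "$1" ImageScannerCustomRole
fi
```

Run it once without `--apply` and review `scanner-role.json` before creating anything; the `az role assignment list` call at the end is the check that the principal holds the custom role and has not also picked up a broader built-in role.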