Give service principal permission to create other service principals, etc.

AFadli 0 Reputation points
2024-01-23T17:07:25.7366667+00:00

I have this service principal and wanted to do a couple of things:

  1. create other service principals
  2. create app registration
  3. assign created sp to vaults as secret readers.

I created the following custom RBAC role and, at least, it creates new SPs. However, I need to tighten down the permissions as I don't want the SP to have loose permissions.

The following are the permissions the role has:

| Permission | Privileged | Description |
| -------- | -------- | -------- |
| microsoft.directory/applications/allProperties/read | | Read all properties (including privileged properties) on all types of applications |
| microsoft.directory/applications/allProperties/update | PRIVILEGED | Update all properties (including privileged properties) on all types of applications |
| microsoft.directory/applications/create | | Create all types of applications |
| microsoft.directory/applications/createAsOwner | | Create all types of applications, and creator is added as the first owner |
| microsoft.directory/servicePrincipals/allProperties/update | PRIVILEGED | Update all properties (including privileged properties) on servicePrincipals |
| microsoft.directory/servicePrincipals/appRoleAssignedTo/read | | Read service principal role assignments |
| microsoft.directory/servicePrincipals/appRoleAssignments/read | | Read role assignments assigned to service principals |
| microsoft.directory/servicePrincipals/create | | Create service principals |
| microsoft.directory/servicePrincipals/createAsOwner | | |


1 answer

  1. Dillon Silzer 57,686 Reputation points
    2024-01-24T00:46:29.96+00:00

    Hello,

    A very similar question was asked here:

    Can a service principal create other service principals in Azure? (answer by scottwtang)

    https://stackoverflow.com/questions/73215643/can-a-service-principal-create-other-service-principals-in-azure#:~:text=There%20is%20no%20way%20to,your%20home%20directory%20or%20tenant.

    A service principal can create another service principal after being assigned either the corresponding MS Graph permission or Azure AD role.

    MS Graph Permissions

    Either of the permissions:

    Application.ReadWrite.All

    Application.ReadWrite.OwnedBy

    Azure AD Role

    Any role with one of these permissions:

    microsoft.directory/applications/create

    microsoft.directory/applications/createAsOwner

    microsoft.directory/applications/allProperties/allTasks

    Built-in roles

    • Application Administrator
    • Application Developer
    • Cloud Application Administrator
    • Global Administrator
    • Hybrid Identity Administrator

    If this is helpful please accept answer.

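One way to express the tighter role the question is after, as an added example that is not code from the thread or from Microsoft: a custom Entra ID directory role built from the createAsOwner actions listed in the question instead of the allProperties/update ones, with a guard that rejects over-broad actions before the role is created. It assumes Azure CLI is logged in as an identity allowed to create directory roles, that the standard/read actions are the narrower replacement for allProperties/read, and that the role name and the object id passed with --apply are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not code from the thread: a narrower custom Entra ID directory
# role for the "SP factory" in the question, built on the createAsOwner actions
# instead of allProperties/update, plus a guard that rejects over-broad actions.
# Applying it assumes Azure CLI is logged in as an identity allowed to create
# directory roles; the object id passed with --apply is the factory SP's.
set -eu
ROLE_NAME="${ROLE_NAME:-SP Factory (createAsOwner only)}"

# Body for POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions.
# createAsOwner covers steps 1-2 of the question and makes the factory SP owner of
# what it creates, so it can manage those objects without tenant-wide update rights.
# The standard/read actions are assumed as the narrower replacement for allProperties/read.
role_definition_json() {
  cat <<EOF
{
  "displayName": "$ROLE_NAME",
  "description": "Create app registrations and service principals as owner",
  "isEnabled": true,
  "rolePermissions": [{ "allowedResourceActions": [
    "microsoft.directory/applications/createAsOwner",
    "microsoft.directory/servicePrincipals/createAsOwner",
    "microsoft.directory/applications/standard/read",
    "microsoft.directory/servicePrincipals/standard/read"
  ] }]
}
EOF
}
# Guard: succeed only if the definition file grants no tenant-wide write over all
# applications or service principals (the actions the question's role carries today).
check_no_broad_actions() {
  ! grep -Eq 'allProperties/(update|allTasks)' "$1"
}
# Create the role and assign it tenant-wide to the factory SP (object id in $1).
# Step 3 of the question is Azure RBAC, not a directory role: the factory SP also
# needs Microsoft.Authorization/roleAssignments/write scoped to the vault, and the
# vault must use the RBAC permission model for "Key Vault Secrets User" to apply.
apply_role() {
  tmp=$(mktemp); role_definition_json > "$tmp"; check_no_broad_actions "$tmp"
  role_id=$(az rest --method POST --headers Content-Type=application/json \
    --url https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions \
    --body @"$tmp" --query id -o tsv)
  az rest --method POST --headers Content-Type=application/json \
    --url https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments \
    --body "{\"principalId\":\"$1\",\"roleDefinitionId\":\"$role_id\",\"directoryScopeId\":\"/\"}"
  rm -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then apply_role "$2"; fi
```

Run it without arguments to only generate and check the definition; the Graph calls happen only with `--apply <factory-sp-object-id>`.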
