How to create a managed identity for an application that has global reader permissions to all Azure subscriptions?

Mor Paz 0 Reputation points
2024-03-31T14:26:44.95+00:00

Hi,

We have customers that we want to deploy our application in their Azure accounts.

We need to be able to access multiple Azure subscriptions using a single identity, in order to create a simple installation experience.

Our application will need access to those subscriptions to read resources and get information about Azure objects (Azure resource groups, AKS, VMs, container apps, etc.)

How can we achieve this? We were looking for a way to create a single app registration in Microsoft Entra ID that has permissions to all subscriptions within the Azure account, but have not been able to find a solution.

1 answer

  1. Babafemi Bulugbe 3,375 Reputation points MVP
    2024-03-31T14:52:07.83+00:00

    Hello Mor Paz,

    Thank you for posting on the Microsoft Q&A Community.

    From your explanation, I understand that you want to create a service principal (an application registration) and assign reader permission to the application on all the subscriptions within your organization.

    There are different ways to achieve this:

    The first way is to create a management group in the portal and add all the subscriptions to this management group. Follow the link below to create a management group.

    https://learn.microsoft.com/en-us/azure/governance/management-groups/create-management-group-portal

    Once that is done, you can add the subscriptions to the management group and then assign the Reader role to the application on the management group. This will give the service principal read permission on all the subscriptions and the resources within them. Kindly follow this link to see the steps to achieve that:

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/management-groups-roles

    Alternatively, you can assign permission on the root management group if you do not want to create a new management group.


    Secondly, you can add the service principal permission to the subscriptions one after the other.

    NB: I have assumed that you have created your application registration. Use the application ID or the application name to search for the application while trying to assign a role.

    Also, please note that a service principal is different from a managed identity. Get more information by following the link https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/

    Let me know if further assistance is needed.

    Babafemi

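The first approach in the answer above (management group, subscriptions moved under it, one Reader assignment on the group) scripted with the Azure CLI. This is an added example, not code from the original question or answer. It assumes the Azure CLI is installed and logged in as a user who can create management groups and assign roles at that scope, and that the app registration already exists in the tenant; the management group name `app-readers` and the application ID are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the Q&A answer. Grants an existing app registration's
# service principal the built-in Reader role once, at management-group scope,
# so that every subscription placed under the group inherits it.
# Assumptions (placeholders, not from the page): Azure CLI installed and logged
# in as a user allowed to create management groups and assign roles there; the
# app registration already exists; MG_NAME and APP_ID are hypothetical values.
set -eu

AZ="${AZ:-az}"                      # set AZ=echo to print the commands instead of running them
MG_NAME="${MG_NAME:-app-readers}"   # hypothetical management group name
APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"  # application (client) ID, placeholder

# Scope string of a management group. A role assignment made here is inherited
# by every subscription, resource group and resource beneath it.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s\n' "$1"
}

# Step 1: create the management group.
create_mg() {
  "$AZ" account management-group create --name "$1" --display-name "$1"
}

# Step 2: move subscriptions under the group. By default this takes every
# subscription the signed-in user can see; export SUBSCRIPTIONS="id1 id2" to
# restrict the set.
add_subscriptions() {
  local mg="$1" sub
  for sub in ${SUBSCRIPTIONS:-$("$AZ" account list --query '[].id' -o tsv)}; do
    "$AZ" account management-group subscription add --name "$mg" --subscription "$sub"
  done
}

# Step 3: a single Reader assignment at the management-group scope. Assigning by
# object ID with an explicit principal type avoids the directory lookup that can
# fail right after a service principal has been created.
grant_reader() {
  local mg="$1" app_id="$2" sp_object_id
  sp_object_id="$("$AZ" ad sp show --id "$app_id" --query id -o tsv)"
  "$AZ" role assignment create \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role Reader \
    --scope "$(mg_scope "$mg")"
}

# Step 4: check from the subscription side. With --include-inherited the listed
# scope should be the management group, not the subscription itself.
check_reader() {
  local app_id="$1" sub="$2"
  "$AZ" role assignment list --assignee "$app_id" --scope "/subscriptions/$sub" \
    --include-inherited --query "[?roleDefinitionName=='Reader'].scope" -o tsv
}

main() {
  local sub
  create_mg "$MG_NAME"
  add_subscriptions "$MG_NAME"
  grant_reader "$MG_NAME" "$APP_ID"
  for sub in ${SUBSCRIPTIONS:-$("$AZ" account list --query '[].id' -o tsv)}; do
    check_reader "$APP_ID" "$sub"
  done
}

# Changing role assignments is not something to do by accident: only run with --apply.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `bash grant_reader.sh --apply`; `AZ=echo bash -c '. ./grant_reader.sh; main'` prints the commands without executing them. The Reader role is read-only (no secrets, no writes), which matches what the question asks for; anything broader should be scoped narrower than the whole management group. For the answer's alternative of assigning on the root management group, the scope is `mg_scope <tenant-id>`, and by default no user, Global Administrator included, can assign roles there until they elevate their access to Azure resources in the Entra admin center. `az ad sp show --id <appId>` only succeeds once the service principal exists in that tenant; for a multi-tenant app registration deployed into a customer's tenant, that is the object created when the customer's administrator consents to the app.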