Arty29-6490 asked:

Roles and Permission required to monitor IoT Central messages

Hello,

I am trying to use Azure CLI to monitor messages from the devices registered in an IoT Central application. I have been able to do this if I log in to Azure CLI using my credentials but I would like to log in to Azure CLI using a service principal and when I do this I do not have the correct permissions.

In Active Directory I registered an app and created a client secret for it. I then used the Access Control (IAM) for the Azure subscription to assign the app to the built-in ‘Reader’ role.

I can then log in to Azure CLI using this service principal.

 az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>

However, when I try to monitor IoT Central messages I receive the following error:

The user does not have permission to perform the requested actions: /operating/devices/read Please ensure that the user is logged through the az login command, has the correct tenant set (the users home tenant) and has access to the application through http://apps.azureiotcentral.com

I am not sure where to go from here. I was wondering if perhaps I needed to assign a different role to the service principal but I don’t know what permissions are required to be able to monitor IoT Central device messages.

I would appreciate it if someone could point me in the right direction.

Thank you.


Tags: azure-iot-central, azure-iot

lmasieri answered:

Hi @Arty29-6490 - before you can use the SPN with IoT Central you must assign the SPN a role within IoT Central (the Azure Roles do not apply to IoT Central since it's a SaaS product with different capabilities).

Today the only way to add an SPN as a 'user' in IoT Central is through the API surface (we plan to add it to the UI in the future). You can see documentation here with examples on how to add the SPN to your app: https://docs.microsoft.com/en-us/rest/api/iotcentral/users/set#add-or-update-a-service-principal-user.

You can learn about IoT Central roles here: https://docs.microsoft.com/en-us/azure/iot-central/core/howto-manage-users-roles#manage-roles, the role ID you'll need to input as part of the API GET call can be found in the address bar when you navigate inside the Role details.

Hope that helps! Let us know if that worked for you.

-Luis


Hi @lmasieri - thank you for your advice and information. I had a feeling that there was something different about IoT Central.

I have been trying to use Postman with the Azure REST API but I'm getting 401 Unauthorized errors. In order to see if I had everything set up correctly I tried to list the users in the IoT Central instance using (with the appropriate subdomain etc):

 GET https://{subdomain}.{centralDnsSuffixInPath}/api/preview/users

When that didn't work I tried requesting the resource groups of my subscription, and that was successful.

 GET https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups

In both cases I was using the same bearer token which is obtained through another service principal that I created on my AD tenant, and to which I assigned the built-in Contributor role for my Azure subscription.

Is there something I need to know about the Service Principal required to manage IoT Central through the REST API?

Thank you.




Correct, the SPNs won't work against IoT Central until you add the SPN as a user to the app (directly with the IoT Central API, not via the Azure portal). You can try calling the IoT Central API with an IoT Central token: https://docs.microsoft.com/en-us/learn/modules/manage-iot-central-apps-with-rest-api/2-authorize-api

Once you try the token, please try adding the SPN to your app with the links I provided in my previous post. Then you should be able to call the API using your SPN.

Thanks,
Luis


Thanks @lmasieri - I think I have a better understanding now.

Using Azure CLI I requested a bearer token:

 az account get-access-token --resource https://apps.azureiotcentral.com

Using that token I tried again to list the users in my IoT Central app and this time I received an 'InvalidRequest' error indicating that this API cannot be called for my application which is V2, and to use the API with a V3 application. So, I think I may have solved my authorization problem but now have an even bigger issue to contend with. I'm not even sure how I can confirm that my IoT Central application is V2 as I can't find anything in the properties or even inside the identifiers that would reveal the version number.

Can you suggest some way for me to proceed from here?

Again, thank you for your assistance.

lmasieri answered:
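The flow described in this thread, put together as an added Python example (it is not code from the thread, from Microsoft, or from the IoT Central project): read the audience of a bearer token before using it, since a token issued for management.azure.com produces the 401 seen above while a token requested with --resource https://apps.azureiotcentral.com is the one IoT Central accepts, and then issue the PUT that registers a service principal as an IoT Central user with a role ID taken from the Role details URL. The request field names (type, tenantId, objectId, roles) follow the linked "Users - Set" documentation for the preview API and should be verified against the docs for your API version; the subdomain, user ID, tenant ID, object ID and role ID are constructed placeholders.

```python
"""Register a service principal as an IoT Central user via the REST API.

Added example, not code from the thread or from the IoT Central project.
Assumptions: the users-API body shape (type/tenantId/objectId/roles) follows
the linked "Users - Set" documentation; all IDs below are constructed.
"""
import base64
import json
import urllib.request
from urllib.error import HTTPError

# Resource the token must be issued for (the az command in the thread).
IOT_CENTRAL_RESOURCE = "https://apps.azureiotcentral.com"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Diagnostic use only: we just want to read the 'aud' claim locally; the
    service still validates the token on its side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    # base64url strips '=' padding; restore it before decoding.
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_targets_iot_central(token: str) -> bool:
    """True when the token's audience is IoT Central, not ARM (management.azure.com).

    A management-plane token is what produced the 401 in the thread.
    """
    aud = jwt_claims(token).get("aud")
    return aud == IOT_CENTRAL_RESOURCE or aud == IOT_CENTRAL_RESOURCE + "/"


def build_spn_user_request(subdomain, user_id, tenant_id, object_id, role_id,
                           dns_suffix="azureiotcentral.com", api_version="preview"):
    """Build the PUT (URL and JSON body) that adds an SPN user with one role.

    The path mirrors the preview endpoint used in the thread; the body field
    names are an assumption taken from the Users - Set documentation.
    """
    url = f"https://{subdomain}.{dns_suffix}/api/{api_version}/users/{user_id}"
    body = {
        "type": "servicePrincipal",    # assumed discriminator value from the docs
        "tenantId": tenant_id,         # AAD tenant that issued the SPN
        "objectId": object_id,         # AAD object ID of the SPN (not its app/client ID)
        "roles": [{"role": role_id}],  # IoT Central role ID from the Role details URL
    }
    return url, body


def add_spn_user(token, subdomain, user_id, tenant_id, object_id, role_id):
    """Send the PUT, refusing up front to use a token for the wrong audience."""
    if not token_targets_iot_central(token):
        raise ValueError("token audience is not IoT Central; obtain one with "
                         "az account get-access-token --resource " + IOT_CENTRAL_RESOURCE)
    url, body = build_spn_user_request(subdomain, user_id, tenant_id, object_id, role_id)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        # 401: wrong audience/tenant; 403: caller has no IoT Central role yet.
        raise RuntimeError(f"IoT Central returned {err.code}: {err.read().decode()}") from err


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token used only to demonstrate the audience check offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"


if __name__ == "__main__":
    mgmt_token = make_unsigned_jwt({"aud": "https://management.azure.com/"})
    central_token = make_unsigned_jwt({"aud": IOT_CENTRAL_RESOURCE})
    print("management token accepted:", token_targets_iot_central(mgmt_token))      # False
    print("IoT Central token accepted:", token_targets_iot_central(central_token))  # True
    url, body = build_spn_user_request("myapp", "spn-monitor", "<tenant-id>",
                                       "<spn-object-id>", "<role-id-from-role-details-url>")
    print("PUT", url, json.dumps(body))
```

For a live call, pass the output of az account get-access-token --resource https://apps.azureiotcentral.com as the token (using the credentials that already have Administrator rights in the app), after which the service principal can log in with az login --service-principal and monitor messages under the role it was given.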

IoT Central V2 apps are being deprecated in 2021. The good news is that we're working on tooling that will be released in early 2021 that will help you move your app from V2 to V3. Stay tuned for that. However, if this is a test app or if you don't want to wait, you can go ahead and create a new IoT Central app instance today (it'll be V3) and then use all of the new IoT Central features like API, SPNs, Custom User Roles, Continuous Data Export V2, etc.


@lmasieri - Ok, thanks for letting me know. It's not a test app so I will need to wait. If I were to migrate it to a V3 app it would have to go smoothly! I'll keep my eyes open for news on the migration tooling.
I really appreciate all your assistance.


@Arty29-6490 If above suggestions answers your query, please "Accept answer" or "Up-Vote" for the same which might be beneficial to other community members reading this thread.
