Adding write permission for creating Resource Groups to an Azure Active Directory Application

I have a C# application that will create Resource Groups. I'm using the ResourceManagementClient to create the resource group (which I assume is just a wrapper for their REST API). I'm using an Azure AD application's Client ID and Client Secret to authenticate.

I'm getting this error:

{"The client 'xxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxx/resourcegroups/test-resource-group'."}

Is there a way I can give this permission at the subscription level to an Azure AD application?

  • Register application in Azure AD (sounds like you've already done this)
  • Create corresponding service principal for your application (this may or may not have been done automatically when you registered the application - it depends on the method you used for registration)
  • Assign the service principal RBAC access to the subscription(s).
  • The steps are described in detail here.

    I believe you'll need to assign your service principal the Contributor role to enable resource group creation.

    You're right, I've figured it out before you actually replied. You need to add the application on the subscription level as a contributor (via the new portal). I was hoping for a more granular role for the application but it solves my problem for now. Yodacheese Jun 7, 2016 at 21:55

    Azure is the most f'ed up service. If you go to the page with details, the screenshots are no longer all correct. The UI has changed. thang Oct 24, 2017 at 17:25

    You can also use the Azure CLI, which allows you to automate the task of creating a service principal. I did the following (from here):

  • Install for your platform
  • Run az login to log into Azure w/your intended account
  • Run az ad sp create-for-rbac to create an Azure Active Directory Application with access to Azure Resource Manager for the current Azure Subscription
  • You can fetch the subscription ID in which the Service Principal was created using: az account list --query "[?isDefault].id" -o tsv
  • I wrote this code in a gist for macOS here
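
Added example, not part of either answer above and not Azure's own code: a small Python model of how a role assignment is checked against the action and scope named in the question's error, showing which roles assigned at the subscription would clear it, including a narrower one than Contributor. The role definitions are abbreviated and constructed for illustration, and "RG Creator" is a hypothetical custom role name.

```python
import re
from fnmatch import fnmatchcase

# Error text from the question (ids are redacted there as 'xxxx').
ERROR = ("The client 'xxxx' with object id 'xxxx' does not have authorization to "
         "perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' "
         "over scope '/subscriptions/xxxx/resourcegroups/test-resource-group'.")

# Abbreviated role definitions, constructed for this example. "RG Creator" is a
# hypothetical custom role; Reader and Contributor are shortened built-ins.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "RG Creator": {"Actions": ["Microsoft.Resources/subscriptions/resourceGroups/read",
                               "Microsoft.Resources/subscriptions/resourceGroups/write"],
                   "NotActions": []},
}

def parse_denial(message):
    """Extract (action, scope) from an authorization-failure message."""
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'", message)
    if not m:
        raise ValueError("not an authorization-failure message")
    return m.group(1), m.group(2)

def _matches(action, patterns):
    # Compared case-insensitively here (the error prints 'resourcegroups' in
    # lowercase); '*' is a wildcard that may span '/' separators.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scope_covers(assigned, requested):
    """An assignment applies at its own scope and at every scope beneath it."""
    a, r = assigned.lower().rstrip("/"), requested.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def grants(role, assigned_scope, action, scope):
    """True if `role` assigned at `assigned_scope` allows `action` on `scope`."""
    d = ROLES[role]
    return (scope_covers(assigned_scope, scope)
            and _matches(action, d["Actions"])
            and not _matches(action, d["NotActions"]))

def roles_that_fix(message, assigned_scope):
    """Names of the sample roles that would satisfy the denied request."""
    action, scope = parse_denial(message)
    return [r for r in ROLES if grants(r, assigned_scope, action, scope)]

if __name__ == "__main__":
    print(roles_that_fix(ERROR, "/subscriptions/xxxx"))
```
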
