
I'm trying to call above API provider via REST with the following URL: https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings with api-version=2017-04-01-preview

However, even though the Service Principal I am using is a member of the "Global Administrator" role in my AAD tenant, I am getting a "does not have authorization to perform action" error.

This endpoint doesn't seem to be documented though. Anybody know what is required to call this API endpoint with a service principal?

Thanks, David

  • What API reference doc are you looking at? If you want to use the API to do operations on Azure resources, you need to add your service principal to a role under the Access control (IAM) of your subscription or the specific resource. Commented Dec 7, 2018 at 9:06
  • David, I think you need Azure-level permissions; global admins in Azure AD are not necessarily global admins in Azure. Commented Dec 7, 2018 at 17:08
  • That service principal is already a Contributor on the subscription as well. I mentioned it below, but I think that namespace is part of AAD, and not Azure RM, but I can't find a role in AAD (nor in Azure RM) which has permissions over this scope. Commented Dec 7, 2018 at 20:38
  • did you get anywhere with this, mate? Commented Jan 5, 2019 at 17:14
  • kinda, sorta... david-obrien.net/2018/12/azure-ad-api-logs-flaws Commented Jan 8, 2019 at 23:55

2 Answers


Try to add a custom role with the action of microsoft.aadiam/diagnosticsettings/write in your AD App.

According to the doc, you can use a custom role to do the operation.

This article lists the operations available for each Azure Resource Manager resource provider. These operations can be used in custom roles to provide granular role-based access control (RBAC) to resources in Azure.

For more details to create the custom role, refer to this link.

Sample:

{
  "Name": "Test Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "xxxxxx",
  "Actions": [
    "microsoft.aadiam/diagnosticsettings/write",
    "microsoft.aadiam/diagnosticsettings/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}

Update:

You can use a user account with global admin role, refer to the steps below.

1. Navigate to Azure Active Directory -> Diagnostic settings -> Add diagnostic setting -> set the properties, open the Developer Tools (F12) -> Save.

2. In the captured request, copy the Bearer token.

3. Then we can test the API in Postman.

Request URL:

PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview

Request Header:


Request Body:

{
  "properties": {
    "logs": [
      {
        "category": "AuditLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "SignInLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx"
  }
}

It works on my side.


4 Comments

I had already tried that, however, I believe microsoft.aadiam is not part of the subscription but the tenant, and custom roles are not created in the tenant context, but rather start at the subscription level.
@DavidO'Brien Could you try to call the API with a user account that has the global admin permission?
how? How do I retrieve an API bearer token for an AAD user and not a service principal or application? I can only find documentation on how to do it in the context of an application. learn.microsoft.com/en-us/graph/auth-overview
@DavidO'Brien Hi, David, I updated my reply; you could refer to it. Also, I believe you have seen another post answered by Tom Sun; he may give an answer about getting the token with code later, which you could refer to.
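Action names in a role definition have to be JSON strings, and the answer's sample is meant to be fed to Azure as a file, so it is worth generating and checking it programmatically rather than hand-editing it. The following Python is an added example, not the answerer's code: it builds the role definition in the same shape with json.dumps (so every action is quoted), validates action strings and subscription scopes before they reach the file, and shows that an unquoted Actions array does not parse. ACTION_RE, GUID_RE and UNQUOTED_SAMPLE are my own constructions for local sanity checking, not an Azure-published grammar.

```python
import json
import re
import uuid

# Action strings look like {providerNamespace}/{resourceType}[/{child}]/{operation}.
# This pattern is an assumption for local validation, not an Azure-published grammar.
ACTION_RE = re.compile(r"^[A-Za-z0-9.]+(?:/[A-Za-z0-9*]+)+$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed copy of an Actions array with bare (unquoted) action names: not valid JSON.
UNQUOTED_SAMPLE = """{
  "Name": "Test Operator",
  "Actions": [
    microsoft.aadiam/diagnosticsettings/write,
    microsoft.aadiam/diagnosticsettings/read
  ]
}"""


def validate_action(action: str) -> str:
    """Reject non-strings and malformed action names before they reach the role file."""
    if not isinstance(action, str):
        raise TypeError(f"action must be a string, got {type(action).__name__}: {action!r}")
    if not ACTION_RE.match(action):
        raise ValueError(f"malformed action string: {action!r}")
    return action


def build_custom_role(name, description, actions, subscription_ids, role_id=None):
    """Build a custom role definition in the shape of the posted sample.

    AssignableScopes are restricted to real subscription GUIDs, so placeholders such as
    {subscriptionId1} are caught locally. Whether a subscription-scoped custom role can
    grant a microsoft.aadiam action at all is the open point raised in the comments.
    """
    for sub in subscription_ids:
        if not GUID_RE.match(sub):
            raise ValueError(f"not a subscription GUID: {sub!r}")
    return {
        "Name": name,
        "Id": role_id or str(uuid.uuid4()),
        "IsCustom": True,
        "Description": description,
        "Actions": [validate_action(a) for a in actions],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{sub}" for sub in subscription_ids],
    }


def role_to_json(role: dict) -> str:
    """Serialise with json.dumps so every action string is quoted."""
    return json.dumps(role, indent=2)


def parse_role_json(text: str):
    """Return the parsed role definition, or None when the text is not valid JSON."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def provider_namespaces(role: dict) -> set:
    """Provider namespaces touched by the role's actions, lower-cased (actions are case-insensitive)."""
    return {a.split("/", 1)[0].lower() for a in role["Actions"]}


if __name__ == "__main__":
    role = build_custom_role(
        "Test Operator", "AAD diagnostic settings operator",
        ["microsoft.aadiam/diagnosticsettings/write", "microsoft.aadiam/diagnosticsettings/read"],
        ["11111111-1111-1111-1111-111111111111"],  # constructed subscription id
    )
    print(role_to_json(role))
    print("unquoted sample parses:", parse_role_json(UNQUOTED_SAMPLE) is not None)
```

Save the printed JSON to a file and pass it to the role-definition creation command of your choice; the point of the validation step is that a typo in an action name or a placeholder left in AssignableScopes fails locally instead of as an opaque error from the API.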

I tested it with a global administrator user; it works correctly for me.

The following are the detailed steps:

1. Create a native Azure AD application and grant permissions to it.

2. Create a global administrator user; also change the default password.

Note: the user format should be [email protected], or you can't use the password flow to get the token, based on my test.

3. Assign the Owner role on the subscription.

4. Then we can use the following request to get the access token:

POST https://login.windows.net/<tenant-id>/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=password
&resource={resource}
&username={username}
&password={password}
&client_id={client-id}

5. Try to operate on the diagnosticSettings:

PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview

{
  "properties": {
    "logs": [
      {
        "category": "AuditLogs",
        "enabled": true,
        "retentionPolicy": { "days": 0, "enabled": false }
      },
      {
        "category": "SignInLogs",
        "enabled": false,
        "retentionPolicy": { "days": 0, "enabled": false }
      }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/{subscriptionId}/resourceGroups/{groupname}/providers/Microsoft.Storage/storageAccounts/{accountName}"
  }
}


3 Comments

thanks, I'll give that a go later on. Essentially what you are doing is "binding" the user's token to an AAD app's permission, correct?
A client application gains access to a resource server by declaring permission requests. Two types are available: application and delegated permissions. In this case, there is no application permission; it seems that it only supports delegated permission.
Delegated permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as "scp" claims in the client's access token. For more information, please refer to this link.
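Both answers end with the same PUT against microsoft.aadiam/diagnosticSettings, and the question's failure mode is the 403 that comes back when the token's identity lacks the action. As an added example (not the answerers' code), the following Python builds that request body from a category map, sends it with a bearer token obtained by whichever flow you use, and turns ARM's 401/403 into a PermissionError that quotes the denied action and scope, which is the detail to compare against the role assignment. FakeOpener, FakeResponse, OK_BODY and DENIED_BODY are constructed stand-ins so the script runs offline; the error text is modelled on the ARM AuthorizationFailed shape and was not captured from Azure.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "2017-04-01-preview"
BASE_URL = "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings"


def diagnostic_settings_url(name: str) -> str:
    """Tenant-level resource: no subscription or resource group segment in the path."""
    return f"{BASE_URL}/{urllib.parse.quote(name, safe='')}?api-version={API_VERSION}"


def build_diagnostic_settings_body(storage_account_id: str, categories: dict, retention_days: int = 0) -> dict:
    """categories maps a log category (AuditLogs, SignInLogs) to whether it is enabled."""
    logs = [
        {
            "category": category,
            "enabled": enabled,
            "retentionPolicy": {"days": retention_days, "enabled": retention_days > 0},
        }
        for category, enabled in categories.items()
    ]
    return {"properties": {"logs": logs, "metrics": [], "storageAccountId": storage_account_id}}


def put_diagnostic_settings(token: str, name: str, body: dict, opener=None):
    """PUT the setting with a bearer token; return (status, parsed response body).

    401/403 become PermissionError carrying ARM's error message, which names the action
    and scope that were denied; any other HTTP error is re-raised unchanged.
    """
    request = urllib.request.Request(
        diagnostic_settings_url(name),
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(request) as response:
            raw = response.read()
            return response.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            detail = json.loads(raw)
        except ValueError:
            detail = {}
        if err.code in (401, 403):
            message = detail.get("error", {}).get("message", raw.decode("utf-8", "replace"))
            raise PermissionError(f"HTTP {err.code}: {message}") from err
        raise


class FakeResponse:
    """Minimal stand-in for the object urlopen returns (constructed for offline use)."""
    def __init__(self, status, body):
        self.status, self._body = status, body
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class FakeOpener:
    """Records the request and answers with a canned status/body instead of calling Azure."""
    def __init__(self, status, body):
        self.status, self.body, self.last_request = status, body, None
    def open(self, request):
        self.last_request = request
        if self.status >= 400:
            raise urllib.error.HTTPError(request.full_url, self.status, "error", {}, io.BytesIO(self.body))
        return FakeResponse(self.status, self.body)


# Constructed responses, not captured from Azure: a success echo and an AuthorizationFailed error.
OK_BODY = json.dumps({"id": "/providers/microsoft.aadiam/diagnosticSettings/service", "name": "service"}).encode()
DENIED_BODY = json.dumps({"error": {"code": "AuthorizationFailed", "message": (
    "The client does not have authorization to perform action "
    "'microsoft.aadiam/diagnosticsettings/write' over scope '/providers/microsoft.aadiam'."
)}}).encode()
```

With a real token, call put_diagnostic_settings with opener left as None; the PermissionError message then tells you exactly which action and scope the identity was missing, rather than only that the call failed.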
