Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Add AAD application as a member of a security group

I'm trying to enable service to service auth using AAD tokens. My plan is to validate "groups" claim in the token to make sure the caller is a member of a security group that we created.

For example, we will create group1 for readers and group2 for writers. Then based on "groups" claim, I will figure out the right access level.

I use AAD app to issue the tokens (not a user), so I need that app to be a member of the security group. Azure AD powershell doesn't seem to accept application ids as group members. How to solve this? are there any other recommended patterns when the caller is another AAD app?

Command used: https://docs.microsoft.com/en-us/powershell/module/azuread/Add-AzureADGroupMember?view=azureadps-2.0

Error:  
Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Request_BadRequest
Message: An invalid operation was included in the following modified references: 'members'.
RequestId: 0441a156-3a34-484b-83d7-a7863d14654e
DateTimeStamp: Mon, 11 Dec 2017 21:50:41 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ Add-AzureADGroupMember -ObjectId "9c2cdf89-b8d6-4fb9-9116-7749adec85c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-AzureADGroupMember], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddGroupMember
like image 562
George Moussa Avatar asked Dec 11 '17 22:12

George Moussa


People also ask

How do I add a service principal to a security group?

In the Azure portal, navigate to your key vault and select Access policies. Select Add access policy, then select the key, secret, and certificate permissions you want to grant your application. Select the service principal you created previously. Select Add to add the access policy, then Save to commit your changes.

Do security groups sync to Azure AD?

Azure AD Connect excludes built-in security groups from directory synchronization. Azure AD Connect does not support synchronizing Primary Group memberships to Azure AD.


1 Answers

  1. Unfortunately, you cannot add an application as a member of Azure AD group. Though the official document for the Powershell cmdlet Add-AzureADGroupMember doesn't make clear you cannot use Application's ObjectId as the RefObjectId, absolutely you cannot use it. You cannot add an application as a member of Azure AD group neither.

    For example, we will create group1 for readers and group2 for writers. Then based on "groups" claim, I will figure out the right access level.

  2. For your scenario, I'm afraid that you couldn't achieve this for now. I understand why you need this. According to your request, my thought is assigning your application from Enterprise Application to Groups or users and manger users with different access rights. However, you cannot choose more roles for the selected group. The only one role is default access If want to define more roles for the app, you can refer to this documentation. I also tried to use Azure AD RBAC and create new conditional access for my test app,but all don't have read only this choice. You can also put your idea in Azure Feedback Forum, azure team will see it. Also, I will upvote your idea.

Update:


Currently, you can add a service principal to an AAD Group:

Example:

$spn = Get-AzureADServicePrincipal -SearchString "yourSpName"

$group = Get-AzureADGroup -SearchString "yourGroupName"

Add-AzureADGroupMember -ObjectId $($group.ObjectId) -RefObjectId $($spn.ObjectId)

Updated 2:

Recently, I also see lots of users want to assign roles to a service principal to let the service principal have some permissions to access to the app with a role.

I want to make clear here. Role-based authorized should be used for users, NOT applications. And it's not designed for applications. If you want to give some different permissions you may consider to assign application permissions to your service principal instead.

You can expose your Web App/API with application permissions by editing the Manifest in app registrations.

You can go to Azure portal > Azure Active Directory > App registrations > Select your App > Manifest.

In appRoles, you can insert content like this:

  {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "Access to the settings data",
      "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
      "isEnabled": true,
      "description": "Administrators can access to the settings data in their tenant",
      "value": "Settingsdata.ReadWrite.All"
    },

Then, you can go another app registration you want to give permission > Settings > require permissions > Add > Search the application name you want to access > Choose the application permission you created before.

Therefore, your sp can obtain a token with that application permissions in token claims.

Also, for authorization from the resource, you need to add code logic to give control policy for that token with Settingsdata.ReadWrite.All claim.


Update 3

Currently, you can add the service principal to one AAD Group directly in Azure portal: enter image description here

like image 76
Wayne Yang Avatar answered Oct 13 '22 16:10

Wayne Yang