The general approach is to look up the directory role's object ID (the RoleID) and then add the enterprise application's object ID (its service principal) as a member of that role:
Create the app registration, a client secret and the enterprise app (service principal) with the Azure CLI, run from a PowerShell session:
$app_name = "Deployment app"
# appId is the client ID; id is the app registration's object ID
$app = az ad app create --display-name $app_name --query '{appId: appId, objectId: id}' --output json
# join the CLI output lines first so this also works on Windows PowerShell 5.1
$app = ($app -join "`n") | ConvertFrom-Json
# the secret value is only returned once, so keep this output out of logs and transcripts
$cred = az ad app credential reset --id $app.appId --display-name "client-secret" --years 2
# enterprise app (service principal); current az versions expose the object ID as "id", not "objectId"
$enapp = az ad sp create --id $app.appId --query '{appId: appId, objectId: id}' --output json
$enappID = az ad sp show --id $app.appId --query id --output tsv
Assign it to a directory role (AzureAD module, after Connect-AzureAD):
$AdminRoleObject = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Application Administrator'}
Add-AzureADDirectoryRoleMember -ObjectId $AdminRoleObject.ObjectId -RefObjectId $enappID
If the role has not been activated yet in the tenant ($AdminRoleObject is empty), enable it from its role template first; the template name must match the role looked up above:
$template = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.DisplayName -eq 'Application Administrator'}
Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
Alternatively, grant the app an Azure RBAC role on a subscription instead of a directory role, here Owner on the current subscription:
$subscriptionID = az account show --query id --output tsv
az role assignment create --assignee $app.appId --role "Owner" --scope "/subscriptions/$subscriptionID"
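The steps above as one idempotent script, added here as an example and not part of the original post. It assumes az is already logged in, the AzureAD module is installed (Microsoft has deprecated it in favour of the Microsoft Graph PowerShell SDK, but the example keeps to the post's own tooling), and that $AppName, $RoleName and $SubscriptionRole are placeholders to adjust. Unlike the one-shot commands it re-uses an existing app or service principal, activates the directory role from its template only when needed, skips memberships and role assignments that already exist, and ends by listing what the principal was granted so the result can be reviewed.

```powershell
# Added example, not the post's code. Assumptions: az login done, AzureAD module installed,
# the three values below are placeholders.
$ErrorActionPreference = 'Stop'

$AppName          = 'Deployment app'
$RoleName         = 'Application Administrator'   # directory role used in the post
$SubscriptionRole = 'Owner'                       # as in the post; narrow the role or the scope where Owner is not needed

# 1. App registration (re-use if it already exists). tsv with an array query gives one tab-separated line.
$found = az ad app list --display-name $AppName --query '[0].[appId, id]' --output tsv
if ($found) {
    $appId, $appObjectId = $found -split "`t"
} else {
    $appId, $appObjectId = (az ad app create --display-name $AppName --query '[appId, id]' --output tsv) -split "`t"
}

# 2. Client secret. The value is returned once only; keep it out of transcripts and hand it to a vault.
$clientSecret = az ad app credential reset --id $appId --display-name 'client-secret' --years 1 --query password --output tsv

# 3. Enterprise app / service principal (re-use if present). Its object ID is what role membership needs.
$spId = az ad sp list --filter "appId eq '$appId'" --query '[0].id' --output tsv
if (-not $spId) {
    $spId = az ad sp create --id $appId --query id --output tsv
}

# 4. Directory role: activate from the template if the tenant has not done so yet, then add the member once.
Connect-AzureAD | Out-Null
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $template) { throw "No directory role template named '$RoleName'" }
    Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
}
$alreadyMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Where-Object { $_.ObjectId -eq $spId }
if (-not $alreadyMember) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $spId
}

# 5. Subscription RBAC. Assigning by object ID with an explicit principal type avoids the
#    directory lookup that can fail right after the service principal was created.
$subscriptionId = az account show --query id --output tsv
$scope = "/subscriptions/$subscriptionId"
$existing = az role assignment list --assignee $spId --role $SubscriptionRole --scope $scope --query 'length(@)' --output tsv
if ($existing -eq '0') {
    az role assignment create --assignee-object-id $spId --assignee-principal-type ServicePrincipal `
        --role $SubscriptionRole --scope $scope --output none
}

# 6. Review what this principal now holds: directory role members and its RBAC assignments.
"Directory role '$($role.DisplayName)' members:"
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Select-Object DisplayName, ObjectId
"RBAC assignments for service principal $spId :"
az role assignment list --assignee $spId --all --output table
```

Run it in the same PowerShell session in which you executed az login; the secret stays in $clientSecret and is deliberately never written to the console. Step 6 is the check worth keeping: the output of an app that is both Application Administrator and subscription Owner is what a reviewer will want to see, and the same two commands are how you audit the grant later.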