possibility of adding service principal owners with the cli

Open mariojacobo opened this issue 6 years ago • 53 comments

"az ad sp owner add" would be nice to have. We currently add owners as a manual step after the environment build completes. Is there something similar in the CLI package?


mariojacobo avatar Apr 30 '19 13:04 mariojacobo

It seems this should have been part of microsoftgraph/microsoft-graph-docs#7578, which is titled "Graph: support add/remove/list owners on app, sp, and group". The PR did this for app and group, but appears to have forgotten to include code for sp. Looking at the commits in that PR, it only removes a comment under "ad sp owner" ("# TODO: Add support for 'add' and 'remove'") but doesn't add code to actually add and remove owners from service principals.

jurjenoskam avatar May 23 '19 06:05 jurjenoskam

Okay, I will follow up to onboard the support since we have the ask now.

yugangw-msft avatar May 28 '19 23:05 yugangw-msft

Any progress on this?

jonaspetersorensen avatar Jul 11 '19 14:07 jonaspetersorensen

The related API is missing in the spec. Before it gets fixed, you can use az rest. A bit more detail is needed from this command; otherwise it is just like other ones:

az rest --method post --uri https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/\$links/owners?api-version=1.6 --body "{\"url\":\"https://graph.windows.net/<tenantId>/directoryObjects/<owner's object id>\"}"

yugangw-msft avatar Jul 15 '19 01:07 yugangw-msft

@yugangw-msft, I don't suppose you know the az rest command to remove an owner?

miicahjardine avatar Sep 05 '19 10:09 miicahjardine

I ran into the same issue of having to add an additional owner to an existing SP.

Unfortunately the API responds with "bad request": Unsupported resource type 'DirectoryObject' for operation 'Create'.

My first suspicion was a permission problem, but I would expect a proper response then. Any ideas?

kautsig avatar Sep 17 '19 08:09 kautsig

@yugangw-msft

The related API is missing in the spec. Before it gets fixed, you can use az rest. A bit more detail is needed from this command; otherwise it is just like other ones:

az rest --method post --uri https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/\$links/owners?api-version=1.6 --body "{\"url\":\"https://graph.windows.net/<tenantId>/directoryObjects/<owner's object id>\"}"

I tried this, but the owners are not added, even though the call succeeds.

When is the release of the CLI `ad sp` owner support scheduled?

pgroene avatar Nov 18 '19 19:11 pgroene

@yugangw-msft, I don't suppose you know the az rest command to remove an owner?

@miicahjardine, I've found the following works to delete owners:

az rest --method=delete --uri=https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/\$links/owners/<owner object id>?api-version=1.6

dekimsey avatar Nov 22 '19 18:11 dekimsey

Can we close this issue?

yonzhan avatar Dec 15 '19 11:12 yonzhan

Is this fixed? I tried using "az rest ..." and also got the "Unsupported resource type 'DirectoryObject' for operation 'Create'." error.

trvsmtchll avatar Dec 16 '19 22:12 trvsmtchll

For whatever reason I'm getting the "Unsupported resource type" error in PowerShell... but in cmd.exe it works fine.

pwsh equiv:

az rest --method post --uri https://graph.windows.net/<tenant>/servicePrincipals/<sp id>/$links/owners?api-version=1.6 --body "{\`"url\`":\`"https://graph.windows.net/<tenant>/directoryObjects/<user object id>\`"}"

I think it has something to do with escaping in pwsh; I didn't sniff the traffic yet.

drdamour avatar Jan 10 '20 22:01 drdamour

Well crap, it's the `$links` which resolves in PowerShell to nothing... so escape it and it'll work:

az rest --method post --uri https://graph.windows.net/<tenant>/servicePrincipals/<sp id>/`$links/owners?api-version=1.6 --body "{\`"url\`":\`"https://graph.windows.net/<tenant>/directoryObjects/<user object id>\`"}"

or

az rest --method post --uri https://graph.windows.net/<tenant>/servicePrincipals/<sp id>/`$links/owners?api-version=1.6 --body '{\"url\":\"https://graph.windows.net/<tenant>/directoryObjects/<user object id>\"}'

drdamour avatar Jan 10 '20 22:01 drdamour

@trvsmtchll, could you share the command with sensitive information removed? Also what is the environment?

jiasli avatar Jan 14 '20 05:01 jiasli

I cannot reset something that I am not an owner of. So I really need the possibility to add owners to an SPN.

Please fix the incomplete CLI.

naymore avatar Mar 13 '20 10:03 naymore

Looking for any updates on how to add a service principal completely with CLI without going to the GUI/Portal at all please.

trvsmtchll avatar Mar 13 '20 18:03 trvsmtchll

I cannot reset something that I am not an owner of.

Made worse by the fact that owners must be User objects, so I cannot even set my team's security group here. I have to enumerate and add every individual member.

dekimsey avatar Mar 13 '20 18:03 dekimsey

As AAD is deprecating AD Graph API, for now you may use az rest to call MS Graph API.

Add owners to an application

MS Graph API: application: Add owner

# bash
appId=93dde3da-9fca-47dd-aee2-409b402ffed3
appObjectId=$(az ad app show --id $appId --query objectId -o tsv)

# Get the object Id for the current user
ownerObjectId=$(az ad signed-in-user show --query objectId -o tsv)

# This applies to both user and service principal as owners
az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/$ownerObjectId\"}"

# To add a user as an owner
az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/users/$ownerObjectId\"}"

# To add a service principal as an owner
az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/servicePrincipals/$ownerObjectId\"}"

Also see https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/8095, https://blogs.aaddevsup.xyz/2018/11/how-to-add-an-owner-to-an-azure-ad-application/

Add owners to a service principal

MS Graph API: servicePrincipal: Add owner

Note that the doc for request body is not accurate at the moment (https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/7380).

# bash
appId=93dde3da-9fca-47dd-aee2-409b402ffed3
spObjectId=$(az ad sp show --id $appId --query objectId --output tsv)

# Get the object Id for the current user
ownerObjectId=$(az ad signed-in-user show --query objectId -o tsv)

# This applies to both user and service principal as owners
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/$ownerObjectId\"}"

# To add a user as an owner
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/users/$ownerObjectId\"}"

# To add a service principal as an owner
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/servicePrincipals/$ownerObjectId\"}"

jiasli avatar Mar 25 '20 03:03 jiasli
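The following is an added example, not code from the issue thread or from the Azure CLI project. It wraps the `az rest` approach above into a small bash script that avoids the two pitfalls raised in this thread: the shell eating the literal `$ref` (or `$links`) in the URI, and the reference target type in the body (it resolves the owner's `@odata.type` first and refuses groups, which Graph rejects as owners). The function names, the `GRAPH_VERSION` variable (defaulting to `v1.0`; the comment above uses `beta`) and the requirement that the caller already holds Application.ReadWrite.OwnedBy (or .All) plus Directory.Read.All are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread): add an owner to a service principal
# via Microsoft Graph with `az rest`. Assumes `az login` has been done and the
# caller has Application.ReadWrite.OwnedBy or .All plus Directory.Read.All.
GRAPH_VERSION="${GRAPH_VERSION:-v1.0}"          # assumption: v1.0; thread used beta
GRAPH="https://graph.microsoft.com/${GRAPH_VERSION}"

# Reject anything that is not a GUID so a typo cannot turn into a bad URI.
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Map a directoryObject @odata.type to the typed collection used in the body.
# Groups are refused up front: Graph answers Request_BadRequest for them.
owner_collection() {
    case "$1" in
        '#microsoft.graph.user')             echo users ;;
        '#microsoft.graph.servicePrincipal') echo servicePrincipals ;;
        '#microsoft.graph.group')
            echo "groups cannot be owners of applications or service principals" >&2; return 1 ;;
        *)  echo "unsupported owner type: $1" >&2; return 1 ;;
    esac
}

# Build the URI with a literal "$ref". Single quotes in the printf format keep
# the shell from expanding $ref to an empty variable (the failure seen with
# $links in this thread), which would send the request to .../owners/ instead.
owners_ref_uri() {
    target="$1"; object_id="$2"            # target: sp | app
    is_guid "$object_id" || { echo "not a GUID: $object_id" >&2; return 1; }
    case "$target" in
        sp)  printf '%s/servicePrincipals/%s/owners/$ref\n' "$GRAPH" "$object_id" ;;
        app) printf '%s/applications/%s/owners/$ref\n' "$GRAPH" "$object_id" ;;
        *)   echo "target must be sp or app" >&2; return 1 ;;
    esac
}

# Generate the JSON body with printf, so no hand-escaped quotes are needed.
owner_ref_body() {
    collection="$1"; owner_id="$2"
    is_guid "$owner_id" || { echo "not a GUID: $owner_id" >&2; return 1; }
    printf '{"@odata.id": "%s/%s/%s"}\n' "$GRAPH" "$collection" "$owner_id"
}

# Resolve the owner's type, POST the reference, then read the owners back to
# confirm the change actually landed (the call succeeding is not proof).
add_sp_owner() {
    sp_id="$1"; owner_id="$2"
    command -v az >/dev/null || { echo "az CLI not found" >&2; return 1; }
    odata_type=$(az rest -m GET -u "${GRAPH}/directoryObjects/${owner_id}" \
                 --query '"@odata.type"' -o tsv) || return 1
    collection=$(owner_collection "$odata_type") || return 1
    uri=$(owners_ref_uri sp "$sp_id") || return 1
    body=$(owner_ref_body "$collection" "$owner_id") || return 1
    az rest -m POST -u "$uri" --headers Content-Type=application/json -b "$body" || return 1
    az rest -m GET -u "${GRAPH}/servicePrincipals/${sp_id}/owners" \
        --query "value[?id=='${owner_id}'].id" -o tsv | grep -q "$owner_id"
}

# Usage: add_sp_owner <service principal object id> <user or SP object id>
```

Only `add_sp_owner` talks to Azure; the helpers are pure string construction, so the URI and body can be inspected (or unit-tested) before anything is sent. Re-running against an existing owner makes Graph return an error for the duplicate reference, so the final verification GET is what tells you the desired state holds.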

@dekimsey, MS Graph currently doesn't support group as owner.

$ az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/5a197067-7d4e-4862-a692-cb5933646da1\"}"
Bad Request({
  "error": {
    "code": "Request_BadRequest",
    "message": "The reference target 'Group_5a197067-7d4e-4862-a692-cb5933646da1' of type 'Group' is invalid for the 'owners' reference.",
    "innerError": {
      "request-id": "daf41148-02ab-426a-9dc0-fe07060fe87f",
      "date": "2020-03-25T03:21:30"
    }
  }
})

I will mark this as service attention. You may vote on these feedback pages:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37337278-add-group-as-owner-on-azure-ad-application-and-ser https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6688284-ad-groups-in-application-owners https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39240190-app-registration-owners-should-allow-for-groups

jiasli avatar Mar 25 '20 03:03 jiasli

@yonzhan why did this get closed? Regardless of adding groups, it would still be good to add users without having to use az rest.

drdamour avatar Mar 28 '20 03:03 drdamour

@drdamour Is it a requirement for CLI or AAD team?

yonzhan avatar Mar 28 '20 03:03 yonzhan

cli

drdamour avatar Mar 28 '20 03:03 drdamour

I will discuss with @jiasli about this and keep this issue reopen.

yonzhan avatar Mar 28 '20 03:03 yonzhan

This will be implemented after we migrate to MS Graph. Moving to backlog as a feature request. We will track MS Graph issues at https://github.com/Azure/azure-cli/issues/12946

jiasli avatar Mar 30 '20 02:03 jiasli

Seems like the graph.windows.net solution no longer functions at all, and the MS Graph suggestion requires a TON of permissions that no sane admin would grant...

drdamour avatar Jun 16 '20 19:06 drdamour

I stand corrected, the application one is pretty sane: ReadWrite.OwnedBy. I thought it required Write.All.

drdamour avatar Jun 16 '20 19:06 drdamour

Hi @drdamour, thanks for the supplemental information. Yes, for both application: Add owner and servicePrincipal: Add owner APIs, all you need is Application.ReadWrite.OwnedBy and Directory.Read.All, as given by the document itself:

Permission type | Permissions (from least to most privileged)
--- | ---
Delegated (work or school account) | Application.ReadWrite.All and Directory.Read.All, Directory.AccessAsUser.All
Delegated (personal Microsoft account) | Not supported.
Application | Application.ReadWrite.OwnedBy and Directory.Read.All, Application.ReadWrite.All and Directory.Read.All

jiasli avatar Jun 17 '20 02:06 jiasli

More than one year has passed, any news on this? Would be great if this will be implemented in my opinion.

swisman avatar Sep 09 '21 06:09 swisman

Trying to follow the official docs for adding an owner to a service principal (pscore)

az rest `
   --method POST --uri https://graph.microsoft.com/v1.0/servicePrincipals/$($objectId)/owners/\$ref `
   --headers Content-Type=application/json `
   --body '{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$($userId)\"}'

responds with

ERROR: Bad Request({"error":{"code":"Request_BadRequest","message":"Unsupported resource type 'DirectoryObject' for operation 'Create'.","innerError":{"date":"2021-09-20 .... SNIP

23min avatar Sep 20 '21 11:09 23min

@23min I've always used User, which inherits from directoryObject. Agree the docs are strange; FWIW you linked the beta docs... but even the v1.0 docs example shows using beta for the POST target... so weird.

az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/<sp object id>/owners/`$ref --headers Content-Type=application/json -b '{\"@odata.id\": \"https://graph.microsoft.com/beta/users/<user id>\"}'

drdamour avatar Sep 21 '21 21:09 drdamour

Hi folks, as for the behavior of Microsoft Graph API, you may reach out to AAD support by creating a support ticket. A support engineer will gladly help you with it.

jiasli avatar Sep 22 '21 02:09 jiasli