
createProxyServiceClient: Updated app role assignment method to recommended approach

Open mikaelweave opened this issue 4 years ago • 1 comments

Why this PR?

az ad app permission admin-consent is the old way of granting Application Permissions and Delegated Permissions to an app. It requires user intervention for admin consent and will be deprecated in the future. See this GitHub issue on the Azure CLI repo for more information.

About the PR

The az cli does not have a native command to update app roles. There has been a pattern established using the az rest command (see above link). This is the approach taken in this PR for granting app role assignments.

Gotcha

Since the appRoleAssignedTo endpoint returns an HTTP 4xx if the assignment already exists, we need to check and see if this assignment exists before blindly applying in case the user runs the script multiple times. I think outputting an error when the script is successful is not what we want here. To accomplish only assigning if the assignment doesn't exist, I queried the current app role assignments for the proxy enterprise application (again using az rest) and used jq to determine if the assignment exists or not. If it does not, I apply the assignment.

Other Cleanup

Added --skip-assignment to the service principal creation command to stop giving the service principal Contributor rights over the whole subscription.

mikaelweave, Jul 16 '21 22:07
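The check-then-assign flow described in the pull request above, as an added example that is not code from the PR or the fhir-proxy project. The function names, the sample response and every GUID are constructed for illustration; it assumes a logged-in az CLI and jq on the PATH.

```shell
#!/usr/bin/env bash
# Added example: idempotent app role assignment through Microsoft Graph.
# Function names and all GUIDs below are constructed, not taken from the PR.

GRAPH="https://graph.microsoft.com/v1.0"

# Reads an appRoleAssignedTo list response on stdin and exits 0 only when the
# exact (principal, app role) pair is already present.
assignment_exists() {
  jq -e --arg p "$1" --arg r "$2" \
    'any(.value[]?; .principalId == $p and .appRoleId == $r)' >/dev/null
}

# Builds the POST body with jq so values are JSON-escaped, not string-spliced.
assignment_body() {
  jq -cn --arg p "$1" --arg res "$2" --arg r "$3" \
    '{principalId: $p, resourceId: $res, appRoleId: $r}'
}

# $1 = object id of the service principal receiving the role
# $2 = object id of the resource (proxy) enterprise application
# $3 = id of the app role to assign
ensure_app_role_assignment() {
  local url="$GRAPH/servicePrincipals/$2/appRoleAssignedTo" current
  # Fail closed: if the lookup itself fails, do not attempt the POST.
  current=$(az rest --method get --url "$url") || return 1
  # Caveat: only the first page of results is inspected here; a resource
  # with many assignments needs @odata.nextLink followed before deciding.
  if printf '%s' "$current" | assignment_exists "$1" "$3"; then
    echo "app role assignment already present, skipping" >&2
    return 0
  fi
  az rest --method post --url "$url" \
    --headers "Content-Type=application/json" \
    --body "$(assignment_body "$1" "$2" "$3")"
}

# Constructed sample response for exercising the check offline.
SAMPLE='{"value":[{"id":"a1","principalId":"11111111-1111-1111-1111-111111111111","resourceId":"22222222-2222-2222-2222-222222222222","appRoleId":"33333333-3333-3333-3333-333333333333"}]}'
```

Matching on both principalId and appRoleId matters: a principal that already holds a different role on the same resource must not be treated as already assigned.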

Will look at this following the releases for training.

daemel, Dec 06 '21 17:12

Closed for Archive. Addressed in v2.0 Branch.

sordahl-ga, Jul 18 '23 17:07