Issue Statement:
It is possible that some organizations have locked down their Azure Active Directory for users who are not Account Owners, which means that even if you are an Owner on a Subscription or Tenant, you might not be able to modify Azure AD.
The Getting Started documentation denotes using an App Service Principal in order to accomplish authentication and application identity resolution, which is not possible in the aforementioned scenario.
Workaround:
The workaround for this is to utilize an external Identity Provider (Google, GitHub, etc.) for authentication and the Azure Managed Identity for the IAM roles.
Getting Started Substitution Steps:
Enable App Service Authentication
In the Azure Portal, open the Function blade, then select the Authentication menu and enable App Service authentication. Click on the Add identity provider button to display the screen for adding a new identity provider.
Select an external Identity Provider (e.g. GitHub or Google). Follow the respective steps for your identity provider shown here to finish setting it up.
Add access control (IAM) to the target resources
Note: A big difference here is that you should assign the lowest permissions available to the ACME Bot application. In this case that is directly on the resources being managed, and not on Resource Groups as shown in the Getting Started docs.
Assign the following roles on their respective Resources. You should be able to select the ACME Bot's Function App Managed Identity as opposed to the Service Principal that was omitted in Step 3:
DNS Zone Contributor
Contributor
Contributor
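The role assignments described in the post above, as an added example that is not part of the original discussion or of the ACME Bot project's own code. It scripts the "assign at the resource, not the resource group" rule with the Azure CLI and adds the one caveat a practitioner hits in a locked-down tenant: `az role assignment create --assignee <id>` resolves the principal through Microsoft Graph, which is the call that fails when Azure AD is locked down, whereas `--assignee-object-id` plus `--assignee-principal-type ServicePrincipal` skips that lookup. The resource group, function app name, subscription ID and resource IDs are hypothetical placeholders; only the DNS zone mapping for "DNS Zone Contributor" is certain from the post, so the "Contributor" target is a placeholder to replace with the resource IDs from the Getting Started docs.

```shell
#!/usr/bin/env bash
# Added example, not code from the original discussion or the ACME Bot project.
# Assigns roles to the Function App's system-assigned managed identity at
# individual-resource scope. Resource names, subscription ID and resource IDs
# below are hypothetical placeholders; the az CLI flags are real.
set -euo pipefail

# A resource-scoped ID carries a /providers/<ns>/<type>/<name> segment after the
# resource group; a resource-group scope stops at /resourceGroups/<name>.
# Least privilege means refusing anything broader than a single resource.
scope_is_resource() {
  case "$1" in
    */resourceGroups/*/providers/*/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit one role-assignment command. Passing --assignee-object-id together with
# --assignee-principal-type lets az skip the Microsoft Graph lookup that a plain
# --assignee performs, which is exactly the call that fails when Azure AD is
# locked down for non-owners.
assign_cmd() {
  local principal_id="$1" role="$2" scope="$3"
  if ! scope_is_resource "$scope"; then
    echo "refusing non-resource scope (assign at the resource, not the resource group): $scope" >&2
    return 1
  fi
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope "%s"\n' \
    "$principal_id" "$role" "$scope"
}

# Print the full plan for a given managed-identity object ID. Only the DNS zone
# mapping is certain from the discussion; the Contributor target is a
# placeholder to replace with the resource IDs from the Getting Started docs.
plan() {
  local principal_id="$1"
  local sub="00000000-0000-0000-0000-000000000000"   # placeholder subscription
  local dns_zone="/subscriptions/$sub/resourceGroups/rg-dns/providers/Microsoft.Network/dnszones/example.com"
  local target="/subscriptions/$sub/resourceGroups/rg-acmebot/providers/Microsoft.Web/sites/app-managed-by-acmebot"
  assign_cmd "$principal_id" "DNS Zone Contributor" "$dns_zone"
  assign_cmd "$principal_id" "Contributor" "$target"
}

# Demo run with a fake object ID so the script is safe to execute as-is (it only
# prints commands). To apply for real, enable the identity, source this file and
# pipe the plan into bash:
#   az functionapp identity assign -n func-acmebot -g rg-acmebot
#   plan "$(az functionapp identity show -n func-acmebot -g rg-acmebot --query principalId -o tsv)" | bash
plan "11111111-1111-1111-1111-111111111111"
```

Review the printed commands before piping them anywhere; the script deliberately never calls `az` itself, so it can be run offline and the refusal of a resource-group scope can be exercised without touching the tenant.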