possibility of adding service principal owners with the cli #9250
mariojacobo opened this issue Apr 30, 2019 — with docs.microsoft.com · 53 comments
Labels: feature-request, Graph, az ad, Service Attention

"az ad sp owner add" would be nice to have. We currently add owners as a manual step after the environment build completes. Is there something similar in the CLI package?

@mariojacobo mariojacobo changed the title possibility of adding SP owners with the cli possibility of adding service principal owners with the cli Apr 30, 2019
@marstr marstr added Feature RBAC az role labels Apr 30, 2019
@jurjenoskam

It seems this should have been part of microsoftgraph/microsoft-graph-docs#7578, which says "Graph: support add/remove/list owners on app, sp, and group". The PR did this for app and group, but appears to have forgotten to include code for sp. Looking at the commits in that PR, it only removes a comment under "ad sp owner" ("# TODO: Add support for 'add' and 'remove'"), but doesn't add code to actually add and remove owners from service principals.

@yugangw-msft

yugangw-msft commented May 28, 2019

Okay, I will follow up to onboard the support since we have the ask now.

@yugangw-msft yugangw-msft self-assigned this May 28, 2019
@yugangw-msft yugangw-msft added Graph az ad and removed RBAC az role Needs Triage labels May 28, 2019
@jonaspetersorensen

Any progress on this?

@yugangw-msft

The related API is missing in the spec. Before it gets fixed, you can use az rest. A bit more detail is needed from this command; otherwise it is just like other ones:

az rest --method post --uri https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/$links/owners?api-version=1.6 --body "{\"url\":\"https://graph.windows.net/<tenantId>/directoryObjects/<owner's object id>\"}"

@yugangw-msft yugangw-msft removed their assignment Jul 29, 2019

Yugangw-msft, I don't suppose you know the az rest command to remove an owner?

@kautsig

kautsig commented Sep 17, 2019

I ran into the same issue of having to add an additional owner to an existing SP.

Unfortunately the API responds with "bad request":
Unsupported resource type 'DirectoryObject' for operation 'Create'.

My first suspicion was a permission problem, but I would expect a proper response then. Any ideas?

@pgroene

pgroene commented Nov 18, 2019

@yugangw-msft

The related API is missing in the spec. Before it gets fixed, you can use az rest. A bit more detail is needed from this command; otherwise it is just like other ones:

az rest --method post --uri https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/$links/owners?api-version=1.6 --body "{\"url\":\"https://graph.windows.net/<tenantId>/directoryObjects/<owner's object id>\"}"

I tried this, but the owners are not added even though the call succeeds.

When is the cli ad sp release scheduled?

@jiasli jiasli self-assigned this Nov 22, 2019
@yonzhan yonzhan added this to the S162 milestone Nov 22, 2019
@dekimsey

Yugangw-msft, I don't suppose you know the az rest command to remove an owner?

@miicahjardine, I've found the following works to delete owners:

az rest --method=delete --uri=https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/$links/owners/<owner object id>?api-version=1.6

@yonzhan

yonzhan commented Dec 15, 2019

Can we close this issue?

@yonzhan yonzhan modified the milestones: S162, S163 Dec 15, 2019
@trvsmtchll

Is this fixed? I tried using "az rest ..." and also got the "Unsupported resource type 'DirectoryObject' for operation 'Create'." error.

@yonzhan yonzhan modified the milestones: S163, S164 Dec 30, 2019
@drdamour

@23min I've always used User, which inherits directoryObjects. Agree the docs are strange; fwiw you linked the beta docs... but even the 1.0 docs example shows using beta for the post target... so weird.

az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/<sp object id>/owners/`$ref --headers Content-Type=application/json -b '{\"@odata.id\": \"https://graph.microsoft.com/beta/users/<user id>\"}'

@jiasli

jiasli commented Sep 22, 2021

Hi folks, as for the behavior of Microsoft Graph API, you may reach out to AAD support by creating a support ticket. A support engineer will gladly help you with it.

@saldroubi

saldroubi commented Oct 28, 2021

I would also like this to be implemented in az cli. Why is this issue closed? One should not have to use the REST API with az. Please reopen! Also, using MS Graph is not an option because would give permission to use it in our environment.
Also, why do all these MS tools require different authentications: PowerShell Az module, PowerShell MS Graph, Az CLI, etc.?

@jiasli

jiasli commented Oct 29, 2021

I will reopen this issue and mark it as feature request.

Also, using MS Graph is not an option because would give permission to use it in our environment.

As AD Graph has been deprecated, using Microsoft Graph is the only option.

Also, why do all these MS tools require different authentications: PowerShell Az module, PowerShell MS Graph, Az CLI, etc.?

Thanks for the feedback. Personally, I also like the idea to share login context between Azure tools (tracked by #16460).

@saldroubi

Is this in the works? It has been requested a long time ago.

@Mykp3

Mykp3 commented Sep 29, 2022

This is such a ... limitation. Why can't an SP be an owner of another application regardless of the initial creator, instead of responding with bad request?
This role is currently rather useless:
Application.ReadWrite.OwnedBy

@saldroubi

I really wish this gets implemented soon. It has been so loooooooong.

@Mykp3

Mykp3 commented Nov 1, 2022

@yugangw-msft when shall we expect advancement in the Application.ReadWrite.OwnedBy API permission, in particular:

the ability to assign an AD application as an owner of an existing AD application, i.e. one not necessarily created by that application?

@notaturkey

bump, wish i could do this

@Mykp3

Mykp3 commented Nov 15, 2022

@saldroubi @notaturkey It is possible to make an application registration the owner of another application registration.

Requirements:

  • PowerShell (the Azure Portal cloud shell will do)
  • Understanding of the Enterprise Application concept
  • Application.ReadWrite.OwnedBy API permission granted to the application which will be the owner of the other app

From the main page of the application registration of the future owner, navigate to the link under the "Managed application in local directory" description; it will redirect you to the enterprise application page. Copy its object ID.
From the main page of the application registration that you want owned by the other app, copy its object ID and paste it below.

Perform the next cmdlet:
Add-AzureADApplicationOwner -ObjectId $app.ObjectId -RefObjectId $spn.owner.ObjectId

It should allow you to manage the app under another app.
If that is not enough, you may also grab the enterprise application of the desired owned application and perform a slightly different (SPN-level) assignment:

Add-AzureADServicePrincipalOwner -ObjectId $spn.ObjectId -RefObjectId $spn.owner.ObjectId

So we are always interested in granting the enterprise app (SPN) of the future owner,
with the target SPN and/or regular application registration object ID that we want to own.

@drdamour

drdamour commented Nov 16, 2022

Yes you certainly can use powershell to add sp’s as owners, but this ticket is about az cli not ps module

@kevinpauli

What the heck, four years later and it's not in there yet?

@ncook-hxgn

bumpy bump bump

@Annesars90

BUMPPPP

@rcomanne

Would be very nice to be able to manage owners of a service principal with the Azure CLI...
Any progress update? Or are we just supposed to use the Graph API directly, and this will not be implemented?

@jiasli jiasli removed the Graph-cli label May 23, 2023
@uracharla1

Hi there, I am currently trying to assign an SPN owner to an enterprise application using Microsoft Graph, but it does not seem to be working. The portal only allows adding users. Is there any solution to fix it?

@sodds-eq

bump

@dalekseevs

bump

@jordan-lee-accessgroup

bump

@hoivikaj

While this is still missing from AZ CLI natively as of today, I wanted to drop in the command that currently works for me via AZ REST. Not sure if the BETA endpoint is still required, but it's what I am currently using.

Azure Service Principal to be owned by Azure Service Principal:

az rest --method POST --uri https://graph.microsoft.com/beta/servicePrincipals/{TARGET SP OBJECT ID}/owners/\$ref --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{OWNER SP OBJECT ID}"}'

I was previously having trouble as I missed the escape of $ for $ref.

@chadcarlton

Please implement this... pretty unbelievable that 4 years later this is not in place.

@DariuszPorowski

+1

@syunwei

syunwei commented Sep 23, 2024

While this is still missing from AZ CLI natively as of today, I wanted to drop in the command that currently works for me via AZ REST. Not sure if the BETA endpoint is still required, but it's what I am currently using.

Azure Service Principal to be owned by Azure Service Principal:

az rest --method POST --uri https://graph.microsoft.com/beta/servicePrincipals/{TARGET SP OBJECT ID}/owners/\$ref --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{OWNER SP OBJECT ID}"}'

I was previously having trouble as I missed the escape of $ for $ref.

Thanks a lot for the command, that is working well.
In the PowerShell console, the character escaping is a bit different 🤮.

az rest --method POST --uri https://graph.microsoft.com/beta/servicePrincipals/{TARGET SP OBJECT ID}/owners/`$ref --body '{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/{OWNER SP OBJECT ID}\"}'

Hope that helps..

@swisman

swisman commented Oct 7, 2024

While this is still missing from AZ CLI natively as of today, I wanted to drop in the command that currently works for me via AZ REST. Not sure if the BETA endpoint is still required, but it's what I am currently using.
Azure Service Principal to be owned by Azure Service Principal:

az rest --method POST --uri https://graph.microsoft.com/beta/servicePrincipals/{TARGET SP OBJECT ID}/owners/\$ref --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{OWNER SP OBJECT ID}"}'

I was previously having trouble as I missed the escape of $ for $ref.

Thanks a lot for the command, that is working well. In the PowerShell console, the character escaping is a bit different 🤮.

az rest --method POST --uri https://graph.microsoft.com/beta/servicePrincipals/{TARGET SP OBJECT ID}/owners/`$ref --body '{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/{OWNER SP OBJECT ID}\"}'

Hope that helps..

Thanks for sharing! Unfortunately, I struggled getting this to run in a foreach loop in a PowerShell script. I'm sharing so that others don't struggle with the syntax issues for the body as I did (and, funnily, MS Copilot was of no use here!).
I finally got it to run (for PSVersion 5.1.22621.4111) using:

    $uri = "https://graph.microsoft.com/beta/servicePrincipals/$spEAObjectId/owners/`$ref"
    $jsonBody = '{{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/{0}\"}}' -f $ownerObjectId
    az rest --method POST --uri $uri --body $jsonBody 

Btw. deleting an owner works similarly:

    $uri = "https://graph.microsoft.com/beta/servicePrincipals/$spEAObjectId/owners/$ownerObjectId/`$ref"
    az rest --method DELETE --uri $uri

Hope that helps.
And yet: this should become part of Azure CLI!

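The az rest workaround that the thread converged on (POST to /owners/$ref with an @odata.id body, DELETE on /owners/{id}/$ref), wrapped as an added bash example that is not from any commenter or from the Azure CLI project: the URI and body builders keep the literal "$ref" out of shell expansion, which is the escaping mistake several comments ran into, and the owner list is read back afterwards so the change can be confirmed. It assumes a logged-in az CLI and that the calling identity is permitted to write service principal owners; the object ids are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread). Assumes `az login` has been done
# with an identity that may modify service principal owners.
set -eu

GRAPH="https://graph.microsoft.com"

# POST target for adding an owner. Single quotes keep "$ref" literal; an
# unquoted $ref would expand to an empty string and change the URI.
sp_owners_ref_uri() {
    printf '%s/beta/servicePrincipals/%s/owners/$ref' "$GRAPH" "$1"
}

# Body referencing the new owner as a generic directoryObject, so the same
# call works whether the owner is a user or another service principal.
owner_ref_body() {
    printf '{"@odata.id": "%s/v1.0/directoryObjects/%s"}' "$GRAPH" "$1"
}

# DELETE target: the owner's object id sits between /owners/ and $ref.
sp_owner_delete_uri() {
    printf '%s/beta/servicePrincipals/%s/owners/%s/$ref' "$GRAPH" "$1" "$2"
}

# add_sp_owner <target-sp-object-id> <owner-object-id>
add_sp_owner() {
    az rest --method POST --uri "$(sp_owners_ref_uri "$1")" \
        --headers 'Content-Type=application/json' \
        --body "$(owner_ref_body "$2")"
}

# remove_sp_owner <target-sp-object-id> <owner-object-id>
remove_sp_owner() {
    az rest --method DELETE --uri "$(sp_owner_delete_uri "$1" "$2")"
}

# Read back the current owner ids; use this to verify the change and to
# review who can control the service principal.
list_sp_owner_ids() {
    az rest --method GET --uri "$GRAPH/v1.0/servicePrincipals/$1/owners" \
        --query 'value[].id' -o tsv
}

# Usage: ./sp-owner.sh <target-sp-object-id> <owner-object-id>
if [ "$#" -eq 2 ]; then
    add_sp_owner "$1" "$2"
    list_sp_owner_ids "$1"
fi
```
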
@JustJordanT

Running into this issue when using Terraform: if you import an existing app reg, you need this to be able to set the SP (Terraform) as owner.
