How to Reference an Azure AD User by UPN #645
Comments
Azure AD objects are not represented in ARM today, so there is no way to do this in Bicep or ARM templates directly. So the goal is to input the principal name and return the entire AD object? Basically mimicking what this CLI command does?
az ad user show --id principal@domain.com
The use case is, e.g., to look up the user or group oid from Azure AD:
az ad user show --id principal@domain.com --query objectId
Sorry for not following this one, but I am still a bit confused. What is the definition of I was thinking you could have something like this:
You are right with your example, I was not clear enough, sorry. Another use case would be a group lookup.
np! thanks for confirming. I think we agree this should be done, just a matter of getting it scheduled.
@alex-frankel Thanks, can we use this issue for both, UPN and group lookup?
Matter of getting scheduled? I have been asking for this for more than two years and it was never scheduled :P
@floariankoch - yes, it should work for both when it gets implemented. @slavizh better late than never :)
haha. Actually it is not the first time I request something from the Azure team and after two years it is either done or started :)
Sorry for making noise, I'm having the exact same issue and use case now.
Very interested in this as well. Another use case is configuring vulnerability baselines for Azure SQL Database. If I have to make users connect to the database through managed identity, I'd like to be able to just pass the name of the user instead of also manually having to search for the object Id and convert it to hexadecimal characters :)
That said, a hex() function would also be greatly appreciated!
I was trying to use the logged-in user's objectId. OP's suggestion is more robust, but is it currently possible to get the objectId of the user who is running the command? It is similar to subscription().tenantId and resourceGroup().location. It could be in environment() or just a new function like loggedInUser().objectId
The ARM deployment runs service side, not client side, so it technically would be the principal who created the deployment (which would be the same as the user logged into the client). Either way, there is not a way to do this today. @JanneHarju, do you mind creating an issue for this?
No update here unfortunately.
Is there any update on this?
@alex-frankel I didn't create an issue for my suggestion. Actually, currently I don't need it anymore. In my solution it was bad design whatsoever to use the user's principalId. And in my scenario I was adding permissions to Key Vault in the old way. Now there is a new way with RBAC which I can use in other situations. Although not with a user principal. Usually with other Azure resources' principals.
No updates - I will create a separate issue for getting the current principal's ID. Relevant internal issue is tracked here:
Also would be curious to see how MS Graph extensibility alters the need for this. Tagging #7724
A slow but effective workaround is to make a deploymentScript module that looks up the user and has their ID as an output; you can then use that output in your references. https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template Another similar workaround: I specify my Bicep parameter files as .psd1 files because they're much easier to read, and at deploy time I import the parameter file and pass it to the
Yeah, workarounds are well known, but with them come too many problems you have to take care of.
I searched a long time thinking 'surely this must exist'... One of my use cases is that I want to assign roles to the app registrations of DevOps Service Connections to a Bicep Private Registry used for deployment. It doesn't have to be a function (
Hello @obiwanjacobi, I think you can do it through DevOps using Azure CLI, like you are using it with Bicep, but not using Bicep at all. I found this blog by searching "azure devops app registration to azure ad": https://blog.hompus.nl/2020/11/11/manage-azure-ad-applications-from-an-azure-devops-pipeline/ I haven't tried it myself but it seems quite simple.
Facing the same issue, as Microsoft Sentinel requires you to give an MS SPN RBAC role access to execute Automation Rules. I do not want to run an external tool (e.g. a PowerShell deployment step script to get the ID), as I want the flow all to be embedded in a single flow for a potential whatIf use case scenario. I would expect this to work to get the ID but, yeah, as @obiwanjacobi mentioned, here I am 😢
resource azSecurityInsightsAccount 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: 'Azure Security Insights'
}
For now I suppose I will have to grab the principalId manually and embed it in variables of the ADO pipeline and just find and replace before the flow runs.
@Kaloszer do you need to get the principalId from a user-assigned managed identity in order to perform a role assignment with it? This is possible today. Or are you using an AAD App registration/Service Principal? Edit: I see you mention the Sentinel App. Looking forward to the AAD/Graph extensibility for this. In the meantime, at least these are static, so you can maintain the lookup to the objectId, then load with loadJsonContent() and check this in with your project.
Hmm, I might've overlooked it - I was under the impression the ID was unique per tenant, is it not? Edit: ah I see, you have a config file with the ID there, yeah that's my solution to it as well, more or less. "hardcoded" in
@Kaloszer yes, in my param file I use the Name. Then I do the lookup from the name to the ID from that file in the module. That way the param files are portable and user friendly on the SP name, so users don't have to deal with GUIDs. There is a central place to maintain the lookup file. I believe the Graph extensibility provider will solve this specific problem for these Application ID lookups. Looking forward to testing to see if this part will be in scope of its capability soon.
I'm also interested in this feature. Please make it possible
@eketo-msft assigned this one to you as it is effectively a dup of microsoftgraph/msgraph-bicep-types#135. They can be closed at the same time. |
This is working as of Bicep v0.33!
extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.9-preview' as graph
resource user 'Microsoft.Graph/users@v1.0' existing = {
  userPrincipalName: 'person@contoso.com'
}
output id string = user.id
@alex-frankel Does this work for group names too, or only for user UPNs?
@SvenAelterman nothing has changed in groups, they are referenced by uniqueName.
@slavizh Thanks! I must have missed something. If we're trying to assign a role to an identity but the deployer should have the flexibility for it to be a group or a user, does that mean we couldn't retrieve the object ID using Bicep and we'd need to still have the object ID as a parameter?
@SvenAelterman if you have an existing group not deployed by Bicep you need to set up uniqueName for that group. This is all in the public docs. uniqueName is a concept for most resources in Graph currently supported by Bicep that allows you to have friendly names for your objects, as most of them have GUIDs that are not friendly. I would suggest checking the public documentation as it is explained way better there.
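As an added example (not code from this thread or from the Bicep project), the user-by-UPN lookup and the group-by-uniqueName lookup from the two comments above carried through to the original ask, a Key Vault permission: both object ids are resolved through the Graph extension and fed to RBAC role assignments on the vault, so the parameter file carries only friendly names. The extension version is the one quoted above; the UPN, group uniqueName and vault name are assumed placeholders.

```bicep
// Added example, not from the thread: resolve a user by UPN and a group by
// uniqueName through the Microsoft Graph Bicep extension, then grant both the
// same Key Vault RBAC role. Assumes Bicep v0.33+ with the Graph extension.
extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.9-preview' as graph

param userUpn string = 'person@contoso.com'   // placeholder UPN
param groupUniqueName string = 'kv-readers'   // placeholder; uniqueName must already be set on the group
param keyVaultName string                     // existing vault in this resource group

// Built-in "Key Vault Secrets User" role definition id
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// Directory objects are looked up by friendly name; no GUIDs in parameter files
resource user 'Microsoft.Graph/users@v1.0' existing = {
  userPrincipalName: userUpn
}

resource kvGroup 'Microsoft.Graph/groups@v1.0' existing = {
  uniqueName: groupUniqueName
}

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// Deterministic guid() names keep the assignments idempotent across redeploys
resource userAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, user.id, secretsUserRoleId)
  scope: keyVault
  properties: {
    principalId: user.id
    principalType: 'User'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
  }
}

resource groupAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, kvGroup.id, secretsUserRoleId)
  scope: keyVault
  properties: {
    principalId: kvGroup.id
    principalType: 'Group'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
  }
}

output userObjectId string = user.id
output groupObjectId string = kvGroup.id
```

Use what-if on this template to confirm the resolved ids before deploying, since the whole flow stays inside Bicep with no external lookup step.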
Hi,
is there a way to reference an Azure AD user by UPN as object ID?
For example in KeyVault access Policies
Regards