I recently got the question of how to assign Azure AD roles to Azure AD users and to app registrations (service principals, SPNs) using the Microsoft Graph API (graph.microsoft.com, not the retired Azure AD Graph at graph.windows.net) from Python, with the az cli and its az rest command.
Here’s an example Python script to assign the Global Administrator role to a user through the Microsoft Graph roleManagement (unified role assignments) endpoint (replace ‘valid-user-principal-object-id’ with the objectId of the user object). The script shells out to az rest, so run az login first with an account that is itself allowed to assign directory roles (Global Administrator or Privileged Role Administrator); az rest acquires the Microsoft Graph token for you. The script uses the beta endpoint as originally posted; the same POST exists on v1.0:
import json
import re
import shutil
import subprocess

ansi_escape = re.compile(r'\x1B\[[0-?]*[ -/]*[@-~]')  # strips colour codes from az output

def callTheAPI():
    URI = "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments"
    USER_PRINCIPAL_OBJECT_ID = "valid-user-principal-object-id"
    DIRECTORY_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id
    BODY = {
        'principalId': USER_PRINCIPAL_OBJECT_ID,
        'roleDefinitionId': DIRECTORY_ROLE_TEMPLATE_ID,
        'directoryScopeId': "/",  # tenant-wide scope
    }
    # Pass the arguments as a list instead of a shell string: json.dumps() gives az rest
    # real JSON (str(BODY) would be a single-quoted Python dict repr), nothing needs shell
    # quoting, and the shell cannot expand or mangle any character in the URI or body.
    assignGlobalAdminCommand = [
        shutil.which("az") or "az", "rest",  # which() also resolves az.cmd on Windows
        "--method", "POST",
        "--uri", URI,
        "--headers", "Content-Type=application/json",
        "--body", json.dumps(BODY),
    ]
    proc = subprocess.Popen(assignGlobalAdminCommand, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    for line in proc.stdout:
        print(ansi_escape.sub('', line.decode('utf-8').rstrip('\r\n')))
    proc.wait()
    if proc.returncode != 0:
        raise SystemExit(f"az rest failed with exit code {proc.returncode}")

callTheAPI()
A copy of the Python code can be found on my Github page over here: AADRoleAssignment_User.py
Here’s an example Python script to assign the Global Administrator role to an App Registration (Service Principal (SPN)) (replace ‘valid-service-principal-object-id’ with the objectId of the service principal).
It’s the object id of the service principal you need, not the object id of the application (app registration) object, and not the Application (client) ID either. You can find the service principal under Enterprise Applications in the Azure portal’s Azure AD blade; in its Properties you’ll find the object id. This script uses the older directoryRoles members endpoint, which addresses the role by its template id and only works for roles that are already activated in the tenant (Global Administrator always is). The roleManagement endpoint from the user script above also accepts a service principal objectId as principalId, so either route works:
import json
import re
import shutil
import subprocess

ansi_escape = re.compile(r'\x1B\[[0-?]*[ -/]*[@-~]')  # strips colour codes from az output

def callTheAPI():
    SERVICE_PRINCIPAL_OBJECT_ID = "valid-service-principal-object-id"  # Enterprise Applications > Properties > Object ID
    DIRECTORY_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # Global Admin Role Template Id
    # Address the activated directory role by its template id and add a member via $ref
    URI = 'https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=' + DIRECTORY_ROLE_TEMPLATE_ID + '/members/$ref'
    BODY = {
        '@odata.id': 'https://graph.microsoft.com/v1.0/directoryObjects/' + SERVICE_PRINCIPAL_OBJECT_ID
    }
    # Argument list, no shell: a POSIX shell would expand "$ref" in the URI to an empty
    # string (silently hitting the wrong endpoint), and json.dumps() gives az rest real
    # JSON rather than a single-quoted Python dict repr.
    assignGlobalAdminCommand = [
        shutil.which("az") or "az", "rest",  # which() also resolves az.cmd on Windows
        "--method", "POST",
        "--uri", URI,
        "--headers", "Content-Type=application/json",
        "--body", json.dumps(BODY),
    ]
    proc = subprocess.Popen(assignGlobalAdminCommand, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    for line in proc.stdout:  # a successful $ref POST returns 204 with no body, so this may print nothing
        print(ansi_escape.sub('', line.decode('utf-8').rstrip('\r\n')))
    proc.wait()
    if proc.returncode != 0:
        raise SystemExit(f"az rest failed with exit code {proc.returncode}")

callTheAPI()
A copy of the Python code can be found on my Github page over here: AADRoleAssignment_App.py
About the Author
As a Microsoft enthusiast I love their products and the vision they stand for.
Reference
Van de vyver, P., 2023, Assigning Azure Active Directory Roles for users and service principals using Python, az rest and Graph API, blog.philipvandevyver.com, Available at: https://blog.philipvandevyver.com/2023/04/24/assign-aad-roles-using-python-copy/ [Accessed on 5 July 2023]