Use a logic app to give another user RBAC permission via the REST API.

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Background:

In the Azure portal, we usually assign access control manually on resources such as a storage account, a virtual machine or a Log Analytics workspace. In some scenarios, however, a user wants to create a container in a storage account and then grant RBAC on it to another user automatically from a logic app. This article describes a design that uses a logic app to give another user RBAC permission via the REST API.

 

Design:

Step 1: Find the role definition ID of the target RBAC role

We can use the PowerShell console in the Azure portal to get the role definition ID:

  1. Open PowerShell in the Azure portal.

  2. Enter 'az' to connect to the Azure CLI; this step may take about a minute.


  3. Enter the command: 'Get-AzRoleDefinition | select-object name, id'

  For example:

  Storage Blob Data Contributor    ba92f5b4-2d11-453d-a403-e96b0029c9fe

 

Step 2: Create a service principal/app registration that is authorized to assign the RBAC role.

  1. Go to Microsoft Entra ID -> App registrations -> New registration (skip this if you already have an app registration that can be used to assign roles).


2. In the new registration, create a client secret under 'Certificates & secrets' (if you already have one and remember the value, you can skip this). Copy the value, as it is shown only once, when the secret is created.


3. Go to the subscription and give this app registration the authorization.

Open 'Subscriptions' -> open the subscription that holds your resource -> Access control (IAM)


4. Under 'Privileged administrator roles', select 'RBAC Administrator'.


Click Select, then assign the role.

 

5. Go to the Azure resource's page. For example, if you want to assign RBAC on a storage account, go to your storage account, open Access control (IAM) and repeat steps 3-4.


6. Get the scope of the storage account container. The quickest way is to open the container, click Access control (IAM), click Add role assignment, and copy the scope.


That completes the preparation. Next, create a logic app workflow.

 

Step 3: Logic app design:

  1. Create a trigger as you need.
  2. Get the object ID/principal ID of the user who is to be assigned the role: Office 365 - Get user profile:


  3. Following the documentation, fill in the scope and the role definition ID from the previous steps. The role assignment ID can be created with the 'guid()' expression.

Reference: Assign Azure roles using the REST API - Azure RBAC | Microsoft Learn

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}?api-version=2022-04-01

Body part:

{
  "properties": {
    "roleDefinitionId": "/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}",
    "principalId": "{principalId}"
  }
}

 

4. Create an 'HTTP' action: use the PUT method and fill in the URL and body.


5. Click 'Add new parameter' -> Authentication -> choose 'Active Directory OAuth'.

Go to the app registration and copy the tenant ID, the client ID and the secret value (the value you copied when the client secret was created).


Save the logic app; now you can run it and test.
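As an added example, not code from the original post, the following Python builds the same PUT request that the HTTP action in Step 3 sends, so the URL and body can be checked before they are pasted into the logic app. It also checks that the container scope from Step 2 lies within the scope at which the app registration was given RBAC Administrator, since that identity can only create assignments inside that scope. The subscription, scope and user object IDs are constructed placeholders and the function names are mine; the Storage Blob Data Contributor ID is the one shown in Step 1.

```python
"""Build and sanity-check the role-assignment PUT request that the logic
app's HTTP action sends (Step 3, items 3-4).  Added example, not code from
the original post; function names and sample IDs are constructed."""
import json
import re
import uuid
from urllib.request import Request

ARM_BASE = "https://management.azure.com"
API_VERSION = "2022-04-01"  # api-version from the PUT URL in the post
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample values (placeholders, not real resources).
SAMPLE_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-demo/providers/Microsoft.Storage"
                "/storageAccounts/stdemo/blobServices/default/containers/uploads")
STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"  # from Step 1


def normalize_scope(scope):
    """ARM scopes are resource IDs; accept them with or without a leading slash."""
    scope = "/" + scope.strip("/")
    if not scope.lower().startswith("/subscriptions/"):
        raise ValueError("scope must be an ARM resource id under /subscriptions/")
    return scope


def is_within_granted_scope(target_scope, granted_scope):
    """True if target_scope equals, or is nested under, granted_scope.

    The app registration can only create assignments inside the scope where it
    was given RBAC Administrator in Step 2, so check this before calling ARM.
    The comparison is case-insensitive because ARM resource IDs are."""
    target = normalize_scope(target_scope).lower()
    granted = normalize_scope(granted_scope).lower()
    return target == granted or target.startswith(granted + "/")


def build_role_assignment_request(scope, role_definition_id, principal_id,
                                  role_assignment_id=None):
    """Return (method, url, body) mirroring the PUT shown in the post.

    role_definition_id: GUID from Get-AzRoleDefinition (Step 1)
    principal_id:       object ID of the user from 'Get user profile' (Step 3)
    role_assignment_id: fresh GUID; the logic app uses the guid() expression
    """
    scope = normalize_scope(scope)
    for name, value in (("role_definition_id", role_definition_id),
                        ("principal_id", principal_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{name} must be a GUID, got {value!r}")
    assignment_id = role_assignment_id or str(uuid.uuid4())
    if not GUID_RE.match(assignment_id):
        raise ValueError("role_assignment_id must be a GUID")
    url = (f"{ARM_BASE}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_id}?api-version={API_VERSION}")
    body = {
        "properties": {
            # Same shape as the body in the post: the role definition is
            # addressed under the assignment's own scope.
            "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization"
                                f"/roleDefinitions/{role_definition_id}",
            "principalId": principal_id,
        }
    }
    return "PUT", url, body


def to_http_request(method, url, body, bearer_token):
    """Wrap the pieces in a urllib Request.  The bearer token is what the HTTP
    action's Active Directory OAuth setting obtains with the Step 2 client secret."""
    req = Request(url, data=json.dumps(body).encode(), method=method)
    req.add_header("Authorization", f"Bearer {bearer_token}")
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    granted = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
    if not is_within_granted_scope(SAMPLE_SCOPE, granted):
        raise SystemExit("target scope is outside the app registration's grant")
    method, url, body = build_role_assignment_request(
        SAMPLE_SCOPE, STORAGE_BLOB_DATA_CONTRIBUTOR,
        "11111111-1111-1111-1111-111111111111")  # constructed user object id
    print(method, url)
    print(json.dumps(body, indent=2))
```

Running the file prints the request for the sample values. The scope check in is_within_granted_scope() is worth keeping close to the caller because the RBAC Administrator grant in Step 2 is the most privileged part of this design; granting it on the storage account (step 5) rather than on the whole subscription limits what the logic app's identity can assign, and the check makes a failed assignment show up as a clear error instead of a 403 from ARM.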
