Azure / deployment-stacks

Contains Deployment Stacks CLI scripts and releases

Allow service principals to be excluded from deny assignments

ramondegoede opened this issue

Is your feature request related to a problem? Please describe.
We are looking into implementing Deployment stacks for our provisioning for application teams, as part of the resources we provision for them. We are looking into implementing controlling measures to protect our resources, by setting a DenySettingsMode of DenyWriteAndDelete.

This would all be done by code in our pipelines, which would mean using a service principal for deploying this stack. To modify resources after the initial deployment, this would mean that we need to exclude this service principal to allow changes to be made to the resources. But when we create a deny assignment for the service principal we get the following message:

Deny assignment doesn't not support object type Application. ObjectId $object id of application, TenantId $Tenant Id. (Code: InvalidCreateDenyAssignmentRequest)

Describe the solution you'd like
Allow the principal type of application to be used for the DenySettingsExcludedPrincipal parameter, or allow principals who have permissions to the stack to also edit the resources which are managed by the deployment stack.

Describe alternatives you've considered
As far as I know, there is no alternative ready for service principals and the DenySettingsExcludedPrincipal parameter.

Additional context
In Azure blueprints there seems to be an option available to set the type of principal to be excluded. See documentation: https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments#deny-assignment-properties
Having a similar implementation would solve this problem.

@ramondegoede Can you please share the correlation ID and approximate time of the repro so we can investigate the error in more detail?

@ramondegoede It sounds like you specified the application ID rather than the object ID of the service principal. If you know the application ID, you can obtain the service principal object ID using this PS command:

(Get-AzADServicePrincipal -ApplicationId $appId).Id

@majastrz, thanks for the suggestion, this fixed it. I had used the Get-AzADApplication PS command to get the IDs, which are the ones from the app registration page. Switching to the Get-AzADApplication fixed it.
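The resolution in this thread, as an added PowerShell example (not code from the thread or from the Deployment Stacks project): resolve the service principal's object ID from the application ID, refuse to continue if the ID still points at the application object, and only then create the stack with DenyWriteAndDelete and that object ID excluded. Cmdlet and parameter names not quoted in the issue (New-AzResourceGroupDeploymentStack, Get-AzADApplication, -ActionOnUnmanage) are taken from the Az.Resources module and should be checked against the installed version.

```powershell
# Added example (not from the thread): resolve a service principal's *object* ID from
# its application (client) ID before using it as a deny-assignment exclusion.
# Cmdlet/parameter names beyond those quoted in the issue are assumed from the
# Az.Resources module; verify them against the installed version.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $StackName,
    [Parameter(Mandatory)] [string] $TemplateFile,
    # Application (client) ID of the pipeline's service principal, as shown on the
    # App registrations blade. This is NOT the value the deny assignment wants.
    [Parameter(Mandatory)] [string] $PipelineAppId
)

# Deny assignments reject principals of object type Application
# (InvalidCreateDenyAssignmentRequest, as in the issue). They need the object ID
# of the service principal (enterprise application), which is a different GUID.
$sp = Get-AzADServicePrincipal -ApplicationId $PipelineAppId
if (-not $sp) {
    throw "No service principal found for application ID '$PipelineAppId'. " +
          "Check the tenant context or create the enterprise application first."
}
$excludedObjectId = $sp.Id

# Fail closed if the resolved ID is actually the app registration's object ID:
# that is the value Get-AzADApplication returns and the one that was rejected.
$app = Get-AzADApplication -ApplicationId $PipelineAppId
if ($app -and $app.Id -eq $excludedObjectId) {
    throw "Resolved ID is the application object ID, not the service principal object ID."
}

Write-Host "Excluding service principal object ID $excludedObjectId from the deny assignment"

# Create the stack: everyone is denied write/delete on the managed resources except
# the pipeline identity, which can still update them through later stack deployments.
New-AzResourceGroupDeploymentStack `
    -Name $StackName `
    -ResourceGroupName $ResourceGroupName `
    -TemplateFile $TemplateFile `
    -DenySettingsMode 'DenyWriteAndDelete' `
    -DenySettingsExcludedPrincipal @($excludedObjectId) `
    -ActionOnUnmanage 'DetachAll'  # assumed parameter; older module versions use -DeleteAll / -DeleteResources switches instead
```

Keep the excluded list to the single pipeline identity; every object ID added here bypasses the deny assignment for all resources in the stack.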