"az ad sp owner add" would be nice to have. we currently add owners as a manual step after the environment build completes. Is there something similar in the CLI package?
It seems this should have been part of #7578, which says it "Graph: support add/remove/list owners on app, sp, and group". The PR did this for app and group, but appears to have forgotten to include code for sp. Looking at the commits in that PR it only removes a comment under "ad sp owner": "# TODO: Add support for 'add' and 'remove'", but doesn't add code to actually add and remove owners from service principals.
Okay, I will follow up to onboard the support since we have the ask now.
Any progress on this?
The related API is missing in the spec. Before it gets fixed, you can use az rest. A bit more detail is needed from this command; otherwise it is just like other ones:
az rest --method post --uri https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/$links/owners?api-version=1.6 --body "{\"url\":\"https://graph.windows.net/<tenantId>/directoryObjects/<owner's object id>\"}"
Yugangw-msft, I don't suppose you know the az rest command to remove an owner?
I ran into the same issue of having to add an additional owner to an existing SP.
Unfortunately the API responds with "bad request":
Unsupported resource type 'DirectoryObject' for operation 'Create'.
My first suspicion was a permission problem, but I would expect a proper response then. Any ideas?
@yugangw-msft
The related API is missing in the spec. Before it gets fixed, you can use az rest. A bit more detail is needed from this command; otherwise it is just like other ones:
az rest --method post --uri https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/$links/owners?api-version=1.6 --body "{\"url\":\"https://graph.windows.net/<tenantId>/directoryObjects/<owner's object id>\"}"
I tried this, but the owners are not added if the call succeeds.
When is the release of the cli ad sp scheduled?
Yugangw-msft, I don't suppose you know the az rest command to remove an owner?
@miicahjardine, I've found the following works to delete owners:
az rest --method=delete --uri=https://graph.windows.net/<tenantId>/servicePrincipals/<object id of the service principal>/$links/owners/<owner object id>?api-version=1.6
Can we close this issue?
Is this fixed? I tried using "az rest ..." and also got the "Unsupported resource type 'DirectoryObject' for operation 'Create'." error.
for whatever reason i'm getting the Unsupported resource type in powershell...but in cmd.exe it works fine.
pwsh equiv:
az rest --method post --uri https://graph.windows.net/<tenant>/servicePrincipals/<sp id>/$links/owners?api-version=1.6 --body "{\`"url\`":\`"https://graph.windows.net/<tenant>/directoryObjects/<user object id>\`"}"
i think it has something to do with escaping in pwsh, didn't sniff the traffic yet
well crap it's the $link which resolves in powershell to nothing...so escape it and it'll work
az rest --method post --uri https://graph.windows.net/<tenant>/servicePrincipals/<sp id>/`$links/owners?api-version=1.6 --body "{\`"url\`":\`"https://graph.windows.net/<tenant>/directoryObjects/<user object id>\`"}"
or
az rest --method post --uri https://graph.windows.net/<tenant>/servicePrincipals/<sp id>/`$links/owners?api-version=1.6 --body '{\"url\":\"https://graph.windows.net/<tenant>/directoryObjects/<user object id>\"}'
@trvsmtchll, could you share the command with sensitive information removed? Also what is the environment?
I cannot reset something that I am not an owner of.
So I really need the possibility to add owners to SPN.
Please fix the incomplete CLI.
Looking for any updates on how to add a service principal completely with CLI without going to the GUI/Portal at all please.
I cannot reset something that I am not an owner of.
Made worse by the fact that owners must be User objects, so I cannot even set my team's security group here. I have to enumerate and add every individual member.
As AAD is deprecating AD Graph API, for now you may use az rest to call MS Graph API.
MS Graph API: application: Add owner
# bash
appId=93dde3da-9fca-47dd-aee2-409b402ffed3
appObjectId=$(az ad app show --id $appId --query objectId -o tsv)
# Get the object Id for the current user
ownerObjectId=$(az ad signed-in-user show --query objectId -o tsv)
# This applies to both user and service principal as owners
az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/$ownerObjectId\"}"
# To add a user as an owner
az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/users/$ownerObjectId\"}"
# To add a service principal as an owner
az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/servicePrincipals/$ownerObjectId\"}"
Also see https://github.com/microsoftgraph/microsoft-graph-docs/issues/1645, https://blogs.aaddevsup.xyz/2018/11/how-to-add-an-owner-to-an-azure-ad-application/
MS Graph API: servicePrincipal: Add owner
Note that the doc for request body is not accurate at the moment (https://github.com/microsoftgraph/microsoft-graph-docs/issues/4127).
# bash
appId=93dde3da-9fca-47dd-aee2-409b402ffed3
spObjectId=$(az ad sp show --id $appId --query objectId --output tsv)
# Get the object Id for the current user
ownerObjectId=$(az ad signed-in-user show --query objectId -o tsv)
# This applies to both user and service principal as owners
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/$ownerObjectId\"}"
# To add a user as an owner
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/users/$ownerObjectId\"}"
# To add a service principal as an owner
az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/servicePrincipals/$ownerObjectId\"}"
@dekimsey, MS Graph currently doesn't support group as owner.
$ az rest -m POST -u https://graph.microsoft.com/beta/applications/$appObjectId/owners/\$ref --headers Content-Type=application/json -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/5a197067-7d4e-4862-a692-cb5933646da1\"}"
Bad Request({
"error": {
"code": "Request_BadRequest",
"message": "The reference target 'Group_5a197067-7d4e-4862-a692-cb5933646da1' of type 'Group' is invalid for the 'owners' reference.",
"innerError": {
"request-id": "daf41148-02ab-426a-9dc0-fe07060fe87f",
"date": "2020-03-25T03:21:30"
}
}
I will mark this as service attention. You may vote on these feedback pages:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37337278-add-group-as-owner-on-azure-ad-application-and-ser
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6688284-ad-groups-in-application-owners
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39240190-app-registration-owners-should-allow-for-groups
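The MS Graph commands above, folded into one idempotent script as an added example (not azure-cli project code): it resolves the owner's object type first, since Graph rejects groups with the Request_BadRequest shown above, posts the owner reference only if it is missing, and reads the owner list back instead of trusting the status code. It assumes an authenticated az session with the permissions the thread names; GRAPH and the function names are this example's own choices.

```shell
# Added example, not azure-cli project code. Assumes an authenticated `az`
# session; GRAPH and the function names are this example's own choices.
GRAPH=${GRAPH:-https://graph.microsoft.com/beta}

# Graph accepts only users and service principals as owners; a group is
# rejected with Request_BadRequest, so refuse it before sending anything.
owner_type_supported() {
  case "$1" in
    '#microsoft.graph.user'|'#microsoft.graph.servicePrincipal') return 0 ;;
    *) return 1 ;;
  esac
}

# JSON body for the $ref POST; directoryObjects covers both owner kinds.
owner_ref_body() {
  printf '{"@odata.id": "%s/directoryObjects/%s"}' "$GRAPH" "$1"
}

# @odata.type of any directory object, e.g. "#microsoft.graph.user".
directory_object_type() {
  az rest -m GET -u "$GRAPH/directoryObjects/$1" --query '"@odata.type"' -o tsv
}

# Object ids of the current owners of a service principal, one per line.
list_sp_owner_ids() {
  az rest -m GET -u "$GRAPH/servicePrincipals/$1/owners" --query 'value[].id' -o tsv
}

# ensure_sp_owner <sp object id> <owner object id>: add if missing, then verify.
ensure_sp_owner() {
  sp=$1; owner=$2
  otype=$(directory_object_type "$owner") || return 1
  if ! owner_type_supported "$otype"; then
    echo "refusing: $owner is $otype; only users and service principals can own an SP" >&2
    return 1
  fi
  if list_sp_owner_ids "$sp" | grep -qx "$owner"; then
    echo "$owner is already an owner of $sp"
    return 0
  fi
  # \$ref must stay escaped: an unescaped $ref expands to nothing in bash and pwsh.
  az rest -m POST -u "$GRAPH/servicePrincipals/$sp/owners/\$ref" \
    --headers Content-Type=application/json -b "$(owner_ref_body "$owner")" || return 1
  # Read back rather than trust the status: the old AD Graph endpoint returned success without adding.
  list_sp_owner_ids "$sp" | grep -qx "$owner" && echo "added $owner as owner of $sp"
}

# Usage (hypothetical ids):
# ensure_sp_owner "$(az ad sp show --id <appId> --query objectId -o tsv)" \
#                 "$(az ad signed-in-user show --query objectId -o tsv)"
```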
@yonzhan why did this get closed? regardless of the adding groups, it would still be good to add users without having to use az rest
@drdamour Is it a requirement for CLI or AAD team?
cli
I will discuss with @jiasli about this and keep this issue reopen.
This will be implemented after we migrate to MS Graph. Moving to backlog as a feature request. We will track MS Graph issues at https://github.com/Azure/azure-cli/issues/12946
seems like the graph.windows.net solution no longer functions at all, and the MS Graph suggestion requires a TON of permissions that no sane admin would grant...
i stand corrected, the application one is pretty sane: ReadWrite.OwnedBy. i thought it required write.all
Hi @drdamour, thanks for the supplemental information. Yes, for both application: Add owner and servicePrincipal: Add owner APIs, all you need is Application.ReadWrite.OwnedBy and Directory.Read.All, as given in the document itself:
|Permission type | Permissions (from least to most privileged) |
|:--------------------|:---------------------------------------------------------|
|Delegated (work or school account) | Application.ReadWrite.All and Directory.Read.All, Directory.AccessAsUser.All |
|Delegated (personal Microsoft account) | Not supported. |
|Application | Application.ReadWrite.OwnedBy and Directory.Read.All, Application.ReadWrite.All and Directory.Read.All |