Create a new Azure Active Directory global administrator user to sign in to your Azure Red Hat OpenShift cluster.
Should the user for ARO be a global administrator?
The Global administrator role seems like too strong an authority for ARO, even if the user is a cluster-admin user in Azure Red Hat OpenShift.
The user for ARO doesn't need to be a global admin, but the application registration needs to be approved by a global admin because the directory.read.all permission on the Graph API is used, and that is the only role that can approve its use that I've found.
There are two ways to accomplish this without needing to make a new global admin user just for ARO:
1) Have a global admin from your AAD tenant open your application registration for ARO in the Azure Portal's Active Directory section and "approve" the permission
or
2) Have a global admin from your AAD tenant be the first person to log into your ARO cluster and click the "approve permission" option that is presented.
Thanks @vincepower
@kanekoh Hope that helped answer your question. We will now close this issue. If there are further questions regarding this matter, please tag me in a comment. I will reopen it and we will gladly continue the discussion.
Hi, @vincepower, @Karishma-Tiwari-MSFT
It was very helpful, and thanks for the detail.