Azure-rest-api-specs: AAD: DiagnosticSettings API does not support bearer auth using a service principal

Created on 8 Oct 2020  路  4Comments  路  Source: Azure/azure-rest-api-specs

Attempting to create an AAD Diagnostic Setting using the aad/mgmt/2017-04-01/aad package, and it appears the API does not support authenticating as a service principal. I have assigned the Global Admin directory role, and created a custom IAM role containing the documented permissions, but receive the following error.

Request

PUT /providers/microsoft.aadiam/diagnosticSettings/testDiagSetting?api-version=2017-04-01

{
    "properties": {
        "storageAccountId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myTestRg/providers/Microsoft.Storage/storageAccounts/mytestsa",
        "logs": [{
            "category": "AuditLogs",
            "enabled": true,
            "retentionPolicy": {
                "enabled": true,
                "days": 2
            }
        }, {
            "category": "SignInLogs",
            "enabled": true,
            "retentionPolicy": {
                "enabled": true,
                "days": 3
            }
        }]
    }
}

Response

:status: 403
cache-control: no-cache
pragma: no-cache
content-type: application/json; charset=utf-8
expires: -1
x-ms-failure-cause: gateway
x-ms-request-id: 1c7be412-20e5-4799-938a-cb6cd9095ffb
x-ms-correlation-request-id: 7e4db2a3-36b9-182b-af82-3796225f9644
x-ms-routing-request-id: UKWEST:20201008T091959Z:1c7be412-20e5-4799-938a-cb6cd9095ffb
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
date: Thu, 08 Oct 2020 09:19:58 GMT
content-length: 402
{
    "error": {
        "code": "AuthorizationFailed",
        "message": "The client '11111111-1111-1111-1111-111111111111' with object id '11111111-1111-1111-1111-111111111111' does not have authorization to perform action 'microsoft.aadiam/diagnosticSettings/write' over scope '/providers/microsoft.aadiam/diagnosticSettings/testDiagSetting' or the scope is invalid. If access was recently granted, please refresh your credentials."
    }
}

This despite waiting an appropriate length of time for the role permission to take effect, and ensuring the a new access token is issued.

I came across a blog post documenting the same observation: https://cloud-right.com/2018/12/azure-ad-api-logs-flaws

AAD Service Attention question

Most helpful comment

Do we have any updates on this?
Any way we can access this api with service principal or is there any other api to check for diagnostic settings for Azure AD?

All 4 comments

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @adamedx.

Do we have any updates on this?
Any way we can access this api with service principal or is there any other api to check for diagnostic settings for Azure AD?

Can we please have an update for this issue? Our end to end automation pipelines for multiple customers need this to work.

Was this page helpful?
0 / 5 - 0 ratings