Mandatory Identity with Application.ReadWrite.OwnedBy (#2008)
* TF_VAR_application_admin_client_id

* Application.ReadWrite.OwnedBy defaultUser
ross-p-smith authored Jun 9, 2022
1 parent 559d061 commit 0385e91
Showing 2 changed files with 22 additions and 13 deletions.
14 changes: 10 additions & 4 deletions scripts/aad/create_application_administrator.sh
Expand Up @@ -19,6 +19,7 @@ Options:
-n,--name Required. The prefix for the app (registration) names e.g., "TRE".
-a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set.
Requires directory admin privileges to the Azure AD in question.
-p,--application-permission The API Permission that this identity will be granted.
USAGE
exit 1
Expand All @@ -37,6 +38,7 @@ declare currentUserId=""
declare spId=""
declare msGraphUri="https://graph.microsoft.com/v1.0"
declare appName=""
declare applicationPermission="Application.ReadWrite.OwnedBy"

# Initialize parameters specified from command line
while [[ $# -gt 0 ]]; do
Expand All @@ -49,6 +51,10 @@ while [[ $# -gt 0 ]]; do
grantAdminConsent=1
shift 1
;;
-p|--application-permission)
applicationPermission=$2
shift 2
;;
*)
echo "Invalid option: $1."
show_usage
Expand Down Expand Up @@ -97,9 +103,9 @@ fi
# Get the Required Resource Scope/Role
msGraphAppId="00000003-0000-0000-c000-000000000000"
msGraphObjectId=$(az ad sp show --id ${msGraphAppId} --query "objectId" --output tsv)
applicationReadWriteAllId=$(az ad sp show --id ${msGraphAppId} --query "appRoles[?value=='Application.ReadWrite.All'].id" --output tsv)

roleApplicationReadWriteAll="$(get_msgraph_role 'Application.ReadWrite.All' )"
applicationPermissionId=$(az ad sp show --id ${msGraphAppId} --query "appRoles[?value=='${applicationPermission}'].id" --output tsv)
roleApplicationPermission=$(get_msgraph_role "${applicationPermission}")

appDefinition=$(jq -c . << JSON
{
Expand All @@ -109,7 +115,7 @@ appDefinition=$(jq -c . << JSON
{
"resourceAppId": "${msGraphAppId}",
"resourceAccess": [
${roleApplicationReadWriteAll}
${roleApplicationPermission}
]
}]
}
Expand Down Expand Up @@ -175,7 +181,7 @@ az ad app permission grant --id "${appId}" --api "${msGraphAppId}"
if [[ $grantAdminConsent -eq 1 ]]; then
echo "Granting admin consent for '${appName} app (service principal ID ${spId}) - NOTE: Directory admin privileges required for this step"
wait_for_new_service_principal "${spId}"
grant_admin_consent "${spId}" "$msGraphObjectId" "${applicationReadWriteAllId}"
grant_admin_consent "${spId}" "$msGraphObjectId" "${applicationPermissionId}"
fi

cat << ENV_VARS
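Review bot: The `--application-permission` value is interpolated unvalidated into the JMESPath query on the new `applicationPermissionId=` line and passed to `get_msgraph_role`, and nothing in the visible hunks checks that the lookup actually found a role; a typo, or a permission name that Microsoft Graph does not expose as an appRole, leaves `applicationPermissionId` empty and the script goes on to build the app manifest and call `grant_admin_consent` with an empty role id. Add a guard right after the lookup, `[[ -n "${applicationPermissionId}" ]] || { echo "Unknown Microsoft Graph application permission: ${applicationPermission}" >&2; exit 1; }`, so a bad name fails before any app registration or consent is touched. The `-p|--application-permission` arm in the argument loop likewise assigns `$2` without checking it is present; `[[ -n "${2:-}" ]] || show_usage` before the assignment would report a missing argument instead of silently replacing the default with an empty string. Quoting the id in the new query, `--id "${msGraphAppId}"`, would match the quoting used on the other new lines. The argument-parsing loop and the admin-consent block both continue outside the hunks shown.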
21 changes: 12 additions & 9 deletions scripts/create_aad_assets.sh
Expand Up @@ -17,17 +17,20 @@ if [ "${LOGGED_IN_TENANT_ID}" != "${AAD_TENANT_ID}" ]; then
CHANGED_TENANT=1
fi

# Create the identity that is able to create other applications
APPLICATION_PERMISSION="Application.ReadWrite.OwnedBy"
if [ "${AUTO_WORKSPACE_APP_REGISTRATION}" == true ]; then
./scripts/aad/create_application_administrator.sh \
--name "${TRE_ID}" --admin-consent
APPLICATION_PERMISSION="Application.ReadWrite.All"
fi

echo "Please copy the values above into your /templates/core/.env."
read -p "Please confirm you have done this? (y/N) " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
exit 0
fi
# Create the identity that is able to administer other applications
./scripts/aad/create_application_administrator.sh \
--name "${TRE_ID}" --admin-consent --application-permission "${APPLICATION_PERMISSION}"

echo "Please copy the values above into your /templates/core/.env."
read -p "Please confirm you have done this? (y/N) " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
exit 0
fi

# Then register an App for the TRE Core.
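Review bot: The escalation from `Application.ReadWrite.OwnedBy` to `Application.ReadWrite.All` on the new `APPLICATION_PERMISSION=` line inside the `if` is the least-privilege decision in this hunk, but the new comment only says the identity administers other applications, so a reader has to look elsewhere to learn why the broader permission is sometimes needed. I would document it where the choice is made, e.g. `# OwnedBy lets the identity manage only the apps it creates; .All is needed only when AUTO_WORKSPACE_APP_REGISTRATION has this identity register workspace apps itself`, and log the selected value before the call, `echo "Creating application administrator with MS Graph permission: ${APPLICATION_PERMISSION}"`, so the wider grant is visible in the run output. Note that `== true` is an exact string match, so any other spelling of the flag silently keeps the narrower permission; whether callers always set the literal `true` cannot be confirmed from this hunk. The `if [ "${LOGGED_IN_TENANT_ID}" ...` block that the hunk header shows opens outside the hunk.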
