Grant extra permissions to the service principal

The service principal needs two additional grants before the installer can create and assign credentials for the cluster's components: the User Access Administrator role on the target subscription (Azure RBAC), and the Application.ReadWrite.OwnedBy application permission on the legacy Azure Active Directory Graph API (resource app ID 00000002-0000-0000-c000-000000000000). Creating the role assignment requires Owner or User Access Administrator rights on the subscription; the API permission is added to the app registration and then needs consent from a tenant administrator.

Procedure

  • Assign the User Access Administrator role:

    To assign the User Access Administrator role to the service principal that you created, issue this command:

    az role assignment create --role "User Access Administrator" --assignee-object-id $(az ad sp list --filter "appId eq '<appId>'" | jq '.[0].objectId' -r)

    Where appId is the appId value that you recorded when creating the service principal. The command looks up the object ID of the service principal and, because no --scope is given, assigns the role on the subscription that the CLI is currently logged in to; confirm that the scope field in the output names the subscription the cluster will be deployed into. With Azure CLI 2.37 or later, az ad commands use Microsoft Graph and return the object ID as id rather than objectId, so change the jq filter to .[0].id (or use az ad sp show --id <appId> --query id -o tsv).

    For example, issue this command:

    az role assignment create --role "User Access Administrator" --assignee-object-id $(az ad sp list --filter "appId eq '12ea9986-……" | jq '.[0].objectId' -r)

    The output should be similar to:

    root@sys-backup-client1:/ocp-tools# az role assignment create --role "User Access Administrator" --assignee-object-id $(az ad sp list --filter "appId eq '12ea9986-….." | jq '.[0].objectId' -r)
    {
      "canDelegate": null,
      "condition": null,
      "conditionVersion": null,
      "description": null,
      "id": "/subscriptions/297…./providers/Microsoft.Authorization/roleAssignments/490840c4-……",
      "name": "490840c4-……",
      "principalId": "fe395a77-….",
      "principalType": "ServicePrincipal",
      "roleDefinitionId": "/subscriptions/297d75cf-……/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-……",
      "scope": "/subscriptions/297d75cf-……",
      "type": "Microsoft.Authorization/roleAssignments"
    }
  • Assign the Windows Azure Active Directory Graph API permissions:

    To add the Application.ReadWrite.OwnedBy permission (app role 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7 on the Windows Azure Active Directory Graph API, resource ID 00000002-0000-0000-c000-000000000000) to the application registration of the service principal that you created, issue this command. The =Role suffix requests it as an application permission rather than a delegated one:

    az ad app permission add --id <appId> --api 00000002-0000-0000-c000-000000000000 --api-permissions 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7=Role

    For example (for Windows Azure Active Directory):

    az ad app permission add --id 12ea9986-…… --api 00000002-0000-0000-c000-000000000000 --api-permissions 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7=Role

    The output should be similar to:

    root@sys-backup-client1:/ocp-tools# az ad app permission add --id 12ea9986-xxxx-xxxx-xxxx-xxxxxxxxxxxx --api 00000002-0000-0000-c000-000000000000 --api-permissions 824c81eb-e3f8-4ee6-8f6d-de7f50d565b7=Role
    Invoking "az ad app permission grant --id 12ea9986-xxxx-xxxx-xxxx-xxxxxxxxxxxx --api 00000002-0000-0000-c000-000000000000" is needed to make the change effective
  • Approve the permissions request:

    Granting the permission requires tenant-level administrator privileges in the directory (Azure Active Directory). If your account does not have the Tenant Administrator role, follow your organization's guidelines for asking the tenant administrator to approve the request, or delegate this single command to a person who has these privileges; they are not needed for the other OCP deployment tasks. Then issue this command:

    az ad app permission grant --id <appId> --api 00000002-0000-0000-c000-000000000000

    For example,

    az ad app permission grant --id 12ea9986-……… --api 00000002-0000-0000-c000-000000000000

    The output should be similar to:

    root@sys-backup-client1:/ocp-tools# az ad app permission grant --id 12ea9986-xxxx-xxxx-xxxx-xxxxxxxxxxxx --api 00000002-0000-0000-c000-000000000000
    {
      "clientId": "fe395a77-…….",
      "consentType": "AllPrincipals",
      "expiryTime": "2022-06-08T05:46:06.249523",
      "objectId": "d1o5_.......",
      "odata.metadata": "https://graph.windows.net/32bfacf3-.....cd/$metadata#oauth2PermissionGrants/@Element",
      "odatatype": null,
      "principalId": null,
      "resourceId": "816223c2-……",
      "scope": "user_impersonation",
      "startTime": "2021-06-08T05:46:06.249523"
    }
    Note:
    • If your Azure user account does not have the Tenant Administrator role, or if you are logged in to the wrong tenant, the command fails with this error:
      Operation failed with status: 'Bad Request'. Details: 400 Client Error: Bad Request for url: https://graph.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2PermissionGrants?api-version=1.6
    • The tenant administrator can run the grant command instead of you; these privileges are not needed for the other OCP deployment tasks.
    • The grant object in the output records delegated permissions only (scope: user_impersonation, consentType: AllPrincipals). Application.ReadWrite.OwnedBy was added as an application permission (=Role), which is consented separately: after this step, confirm in the Azure portal (App registrations > API permissions) that it shows as granted for the tenant, or grant it with az ad app permission admin-consent --id <appId>, which also requires tenant administrator privileges.
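    The following Python script is an added example, not part of the original procedure or the installer. It checks the JSON that steps 1 and 3 print (run the az commands with -o json and pass the output to the functions): that the role assignment went to a service principal, carries the well-known User Access Administrator role definition ID (18d7d88d-d35e-4fb5-a5c3-7773c20a72d9) and sits on the intended subscription; that the permission grant is tenant-wide and, because such a grant only ever covers delegated scopes, that the Application.ReadWrite.OwnedBy application permission is still listed as needing admin consent; and that both steps targeted the same service principal object (principalId in the assignment equals clientId in the grant). The SAMPLE_* documents are constructed to mirror the output shapes shown above; every GUID in them is a placeholder.

```python
"""Post-checks for the 'Grant extra permissions' steps (added example).

Feed the -o json output of `az role assignment create` and
`az ad app permission grant` to the functions below. The SAMPLE_* strings
are constructed to mirror the shapes shown on the page; all GUIDs in them
are placeholders, not real identifiers.
"""
import json

# Well-known Azure built-in role definition ID for "User Access Administrator".
USER_ACCESS_ADMIN_ROLE_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
# Application.ReadWrite.OwnedBy app role on the legacy Azure AD Graph API,
# the value passed to --api-permissions in step 2.
APP_READWRITE_OWNEDBY_ROLE_ID = "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"

# Constructed sample (placeholder IDs): output of `az role assignment create`.
SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"
SP_OBJECT_ID = "22222222-2222-2222-2222-222222222222"
ASSIGNMENT_ID = "33333333-3333-3333-3333-333333333333"
SAMPLE_ROLE_ASSIGNMENT = json.dumps({
    "canDelegate": None, "condition": None, "conditionVersion": None,
    "description": None,
    "id": "/subscriptions/%s/providers/Microsoft.Authorization/roleAssignments/%s"
          % (SUBSCRIPTION_ID, ASSIGNMENT_ID),
    "name": ASSIGNMENT_ID,
    "principalId": SP_OBJECT_ID,
    "principalType": "ServicePrincipal",
    "roleDefinitionId": "/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/%s"
                        % (SUBSCRIPTION_ID, USER_ACCESS_ADMIN_ROLE_ID),
    "scope": "/subscriptions/%s" % SUBSCRIPTION_ID,
    "type": "Microsoft.Authorization/roleAssignments",
})

# Constructed sample (placeholder IDs): output of `az ad app permission grant`.
SAMPLE_GRANT = json.dumps({
    "clientId": SP_OBJECT_ID,
    "consentType": "AllPrincipals",
    "expiryTime": "2022-06-08T05:46:06.249523",
    "objectId": "d1o5_placeholder",
    "principalId": None,
    "resourceId": "44444444-4444-4444-4444-444444444444",
    "scope": "user_impersonation",
    "startTime": "2021-06-08T05:46:06.249523",
})


def check_role_assignment(raw_json, subscription_id):
    """Findings for a role-assignment document; empty means it matches step 1."""
    doc = json.loads(raw_json)
    findings = []
    if doc.get("principalType") != "ServicePrincipal":
        findings.append("principalType is %r, expected ServicePrincipal" % doc.get("principalType"))
    # roleDefinitionId is a full ARM path; the built-in role GUID is its last segment.
    role_id = doc.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
    if role_id != USER_ACCESS_ADMIN_ROLE_ID:
        findings.append("role %s is not User Access Administrator" % role_id)
    # Without --scope the CLI assigns on the subscription it is logged in to,
    # so verify it is the subscription the cluster is deployed into.
    if doc.get("scope", "").lower() != "/subscriptions/" + subscription_id.lower():
        findings.append("scope %r is not subscription %s" % (doc.get("scope"), subscription_id))
    return findings


def check_permission_grant(raw_json, required_role_ids):
    """Findings for an oauth2PermissionGrant document.

    `az ad app permission grant` records delegated scopes only (the page's
    output shows "user_impersonation"). Application permissions requested with
    =Role never appear in this object, so each one is reported as still
    needing admin consent instead of being silently assumed granted.
    """
    doc = json.loads(raw_json)
    findings = []
    if doc.get("consentType") != "AllPrincipals":
        findings.append("consentType %r is not tenant-wide (AllPrincipals)" % doc.get("consentType"))
    if not doc.get("scope", "").split():
        findings.append("grant carries no delegated scopes")
    for role_id in required_role_ids:
        findings.append("application permission %s is not covered by this delegated grant; "
                        "confirm admin consent for it separately" % role_id)
    return findings


def same_principal(role_assignment_json, grant_json):
    """True when both steps hit the same service principal object: the
    assignment's principalId and the grant's clientId are both the SP object ID."""
    a = json.loads(role_assignment_json)
    g = json.loads(grant_json)
    return bool(a.get("principalId")) and a["principalId"].lower() == (g.get("clientId") or "").lower()


def with_field(raw_json, key, value):
    """Copy of the document with one field changed, to exercise the negative paths."""
    doc = json.loads(raw_json)
    doc[key] = value
    return json.dumps(doc)


if __name__ == "__main__":
    for f in (check_role_assignment(SAMPLE_ROLE_ASSIGNMENT, SUBSCRIPTION_ID)
              + check_permission_grant(SAMPLE_GRANT, [APP_READWRITE_OWNEDBY_ROLE_ID])):
        print("CHECK:", f)
    print("same service principal:", same_principal(SAMPLE_ROLE_ASSIGNMENT, SAMPLE_GRANT))
```

    On the constructed samples the role assignment produces no findings, the grant produces exactly one (the application permission that still needs admin consent), and same_principal returns True; a scope on another subscription or a principalType of User is reported.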