How to do AssumeRole in Azure

Today I would like to give you a solution that will allow you to control one Azure account from another.

Let’s start from the basics. AWS AssumeRole is used for cross-account access in AWS. It allows a user in one AWS account to manage resources in a completely different AWS account. It is a well-known feature and there are a lot of resources on this topic.

In Microsoft Azure it is possible to achieve the same result, but by a different method. Azure has the notion of an Application (an app registration in Azure Active Directory). Application has a broad meaning in Azure; in this article I am only interested in one property: an application registered in one Azure account can be granted access to resources in a different Azure account.

Let’s say you have a Main account and a Second account that you want to control. Each account is its own Azure AD tenant.

Configure main account

Basically, it is very simple. You need to create an application that, in the next stage, will be granted access to the Second account. Here is how you create the Application in the portal:

  1. Sign in to the Azure portal using your Main account.
  2. Select Azure Active Directory > App registrations > New registration.
  3. Provide a name for the application.
  4. Under Supported account types select “Accounts in any organizational directory” (a multi-tenant application). A single-tenant application cannot be given a service principal in the Second account, so the rest of this article will not work with it.
  5. Under Redirect URI, select Web as the application type, and (optionally) specify a redirect URI if your application requires it. For the command-line use shown here none is needed.
  6. After setting the values, select Register. The application registration is created and the Overview page is presented.
  7. Copy the Application (client) ID for use in the following steps. It is referred to below as uuid-client-app-id.

You can get the same result from the command line. Older CLI releases accepted --password (and --homepage) on az ad app create / az ad app update; current releases have removed those options, so first create the multi-tenant application:

az ad app create --display-name MyApp1 --sign-in-audience AzureADMultipleOrgs

Whether you used the portal or the CLI, the application then needs a client secret (the “password” you will log in with later). Let the CLI generate one instead of picking a value like password123, and copy it from the output, because it is shown only once:

az ad app credential reset --id uuid-client-app-id --years 1

Configure second account

The configuration is very simple. I will show how I do this in the command line as it is easier for me:

Log in to the Second account and get its tenant id; we will use it in the last step as uuid-tenant-id:

az account show --output json | jq -r '.tenantId'

Next, create a service principal in the Second account for the application you registered in the Main account. This is the object that role assignments in the Second account are granted to, and it can only be created because the application is multi-tenant. The command returns the service principal’s object id (the id field in current CLI output, objectId in older releases); we will use it as uuid-sp-object-id below:

az ad sp create --id uuid-client-app-id

The next step is to assign a role to this service principal. You can create a custom role or use one of the built-in ones. Built-in role ids are the same in every tenant, but check an id before you use it (az role definition list --name "Role Name" --query "[].name" -o tsv prints it), because several of the ids commonly copied around, including the VM, network and storage ones below, belong to the Classic roles rather than the current ones. For example:

  • Reader acdd72a7-3385-48ef-bd42-f606fba81ae7
  • Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
  • Classic Virtual Machine Contributor d73bb868-a0df-4d4d-bd69-98a00b01fccb
  • Classic Network Contributor b34d265f-36f7-4a0d-a4d4-e158ca92e90f
  • Classic Storage Account Contributor 86e8f5dc-a6e9-4c67-9d15-de283e8eac25
  • Website Contributor de139f84-1756-47ae-9be6-808fbbe84772
  • Web Plan Contributor 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
  • SQL Server Contributor 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
  • SQL DB Contributor 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec

You probably know that Microsoft lets you define very granular custom roles, but for this project I will use the Contributor role. Keep in mind that this identity is controlled from another tenant: scope the assignment to a single resource group (as here), never to the whole subscription, and prefer Reader or a narrower role where it suffices. Use the next command to assign the role to the service principal you just created (--assignee-principal-type skips the directory lookup that can fail while the new service principal is still replicating):

az role assignment create -g my-group-name --assignee-object-id uuid-sp-object-id --assignee-principal-type ServicePrincipal --role b24988ac-6180-42a0-ab88-20f7382dd24c

Final step

Now everything is configured. Open a fresh terminal and make sure you are not logged in to any Azure account, otherwise the following commands run against the wrong tenant.

You can do this command to logout from Azure:

az logout

Now log in to the Second account as the application, using the client id, the client secret you configured for the application and the Second account’s tenant id:

az login --service-principal --username uuid-client-app-id --password app-secret --tenant uuid-tenant-id

You are now logged in to the Second account and can run whatever the assigned role permits. For example, to create a new VM (the UbuntuLTS image alias used when this was written has since been retired; Ubuntu2204 is the current alias):

az vm create -n MyVm -g my-group-name --image Ubuntu2204
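The whole procedure above, from issuing the secret in the Main account to revoking access in the Second account, as one script. This is an added example, not the post author’s code. It assumes a current az CLI (2.37 or later, where az ad sp create reports the object id as id and client secrets come from az ad app credential reset), a multi-tenant app registration already created in the Main tenant, and an az login to the Second tenant before grant_access is called. The function names, the AZ override variable and the GUID check are this example’s own.

```shell
# Added example, not the post author's code.
# Assumes az CLI >= 2.37 (Graph based: `az ad sp create` returns the object id in `id`,
# client secrets are issued with `az ad app credential reset`), a multi-tenant app
# registration in the Main tenant, and `az login` to the Second tenant before grant_access.
set -e

AZ=${AZ:-az}   # command used for every call; overridable so the steps can be dry-run with a stub

# Reject anything that is not a GUID before it is spliced into a CLI call.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Main tenant: issue a one-year client secret for the app registration and print it once.
# The CLI generates the value; never hand-pick one such as password123.
reset_app_secret() {
  local app_id
  app_id=$1
  is_guid "$app_id" || { echo "bad app id: $app_id" >&2; return 1; }
  "$AZ" ad app credential reset --id "$app_id" --years 1 --query password -o tsv
}

# Second tenant: create the service principal for the foreign app and scope one role to one
# resource group. Defaults to Reader; pass Contributor only when write access is really needed.
# Prints "<tenant id> <sp object id>": the values needed to log in and, later, to revoke.
grant_access() {
  local app_id rg role tenant sub sp_oid
  app_id=$1; rg=$2; role=${3:-Reader}
  is_guid "$app_id" || { echo "bad app id: $app_id" >&2; return 1; }
  tenant=$("$AZ" account show --query tenantId -o tsv)
  sub=$("$AZ" account show --query id -o tsv)
  sp_oid=$("$AZ" ad sp create --id "$app_id" --query id -o tsv)
  is_guid "$sp_oid" || { echo "unexpected sp object id: $sp_oid" >&2; return 1; }
  # --assignee-principal-type skips the directory lookup that fails while the new SP replicates
  "$AZ" role assignment create \
    --assignee-object-id "$sp_oid" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" \
    --scope "/subscriptions/$sub/resourceGroups/$rg" >/dev/null
  echo "$tenant $sp_oid"
}

# Anywhere: drop any existing session, then log in as the app against the Second tenant.
login_as_app() {
  local app_id tenant secret
  app_id=$1; tenant=$2; secret=$3
  is_guid "$app_id" && is_guid "$tenant" || { echo "bad app or tenant id" >&2; return 1; }
  "$AZ" logout >/dev/null 2>&1 || true
  "$AZ" login --service-principal --username "$app_id" --password "$secret" --tenant "$tenant" >/dev/null
}

# Second tenant: revoke. Delete the role assignment before the principal; a principal deleted
# first leaves its assignment behind, shown as "Identity not found".
revoke_access() {
  local sp_oid
  sp_oid=$1
  is_guid "$sp_oid" || { echo "bad sp object id: $sp_oid" >&2; return 1; }
  "$AZ" role assignment delete --assignee "$sp_oid" >/dev/null
  "$AZ" ad sp delete --id "$sp_oid"
}
```

Typical use: run reset_app_secret in the Main tenant, grant_access in the Second tenant, then login_as_app from a clean shell with the values the first two printed. The client secret lives in the Main tenant but now unlocks a role in the Second tenant, so treat it like any cross-account credential: pass it through a variable rather than a logged command line, rotate it, and revoke_access as soon as the work is done.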

Hope this solution helps you. Leave your comments.

Reverting / deleting access

az ad sp delete --id 874e7f32-xxxx-xxxx-xxxx-f000483b4302

ERROR: Can’t find associated application id from ‘874e7f32-xxxx-xxxx-xxxx-f000483b4302’

The Azure AD service does allow deleting ServicePrincipal objects; until the bug is resolved in the CLI, the command above will not work, but in the meantime you have several options: