How to assign 'User administrator' role to service principal in Azure B2C Tenant
We need to assign the 'User Administrator' role to an already existing service principal to allow updating the passwords of the users of the B2C tenant.
Using the MSOnline module as described in "B2C Graph API - insufficient permissions even when Directory.ReadWrite.All is enabled" seems to be outdated and doesn't work for us (in PowerShell Core / cloud PowerShell we only get errors about missing files or assemblies).
Is there some new way to do that?
What we tried was to connect to Azure using the right subscription with the B2C tenant set (it complains that the B2C tenant does not have a subscription, but one can override that with a command-line switch: az login --tenant B2C-TENANT-ID --allow-no-subscriptions).
We can see the service principal that is in the B2C tenant and we can get a list of roles (az role definition list --subscription SUBSCRIPTION-ID). But the 'User Administrator' role you can see in the 'Roles and administrators' panel of the Active Directory blade is not part of these roles. The roles that are printed out are only the roles that are defined in the subscription itself.
Trying to assign the 'User Administrator' role (az role assignment create) yields an error that the role doesn't exist.
azure azure-active-directory roles azure-ad-b2c service-principal
az role refers to Azure RBAC roles. You need to assign an Azure AD directory role. You could try using the AzureAD PowerShell module. – juunas, Mar 25 at 10:51
asked Mar 25 at 10:25 by Katrin Muck, edited Mar 25 at 10:45
1 Answer
Ok so we found a solution - using PowerShell, the following steps were required:
- Install-Module AzureAD
- Connect-AzureAD -TenantId TENANT-ID
- Get-AzureADServicePrincipal -> look for the service principal's ObjectId
- Get-AzureADDirectoryRole -> look for Helpdesk Administrator
- Add-AzureADDirectoryRoleMember -ObjectId ROLE-ID -RefObjectId SERVICE-PRINCIPAL-OID
answered Mar 25 at 11:36 by Katrin Muck
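A fuller script for the procedure in the answer above, added here as an example (it is not the answerer's code). The B2C tenant ID and the service principal's display name are placeholders passed as parameters. It defaults to the Helpdesk Administrator role the answer used, which is enough to reset passwords of non-administrator users; pass -RoleDisplayName 'User Administrator' only if the principal also has to create and delete users or manage groups, because that role is broader. It also handles a case the short answer skips: Get-AzureADDirectoryRole only returns roles that have already been activated in the tenant, so a role that has never been used must be enabled from its template first. The AzureAD module needs Windows PowerShell 5.1, which is consistent with the assembly-loading errors the question saw in PowerShell Core.

```powershell
# Added example: assign an Azure AD *directory* role (not an Azure RBAC role) to an
# existing service principal in a B2C tenant with the AzureAD module.
# Assumptions (placeholders): the tenant ID and the service principal's display name.
# Requires Windows PowerShell 5.1; the AzureAD module does not load in PowerShell Core.
param(
    [Parameter(Mandatory = $true)]
    [string]$TenantId,                       # B2C tenant ID (GUID) from the tenant overview blade

    [Parameter(Mandatory = $true)]
    [string]$ServicePrincipalDisplayName,    # display name of the already existing service principal

    # Directory role display name. 'Helpdesk Administrator' (used in the answer) can reset
    # passwords of non-admin users; 'User Administrator' can also create/delete users and
    # manage groups, so only choose it if the principal really needs that.
    [string]$RoleDisplayName = 'Helpdesk Administrator'
)

$ErrorActionPreference = 'Stop'

if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module AzureAD -Scope CurrentUser -Force
}
Import-Module AzureAD

# Directory roles live in the tenant, not in a subscription, so no subscription is involved.
Connect-AzureAD -TenantId $TenantId | Out-Null

# 1. Resolve the service principal. Fail if the display name is ambiguous: granting an
#    admin role to the wrong principal is exactly the mistake this check prevents.
$sp = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$ServicePrincipalDisplayName'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$ServicePrincipalDisplayName', found $($sp.Count)."
}
$sp = $sp[0]

# 2. Resolve the directory role. Get-AzureADDirectoryRole lists only roles that have been
#    activated in this tenant; a never-used role exists only as a template and must be
#    enabled before it can take members.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $template) {
        $names = (Get-AzureADDirectoryRoleTemplate | Sort-Object DisplayName).DisplayName -join ', '
        throw "No directory role template named '$RoleDisplayName'. Available: $names"
    }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# 3. Idempotent assignment: re-running the script must not fail on an existing membership.
$alreadyMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }

if ($alreadyMember) {
    Write-Host "'$($sp.DisplayName)' ($($sp.ObjectId)) is already a member of '$($role.DisplayName)'."
} else {
    # -ObjectId is the *role's* object ID, -RefObjectId is the *principal* being added.
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Host "Added '$($sp.DisplayName)' ($($sp.ObjectId)) to '$($role.DisplayName)'."
}

# 4. Read the membership back; this is also what a reviewer or auditor would check.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object ObjectType, DisplayName, ObjectId |
    Format-Table -AutoSize
```

Run it from a Windows PowerShell 5.1 session signed in as a Global Administrator or Privileged Role Administrator of the B2C tenant, for example `.\Add-B2cRoleMember.ps1 -TenantId <guid> -ServicePrincipalDisplayName '<name>'` (the file name is an assumption). Whoever holds this service principal's credential now holds the directory role, so treat that credential as an admin secret: prefer a certificate over a client secret, rotate it, and keep the role as narrow as the password-reset task allows. The AzureAD module has since been deprecated in favour of the Microsoft Graph PowerShell SDK, where the same membership operation is New-MgDirectoryRoleMemberByRef.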