How to Reference an Azure AD User by UPN #645

Open
floriankoch opened this issue Oct 13, 2020 · 27 comments
Labels
intermediate language Related to the intermediate language revisit

Comments

@floriankoch

Hi,

is there a way to reference an Azure AD user by UPN as object ID?
For example in KeyVault access Policies

Regards

@ghost ghost added the Needs: Triage 🔍 label Oct 13, 2020
@alex-frankel
Collaborator

Azure AD objects are not represented in ARM today, so there is no way to do this in bicep or ARM templates directly. So the goal is to input the principal name and return the entire AD object? Basically mimicking what this CLI command does?

az ad user show --id principal@domain.com

@floriankoch
Author

The use case is e.g.

// Parameter declarations added so the snippet compiles; the original post omitted them.
param vaultName string
param location string = resourceGroup().location
param tenant string
param sku string
param oid string // object ID of the user or group to grant access

resource keyvault 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: tenant
    sku: {
      family: 'A'
      name: sku
    }
    accessPolicies: [
      {
        tenantId: tenant
        objectId: oid
        permissions: {
          secrets: [
            'Get'
            'List'
            'Set'
            'Delete'
            'Recover'
            'Backup'
            'Restore'
          ]
        }
      }
    ]
  }
}

to look up the user or group oid from Azure AD

az ad user show --id principal@domain.com --query objectId

@alex-frankel
Collaborator

alex-frankel commented Oct 14, 2020

Sorry for not following this one, but I am still a bit confused. What is the definition of oid in this case?

I was thinking you could have something like this:

// aadLookup() is a proposed function sketched in this comment; it does not exist in Bicep.
resource keyvault 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: tenant
    sku: {
      family: 'A'
      name: sku
    }
    accessPolicies: [
      {
        tenantId: tenant
        objectId: aadLookup('principal@domain.com').objectId
        permissions: {
          secrets: [
            'Get'
            'List'
            'Set'
            'Delete'
            'Recover'
            'Backup'
            'Restore'
          ]
        }
      }
    ]
  }
}

@alex-frankel alex-frankel added question Further information is requested intermediate language Related to the intermediate language and removed Needs: Triage 🔍 labels Oct 14, 2020
@alex-frankel alex-frankel changed the title [Question] How to Reference an Azure AD User by UPN How to Reference an Azure AD User by UPN Oct 14, 2020
@floriankoch
Author

floriankoch commented Oct 14, 2020

You are right with your example, I was not clear enough, sorry.

Another use case would be a group lookup.

@alex-frankel
Collaborator

np! Thanks for confirming. I think we agree this should be done, just a matter of getting it scheduled.

@alex-frankel alex-frankel removed the question Further information is requested label Oct 14, 2020
@alex-frankel alex-frankel added this to the Committed Backlog milestone Oct 14, 2020
@floriankoch
Author

@alex-frankel Thanks, can we use this issue for both, UPN and group lookup?

@slavizh
Contributor

slavizh commented Oct 15, 2020

Matter of getting scheduled? I have been asking for this for more than two years and it was never scheduled :P

@alex-frankel
Collaborator

@floriankoch - yes, it should work for both when it gets implemented. @slavizh better late than never :)

@slavizh
Contributor

slavizh commented Oct 16, 2020

haha. Actually it is not the first time I request something from the Azure team and after two years it is either done or started :)

@alex-frankel alex-frankel self-assigned this Oct 21, 2020
@alexs77

alexs77 commented Jun 23, 2021

Sorry for making noise, I'm having the exact same issue and use case now.
Has this been scheduled in the last 8.033 months?

@Sreini

Sreini commented Aug 4, 2021

Very interested in this as well.

Another use case is configuring vulnerability baselines for Azure SQL Database. If I have to let users connect to the database through managed identity, I'd like to be able to just pass the name of the user instead of also manually having to search for the object ID and convert it to hexadecimal characters :)

@Sreini

Sreini commented Aug 4, 2021

That said, a hex() function would also be greatly appreciated!

@JanneHarju

I was trying to use the logged-in user's objectId. OP's suggestion is more robust, but is it currently possible to get the objectId of the user who is running the command? It is similar to subscription().tenantId and resourceGroup().location. It could be in environment() or just a new function like loggedInUser().objectId

@alex-frankel
Collaborator

is it currently possible to get the objectId of the user who is running the command

The ARM deployment runs service side, not client side, so it technically would be the principal who created the deployment (which would be the same as the user logged into the client). Either way, there is not a way to do this today, @JanneHarju, do you mind creating an issue for this?

Has this been scheduled in the last 8.033 months?

No update here unfortunately.

@Marc013

Marc013 commented Feb 10, 2022

Is there any update on this?
It would be great if this feature were made available.

@JanneHarju

@alex-frankel I didn't create an issue for my suggestion. Actually, I currently don't need it anymore. In my solution it was bad design whatsoever to use a user's principalId. And in my scenario I was adding permissions to Key Vault the old way. Now there is the new way with RBAC, which I can use in other situations. Although not with a user principal, usually with another Azure resource's principal.

@alex-frankel
Collaborator

No updates - I will create a separate issue for getting the current principal's ID. Relevant internal issue is tracked here:
https://msazure.visualstudio.com/One/_workitems/edit/7512394?src=WorkItemMention&src-action=artifact_link

@alex-frankel
Collaborator

alex-frankel commented Feb 10, 2022

Also would be curious to see how MS Graph extensibility alters the need for this.

Tagging #7724

@JustinGrote

A slow but effective workaround is to make a deploymentScript module that looks up the user and has their ID as an output; you can then use that output in your references.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template

Another similar workaround: I specify my Bicep parameter files as .psd1 files because they're much easier to read, and at deploy time I import the parameter file and pass it to -TemplateParameterObject during a New-Az*Deployment. You could easily add a step in there to first look up any names specified in the parameter file and translate them to their GUIDs before starting the deployment.
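An added example of the deploymentScript workaround described above (not JustinGrote's code and not part of the Bicep project): a module that resolves a UPN to an object ID with the Azure CLI and exposes it as an output, which a caller can feed into the objectId field of the Key Vault access policy from the earlier snippets. The user-assigned identity (scriptIdentityId), the UPN value and the resource names are placeholders; the script identity is assumed to already hold permission to read users in Microsoft Graph, which az ad user show needs.

```bicep
// Added example, not from the issue thread: resolve an Azure AD user's object ID
// from a UPN via a deploymentScript and expose it as a module output.
// Assumptions: a pre-existing user-assigned identity (scriptIdentityId) that can
// read users in Microsoft Graph; the consuming Key Vault is defined elsewhere.

@description('UPN of the user to resolve, e.g. principal@domain.com (placeholder)')
param upn string

@description('Resource ID of a user-assigned identity allowed to read users in Graph')
param scriptIdentityId string

param location string = resourceGroup().location

resource upnLookup 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'lookup-${uniqueString(upn)}'
  location: location
  kind: 'AzureCLI'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${scriptIdentityId}': {}
    }
  }
  properties: {
    azCliVersion: '2.50.0'
    retentionInterval: 'PT1H'       // keep the script resource briefly for diagnostics
    cleanupPreference: 'OnSuccess'  // remove the helper storage/container resources afterwards
    // The UPN is passed as an environment variable rather than interpolated into
    // scriptContent, so a crafted parameter value cannot alter the shell command.
    environmentVariables: [
      {
        name: 'UPN'
        value: upn
      }
    ]
    scriptContent: '''
      set -euo pipefail
      # Graph-based Azure CLI exposes the object ID as "id"; older builds used
      # "objectId", as in the command quoted earlier in the thread.
      oid=$(az ad user show --id "$UPN" --query id -o tsv)
      [ -n "$oid" ] || { echo "no object ID returned for $UPN" >&2; exit 1; }
      printf '{"objectId":"%s"}' "$oid" > "$AZ_SCRIPTS_OUTPUT_PATH"
    '''
  }
}

// A caller declares: module lookup './upnLookup.bicep' = { ... } and then uses
// lookup.outputs.objectId where the access policy expects an object ID.
output objectId string = upnLookup.properties.outputs.objectId
```

Because the lookup runs inside the deployment, the identity attached to the script is the only thing that needs directory read rights; the person running the deployment does not. The script fails the deployment if no ID comes back, so a mistyped UPN cannot silently produce an access policy with an empty object ID.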

@slavizh
Contributor

slavizh commented Jun 10, 2022

Yeah, workarounds are well known, but with them come too many problems you have to take care of.

@obiwanjacobi

obiwanjacobi commented Sep 12, 2022

I searched a long time thinking 'surely this must exist'...
So, yeah - another vote for this feature request.

One of my use cases is that I want to assign roles to the app-registrations of DevOps Service Connections to a Bicep Private Registry used for deployment.

It doesn't have to be a function (lookup() or similar), I could totally live with using a Bicep resource name 'Microsoft.AAD.AppRegistration@2022-12-31' existing = {} syntax... (or whatever the resource identifier is going to be)

@JanneHarju

JanneHarju commented Sep 19, 2022

Hello @obiwanjacobi, I think you can do it through DevOps using the Azure CLI, like you are using it with Bicep but not using Bicep at all. I found this blog by searching "azure devops app registration to azure ad": https://blog.hompus.nl/2020/11/11/manage-azure-ad-applications-from-an-azure-devops-pipeline/ I haven't tried it myself, but it seems quite simple.

@alex-frankel alex-frankel removed their assignment Dec 8, 2022
@Kaloszer

Facing the same issue, as Microsoft Sentinel requires you to give an MS SPN an RBAC role to execute Automation Rules. I do not want to run an external tool (e.g. a PowerShell deployment step script to get the ID), as I want it all to be embedded in a single flow for a potential whatIf use case scenario.

I would expect this to work to get the ID, but yeah, as @obiwanjacobi mentioned - here I am 😢

resource azSecurityInsightsAccount 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: 'Azure Security Insights'
}
Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed)
 - The Resource 'Microsoft.ManagedIdentity/userAssignedIdentities/Azure Security Insights' under resource group '[rgname]' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound)

For now I suppose I will have to grab the principalId manually, embed it in variables of the ADO pipeline and just find and replace before the flow runs.

@brwilkinson
Collaborator

brwilkinson commented Apr 28, 2023

@Kaloszer are you needing to get the principalId from a user assigned managed identity in order to perform a role assignment with it? This is possible today.

Or are you using an AAD App registration/Service Principal?

Edit, I see you mention the Sentinel App.

Looking forward to the AAD/Graph extensibility for this.

In the meantime, at least these are static, so you can maintain the lookup to the objectId, then load it with loadjsoncontent() and check this in with your project.
E.g. a lookup file.

@Kaloszer

Kaloszer commented Apr 28, 2023

Hmm, I might've overlooked it - I was under the impression the ID was unique per tenant, is it not?

Edit: ah I see, you have a config file with the ID there, yeah that's my solution to it as well, more or less. 'hardcoded' in

@brwilkinson
Collaborator

@Kaloszer yes, in my param file I use the name. Then I do the lookup from the name to the ID from that file in the module.

That way the param files are portable and user friendly on the SP name, so users don't have to deal with GUIDs. There is a central place to maintain the lookup file.

I believe the graph extensibility provider will solve this specific problem for these Application ID lookups. Looking forward to testing to see if this part will be in scope of its capability soon.
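An added example of the checked-in lookup file approach brwilkinson describes (example code, not his or the Bicep project's own): a module takes a friendly principal name from the parameter file, resolves it through loadJsonContent(), and uses the result for a role assignment, which covers cases like the Sentinel service principal mentioned earlier in the thread. The file name principals.json, its keys, the object IDs in it and the role definition are all placeholders.

```bicep
// Added example, not from the issue thread: map friendly service-principal names
// to object IDs through a lookup file committed next to the module, then assign
// a role by name. File name, entries, IDs and role below are assumptions.
//
// principals.json (assumed content; replace the zero GUIDs with real object IDs):
// {
//   "sentinel-automation":    { "objectId": "00000000-0000-0000-0000-000000000000", "type": "ServicePrincipal" },
//   "ado-service-connection": { "objectId": "00000000-0000-0000-0000-000000000001", "type": "ServicePrincipal" }
// }

@description('Friendly name from principals.json, so parameter files never carry GUIDs')
param principalName string

@description('Role definition GUID to assign (placeholder for a built-in or custom role)')
param roleDefinitionId string

@description('Name of the existing Key Vault the role is scoped to')
param vaultName string

var principals = loadJsonContent('principals.json')
// Objects can be indexed by a string key; an unknown name fails the deployment
// instead of silently assigning the role to an empty principal.
var principal = principals[principalName]

resource vault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: vaultName
}

resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name keeps re-deployments idempotent for the same triple.
  name: guid(vault.id, principal.objectId, roleDefinitionId)
  scope: vault
  properties: {
    principalId: principal.objectId
    // Setting principalType from the file avoids the lookup-failure race that
    // occurs when a freshly created principal has not replicated yet.
    principalType: principal.type
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
  }
}

output assignedObjectId string = principal.objectId
```

Object IDs are not secrets, but the lookup file decides who receives access, so it belongs under the same code review as the templates that consume it; a deterministic assignment name also means a changed ID in the file produces a new, visible role assignment rather than a silent in-place edit.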

@luxant

luxant commented Jan 23, 2024

I'm also interested in this feature. Please make it possible.
