Update NSG with JSON definition. Only permission is contributor on the NSG resource
I have a file called nsg-properties.json which looks like this:
{
"securityRules": [
<twenty NSG rules are here>
]
}
I have a service principal with only a single role assignment, which is Contributor on the scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$VNET_RESOURCE_GROUP/providers/Microsoft.Network/networkSecurityGroups/$NSG_NAME which is the resource ID of my NSG.
How can I programmatically update the NSG with the property definition in nsg-properties.json? Things I've tried:
- Use ARM template. Didn't work, because my service principal doesn't have
Microsoft.Resources/subscriptions/resourcegroups/writeon the scope of my resource group. - Use
az resource create --id $NSG_ID --properties @nsg-properties.json. Didn't work, because my service principal doesn't haveMicrosoft.Resources/subscriptions/resourcegroups/readon the scope of my resource group.
There's the az network nsg update API, but I can't figure out how to use a JSON definition as input.
Do you have any suggestions?
It cannot work like this. You need to give Network Contributor OR Microsoft.Network/networkSecurityGroups/write permission to your Service principle in order to update NSG. Check out Permissions required to make changes to NSG:
Edit:
In the 2nd case you have mentioned:
Use az resource create --id $NSG_ID --properties @nsg-properties.json. Didn't work, because my service principal doesn't have Microsoft.Resources/subscriptions/resourcegroups/read on the scope of my resource group.
This is not possible without giving Microsoft.Resources/subscriptions/resourcegroups/read role to your SP. This is how the design is.
- Sharepoint online 'Unsupported app only token.'
- Can't get events with open extension in Microsoft Graph API
- Provide SSL certificate for internal Website
- Getting "Unable to complete authentication for user due to looping logins" while making an api call through postman to azure
- azure ad difference between group based and role based authorization
- Powershell EntraID - Get display names of user groups
- Questions on microsoft azure portal app registration
- API Access to SharePoint Files/Lists via SharePoint REST, API & MSAL, using deamon/service account
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Id token in microsoft with ./Default scope
- Unattended authentication using Azure Active Directory- UserCredential not accepting username and password
- Assigning Roles to a Group and scoping that to an Admin Unit programatically in Entra
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA