Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
I know how to create users via command line:
- Install
azure-cli - Run
az login(which is interactive) - Run
az ad user create --display-name <NAME> --password <PASS> --user-principal-name <PRINCIPAL>
Now I want to make it non-interactive.
I've found that if you want non-interactive login you can create a Service Principal and log in to it as explained here. However as I understand Service Principals have different sets of permissions than users, which are assigned by roles (AFAIK built-in are listed here). I've tried to create Service Principal with the highest (Owner) permissions, but it still cannot create users.
In AWS to solve analogous problem (log in non-interactively to AWS and create users in AWS IAM) you just log in non-interactively as a user:
- Create AWS Access key (for a user that has permissions to create IAM users)
- Install
aws-cli - Use
aws iam create-user --user-name <NAME>and pass Access key inAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYvariables.
However I cannot find a way to non-interactively login to Azure as a user. I've found only how to log in non-interactively as a Service principal and I don't know how to give it permission to add Microsoft Entra ID users.
I have two questions:
- Is it possible to log non-interactively via azure-cli and act as a user, with exactly the same permissions as a user?
- Is it possible to give permissions to Service principal to create Microsoft Entra ID users? Can it be done with built-in roles, or does it require custom role?
Note that, Azure RBAC roles are different from Microsoft Entra roles. To create users, you need to either assign directory roles or Microsoft Graph permissions.
For non-interactive login to Azure CLI, you can make use of service principal authentication.
Initially, create one app registration and add User.ReadWrite.All permission of Application type by granting admin consent to it as below:
Now, create one client secret in above app registration and note it's value:
You can get App ID and Tenant ID values of application's Overview page:
To login to Azure CLI as service principal, make use of below command:
az login --service-principal -u <app-id> -p <client-secret> --tenant <tenantId>
Response:
As you already granted User.ReadWrite.All Application permission with admin consent to service principal, you can directly run below command to create user:
az ad user create --display-name <NAME> --password <PASS> --user-principal-name <PRINCIPAL>
Response:
Alternatively, you can also assign "Directory Writer" or "User Administrator" Microsoft Entra roles to service principal like this:
Go to Azure Portal -> Microsoft Entra ID -> Roles and administrators -> User administrator -> Add assignment -> Select service principal
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Create Azure TimerTrigger Durable Function in python
- Azure File Share: Cannot map network drive
- RBAC with bicep
- ADF expression to convert array to comma separated string
- How to get status of Azure machine learning service pipeline run using Rest Api?
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Azure Blob Upload not working in ASP .Net Core Application
- How to clear a Cosmos DB database or delete all items using Azure portal
- Using script commands, how to add multiple scale rules to an Azure Container App?
- User Assigned Managed Identity: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId
- Generate resources dynamically from another group of dynamically generated resources in Terraform
- Column reordering in ADF
- Logic App AuthorizationFailure - vnet integration needed
- Azure blob, controlling filename on download
- Azure VNet peering with Private Link
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- How to configure appsettings on a auto-generated preview environment
- Using Azure DevOps, how do I migrate a release pipeline to code, similar to build pipeline yml?
- Root login Ubuntu VM on Azure
- Filtering azure devops release build based upon build tag with "Continuous deployment trigger"
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Frontend not available when front and back on same Web App Azure
- Use Salesforce Connectors from Hosted Azure Logic App in VSCode?
- What is considered an ingestion request in Azure Data Explorer?
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- Azure function verbose trace logging to Application Insights
- Azure function app GraphServiceClient create list
- Cypress tests fail to run in parallel mode due to mismatched specs between different runs