How to Test IAM Roles for an App Registration


I'm troubleshooting an issue where an app registration is unable to query the subscriptions within an Azure tenant, despite a role assignment granting it access at the tenant root group level. Wondering if there's a straightforward method to run the relevant command, either through CLI or the web interface, to validate this behavior.

Specific test command is:

```bash
az account management-group list
```

But I don't see any way to invoke that as a particular user or app, and I already know my own user account has the right permissions, and can run that command. Any suggestions would be appreciated.

Naveen Sharma (best answer):

Initially, fetch your service principal's Object ID, which can be found under Enterprise Applications, like this:

[screenshot: the service principal's Object ID on the Enterprise Applications blade]

To check the IAM roles assigned to that app registration, you can use the CLI command below, passing the Object ID from above, like this:

```bash
# Object ID of the service principal (from Enterprise Applications), not the app (client) ID
principalId="SPObjectID"
# List every assignment for that principal at any scope; the PrincipalName column
# is resolved once via a nested az call before the query runs
az role assignment list --all --query "[?principalId=='$principalId'].{RoleName:roleDefinitionName, Scope:scope, PrincipalID:principalId, PrincipalName:'$(az ad sp show --id $principalId --query displayName -o tsv)'}" --output table
```

Response: [screenshot of the table output]

As @KonTheCat suggested, you can log in as the service principal and connect to Azure by running the CLI command below:

```bash
# -u takes the application (client) ID; -p the client secret; --tenant the tenant domain or ID
az login --service-principal -u "appID" -p "client_secret" --tenant "tenant.onmicrosoft.com"
```

Response: [screenshot of the login output]

When I then ran the CLI command below, I got the list of subscriptions successfully, like this:

```bash
# Runs in the service principal's session; this command comes from the 'account' CLI extension
az account subscription list
```

Response: [screenshot of the subscription list]
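As an added example (not part of the answer above), the role-assignment check from the answer can be turned into a repeatable test: take the JSON that `az role assignment list --all --assignee <objectId> -o json` returns and report which of the principal's assignments actually apply at the scope the app needs, here the tenant root management group (whose ID equals the tenant ID). The IDs below are constructed placeholders, and `fetch_assignments` assumes an `az` session is already signed in.

```python
# Added example: validate that a service principal's role assignments cover the
# tenant root management group. Sample data is constructed; IDs are placeholders.
import json
import subprocess

SP_OBJECT_ID = "00000000-0000-0000-0000-0000000000aa"   # placeholder Object ID
TENANT_ID = "11111111-1111-1111-1111-111111111111"      # placeholder tenant ID
TENANT_ROOT_MG = f"/providers/Microsoft.Management/managementGroups/{TENANT_ID}"

# Constructed sample shaped like the `az role assignment list -o json` output.
SAMPLE_ASSIGNMENTS = [
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Reader",
     "scope": TENANT_ROOT_MG},
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionName": "Owner", "scope": "/"},
]

def scope_covers(assigned: str, target: str) -> bool:
    """True if a role assigned at `assigned` is inherited by `target`.
    Scopes are path-like: '/' covers everything; otherwise `assigned` must equal
    `target` or be a path prefix of it. Management-group-to-subscription
    inheritance is not path based and is deliberately not resolved here."""
    a = assigned.rstrip("/").lower() or "/"
    t = target.rstrip("/").lower() or "/"
    return a == "/" or t == a or t.startswith(a + "/")

def covering_assignments(assignments, principal_id, target_scope):
    """Return (role, scope) pairs of `principal_id` that apply at `target_scope`."""
    return [
        (a["roleDefinitionName"], a["scope"])
        for a in assignments
        if a["principalId"].lower() == principal_id.lower()
        and scope_covers(a["scope"], target_scope)
    ]

def fetch_assignments(principal_id: str) -> list:
    """Live variant: ask the az CLI for the principal's assignments at all scopes."""
    out = subprocess.run(
        ["az", "role", "assignment", "list", "--all",
         "--assignee", principal_id, "-o", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)

if __name__ == "__main__":
    # Swap SAMPLE_ASSIGNMENTS for fetch_assignments(SP_OBJECT_ID) against a real tenant.
    for role, scope in covering_assignments(SAMPLE_ASSIGNMENTS, SP_OBJECT_ID, TENANT_ROOT_MG):
        print(f"{role:<12} {scope}")
```

An empty result for the Object ID you expect is the usual cause of the symptom in the question: the assignment exists, but on a different principal (for example the app's Object ID instead of the service principal's) or at a scope that does not cover the root group.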