Revert default role assignment for New-AzureRmADServicePrincipal #6272
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…te help with examples
cormacpayne
force-pushed
the
update-new-sp
branch
from
87d1902 to
0acb1cf
Compare
cormacpayne
changed the title
darshanhs90
reviewed
May 23, 2018
| * Revert change to `New-AzureRmADServicePrincipal` that gave service principals "Contributor" permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters | ||
| - If no values are provided for `Role` or `Scope`, the service principal is created with no permissions | ||
| - If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription | ||
| - If a `Scope` is provided, but no `Contributor`, the service principal is created with `Contributor` permissions over the specified `Scope` |
There was a problem hiding this comment.
Contributor [](start = 40, length = 11)
role
markcowl
reviewed
May 23, 2018
|
@darshanhs90 Because that is our best guess at what the user would want in this case - since no previous versions of the cmdlet have role or scope as a parameter, there is no chance of an existing script hitting unexpected behavior in this case, as they have to provide at least 'Scope' |
twitchax
previously approved these changes
May 23, 2018
|
@darshanhs90, the new behavior is meant to match the Azure CLI behavior, so the default Role is Contributor, as it is in CLI. |
|
@darshanhs90 @markcowl comments addressed and tests added |
…te-new-sp # Conflicts: # src/Stack.sln
darshanhs90
reviewed
May 24, 2018
ChangeLog.md
Outdated
| * Revert change to `New-AzureRmADServicePrincipal` that gave service principals `Contributor` permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters | ||
| - If no values are provided for `Role` or `Scope`, the service principal is created with no permissions | ||
| - If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription | ||
| - If a `Scope` is provided, but no `Scope`, the service principal is created with `Contributor` permissions over the specified `Scope` |
There was a problem hiding this comment.
@darshanhs90 oops, thanks. Fixed this in all occurrences.
darshanhs90
reviewed
May 24, 2018
| * Revert change to `New-AzureRmADServicePrincipal` that gave service principals `Contributor` permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters | ||
| - If no values are provided for `Role` or `Scope`, the service principal is created with no permissions | ||
| - If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription | ||
| - If a `Scope` is provided, but no `Scope`, the service principal is created with `Contributor` permissions over the specified `Scope` |
darshanhs90
reviewed
May 24, 2018
tools/AzureRM/AzureRM.psd1
Outdated
| * Revert change to `New-AzureRmADServicePrincipal` that gave service principals `Contributor` permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters | ||
| - If no values are provided for `Role` or `Scope`, the service principal is created with no permissions | ||
| - If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription | ||
| - If a `Scope` is provided, but no `Scope`, the service principal is created with `Contributor` permissions over the specified `Scope` |
darshanhs90
reviewed
May 24, 2018
| #> | ||
| function Test-NewADServicePrincipalWithReaderRole | ||
| { | ||
| # Setup |
There was a problem hiding this comment.
can we add another test where in we dont specify any role or scope and make sure that no roleassignment change happens before and after running the command
There was a problem hiding this comment.
@darshanhs90 added a check in Test-NewADServicePrincipalWithoutApp that no role assignment was created for the new service principal
markcowl
approved these changes
May 25, 2018
twitchax
approved these changes
May 25, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
New-AzureRmADServicePrincipalthat gave "Contributor" permissions to the current subscription by default ifRoleandScopeparameters weren't provided. The behavior now goes back to before the 6.0.0 release where no permissions are assigned to the service principal ifRoleandScopearen't provided, but use the values provided (or default values) if one (or both) of the parameters are provided.New-AzureRmADServicePrincipalto reflect these changes, as well as update the descriptions for the cmdlet and the affected parametersChecklist
CONTRIBUTING.mdplatyPSmodule