xf.is blog

View service principal assignments (permissions) in Azure

Published in azure.

At work we recently moved our DNS hosting to Azure DNS to simplify our hosting and to benefit from the existing RBAC in Azure AD.
One benefit of the move is that we can generate limited API keys so that clients can use the ACME DNS-01 challenge for certificate validation.

We have been using acme.sh, and it has documentation on how to create a limited service principal for DNS-01 validation.

This works really well, but what if you want to view the permissions the service principal has?

The enterprise application blade in Azure AD does not list which resources the application (service principal) has access to, but if you go to each resource's IAM page you can see whether the service principal has access.

However, the Azure CLI can list what the service principal has access to.

First find the appId of the service principal you want to check (in my case AcmeDnsValidator):

az ad sp list --filter "displayname eq 'AcmeDnsValidator'"
[
  {
    ...
    "appId": "11111111-1111-1111-1111-111111111111",
    "displayName": "AcmeDnsValidator"
    ...
  }
]

Then you can find the role assignments (permissions) of the service principal:

az role assignment list --all --assignee 11111111-1111-1111-1111-111111111111
[
  {
    ...
    "id": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-resourcegroupname/providers/Microsoft.Network/dnszones/example.com/providers/Microsoft.Authorization/roleAssignments/44444444-4444-4444-4444-444444444444",
    ...
    "roleDefinitionId": "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleDefinitions/55555555-5555-5555-5555-555555555555",
    "roleDefinitionName": "DNS TXT Contributor"
  }
]

Here you can see that this service principal has access to the DNS zone example.com in resource group rg-resourcegroupname through the role ‘DNS TXT Contributor’.

To view the role definition, use:

az role definition list --name "DNS TXT Contributor"
[
  {
    "assignableScopes": [
      "/subscriptions/22222222-2222-2222-2222-222222222222"
    ],
    "description": "Can manage DNS TXT records only.",
    "id": "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleDefinitions/55555555-5555-5555-5555-555555555555",
    "name": "55555555-5555-5555-5555-555555555555",
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/dnsZones/TXT/*",
          "Microsoft.Network/dnsZones/read",
          "Microsoft.Authorization/*/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.ResourceHealth/availabilityStatuses/read",
          "Microsoft.Resources/deployments/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "DNS TXT Contributor",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]
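
As an added example (not part of the original post), this Python sketch reviews the two outputs above for least privilege: it derives each assignment's scope from its "id" and lists actions that are not read-only and fall outside the TXT record prefix. The function names, the constructed sample data and the expected prefix are assumptions made for illustration; notActions is not evaluated.

```python
import json

# Constructed sample: only the fields shown in the az output above.
ASSIGNMENTS = json.loads("""[{
  "id": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-resourcegroupname/providers/Microsoft.Network/dnszones/example.com/providers/Microsoft.Authorization/roleAssignments/44444444-4444-4444-4444-444444444444",
  "roleDefinitionName": "DNS TXT Contributor"
}]""")
ROLE_ACTIONS = {"DNS TXT Contributor": [
    "Microsoft.Network/dnsZones/TXT/*",
    "Microsoft.Network/dnsZones/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]}
# Assumption: a DNS-01 client only needs write access to TXT records.
EXPECTED_WRITE_PREFIX = "microsoft.network/dnszones/txt/"
MARKER = "/providers/Microsoft.Authorization/roleAssignments/"

def scope_of(assignment_id):
    """The scope is the assignment id with the roleAssignments suffix removed."""
    return assignment_id.split(MARKER)[0]

def scope_level(scope):
    parts = [p for p in scope.split("/") if p]
    if not parts or parts[0].lower() != "subscriptions":
        return "management group or root"
    return {2: "subscription", 4: "resource group"}.get(len(parts), "resource")

def unexpected_write_actions(actions):
    """Actions that are not read-only and are outside the TXT record prefix."""
    return [a for a in actions
            if not a.lower().endswith("/read")
            and not a.lower().startswith(EXPECTED_WRITE_PREFIX)]

def review(assignments, role_actions):
    findings = []
    for a in assignments:
        scope = scope_of(a["id"])
        actions = role_actions[a["roleDefinitionName"]]
        findings.append({"role": a["roleDefinitionName"], "scope": scope,
                         "level": scope_level(scope),
                         "unexpected_write": unexpected_write_actions(actions)})
    return findings

if __name__ == "__main__":
    for finding in review(ASSIGNMENTS, ROLE_ACTIONS):
        print(json.dumps(finding, indent=2))
```

For the role shown above, the review reports a resource-level scope (the single DNS zone) and one action to look at, Microsoft.Insights/alertRules/*, which is a wildcard outside the TXT records.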