Azure - add IAM Role Assignment with no AAD permissions with Azure CLI

Problem

You are a guest in AAD and have no permissions to use UI or search AAD and need to add a service principal to a role to a resource (in my case ADLS Gen2).

Solution

  1. Get the object id of your service principal (the Azure Portal shows a wrong one):
az ad sp list --display-name <prefix or name>

Returns JSON in which you'll find the object id (the value is auto-generated; the one below is an example):

{
    "objectId": "f1becf03-c150-49d5-8d5d-b84955bc56e6"
}
  2. Run the assignment command

In this case I'm granting "Storage Blob Data Contributor" on the entire ADLS resource. You can assign per container instead by changing --scope to go one level deeper.

Storage Scope:

az role assignment create --role "Storage Blob Data Contributor" --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.Storage/storageAccounts/... --assignee-principal-type ServicePrincipal --assignee-object-id f1becf03-c150-49d5-8d5d-b84955bc56e6

Container Scope:

az role assignment create --role "Storage Blob Data Contributor" --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.Storage/storageAccounts/.../blobServices/default/containers/container_name --assignee-principal-type ServicePrincipal --assignee-object-id f1becf03-c150-49d5-8d5d-b84955bc56e6

P.S. Note the syntax for the container - blobServices/default/containers/container_name!
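The two steps above, wrapped into a small POSIX shell script as an added example (this is not code from the original post). It pulls the object id out of the `az ad sp list` output, validates that it is a GUID before it is handed to `az`, builds the storage- or container-level scope string (including the blobServices/default/containers segment the P.S. warns about), and prints the resulting `az role assignment create` and `az role assignment list` commands in dry-run mode so you can check the scope before anything is changed. The subscription, resource group, storage account and container names are placeholders, and the JSON listing is a constructed sample; newer Azure CLI releases report the service principal's object id in a field named `id` rather than `objectId`, so both are accepted.

```shell
#!/bin/sh
# Added example, not part of the original post. Placeholder values below
# must be replaced with your own before running with DRY_RUN=0.
SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"   # placeholder
RESOURCE_GROUP="rg-example"                              # placeholder
STORAGE_ACCOUNT="stexample"                              # placeholder
CONTAINER="raw"                                          # placeholder
ROLE="Storage Blob Data Contributor"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the az commands, 0 = execute them

# Constructed sample of (trimmed) `az ad sp list` output; real output is an array.
SAMPLE_SP_JSON='[ { "displayName": "sp-example", "appId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "objectId": "f1becf03-c150-49d5-8d5d-b84955bc56e6" } ]'

# Extract the service principal object id from the listing without jq.
# Older CLI versions emit "objectId", newer (Microsoft Graph based) ones emit "id".
extract_object_id() {
    _id=$(printf '%s\n' "$1" | sed -n 's/.*"objectId": *"\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$_id" ] || _id=$(printf '%s\n' "$1" | sed -n 's/.*"id": *"\([^"]*\)".*/\1/p' | head -n 1)
    printf '%s\n' "$_id"
}

# Return 0 if the argument is formatted as a GUID, 1 otherwise.
is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# build_scope SUBSCRIPTION RESOURCE_GROUP STORAGE_ACCOUNT [CONTAINER]
# Without a container the scope is the whole storage account; with one it is
# narrowed to that container (least privilege for a single data set).
build_scope() {
    _scope="/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Storage/storageAccounts/$3"
    [ -n "$4" ] && _scope="$_scope/blobServices/default/containers/$4"
    printf '%s\n' "$_scope"
}

# Print (dry run) or execute a command given as arguments.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'dry-run:'; printf ' %s' "$@"; printf '\n'
    else
        "$@"
    fi
}

# assign_role OBJECT_ID SCOPE: refuse anything that is not a GUID, so a
# display name or app id is never passed as --assignee-object-id.
assign_role() {
    is_guid "$1" || { printf "refusing: '%s' is not a GUID\n" "$1" >&2; return 1; }
    run_cmd az role assignment create --role "$ROLE" --scope "$2" \
        --assignee-principal-type ServicePrincipal --assignee-object-id "$1"
}

# verify_role OBJECT_ID SCOPE: list what the principal actually holds at that scope.
verify_role() {
    run_cmd az role assignment list --assignee "$1" --scope "$2" -o table
}

# Walk through the procedure against the constructed sample.
OBJECT_ID=$(extract_object_id "$SAMPLE_SP_JSON")
SCOPE=$(build_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")
assign_role "$OBJECT_ID" "$SCOPE"
verify_role "$OBJECT_ID" "$SCOPE"
```

Run it once as-is to see the exact commands and scope it would issue, then rerun with `DRY_RUN=0` and the object id taken from your own `az ad sp list` output. Leaving `CONTAINER` empty yields the storage-account-wide scope from the post.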
