{"id":3577,"date":"2021-04-25T15:23:52","date_gmt":"2021-04-25T14:23:52","guid":{"rendered":"https:\/\/www.lieben.nu\/liebensraum\/?p=3577"},"modified":"2021-04-25T15:23:52","modified_gmt":"2021-04-25T14:23:52","slug":"deploying-a-service-principal-to-csp-child-tenants","status":"publish","type":"post","link":"https:\/\/lieben.nu\/liebensraum\/2021\/04\/deploying-a-service-principal-to-csp-child-tenants\/","title":{"rendered":"Deploying a service principal to (CSP) child tenants"},"content":{"rendered":"\n
\"\"<\/a><\/figure>\n\n\n\n

Cloud Solution Providers, or sometimes other types of Managed Service Providers often have to manage a large number of tenants. Ideally, they do their ‘Infrastructure As Code’.<\/p>\n\n\n\n

Using various API’s to manage tenants is best done using a Service Principal instead of a user (MFA, lifecycle, etc). <\/p>\n\n\n\n

Recently, I was tasked to provide a deployment method of a Service Principal (multi-tenant) to all child tenants of an MSP, including programmatically granting various Graph API permissions. The Graph endpoint for this (oauth2PermissionGrants) is still in Beta, but the other methods I wrote about in the past <\/a>are not as reliable so we’re using the Beta endpoint.<\/p>\n\n\n\n

The linked example script creates an SPN and grants AuditLog.Read.All. If you’re an MSP\/CSP, you’ll probably want to capture the tenant ID’s you’re installing into, so you can easily administer these tenants centrally using your main multi-tenant SPN.<\/p>\n\n\n\n

Moving forwards, you won’t need an admin user \/ service account in the tenants you manage anymore, at least for the API’s that support SPN’s.<\/p>\n\n\n\n

https:\/\/gitlab.com\/Lieben\/assortedFunctions\/-\/blob\/master\/add-servicePrincipalToAllCSPChildTenants.ps1<\/a><\/p>\n\n\n\n

Note: to completely remove module dependencies \/ login, check my independent token function.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Cloud Solution Providers, or sometimes other types of Managed Service Providers often have to manage a large number of tenants. Ideally, they do their ‘Infrastructure As Code’. Using various API’s to manage tenants is best done using a Service Principal instead of a user (MFA, lifecycle, etc). Recently, I was tasked to provide a deployment … Continue reading Deploying a service principal to (CSP) child tenants<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[4,7,9,39],"tags":[],"class_list":["post-3577","post","type-post","status-publish","format-standard","hentry","category-automation","category-azuread","category-csp","category-powershell"],"_links":{"self":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/3577","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/comments?post=3577"}],"version-history":[{"count":0,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/3577\/revisions"}],"wp:attachment":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/media?parent=3577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/categories?post=3577"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/tags?post=3577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}