SPARK utilizes a User Assigned Managed Identity (UAMI). This reduces the overall attack surface of SPARK as it eliminates the requirements to store secrets/keys within the SPARK application. User Assigned Managed Identities are the recommended managed identity type for Microsoft services.
Requirements
The Azure Administrator will be required for this step. The user must have:
- Global Administrator role
- Owner role for the resource group
- Access to the Azure Portal
- Ability to run PnP.PowerShell scripts
Reference Link - What is managed identities for Azure resources?
[!NOTE] The required permissions for the PnP.PowerShell script will require at a minimum:
- AppRoleAssignment.ReadWrite.All
- Application.Read.All
[!NOTE] If running Azure Cloud Shell, or any shell that doesn’t have a GUI, then reference the link below if you are unable to connect to PnP.
Reference Link - [BUG] Unable to connect to PNP with CloudShell
Step 1: Sign into Azure
Use the correct URL for your environment:
| Environment | Login URL |
|---|---|
| Worldwide (Commercial) | https://portal.azure.com |
| GCC | https://portal.azure.com |
| GCC High | https://portal.azure.us |
| DoD | https://portal.azure.us |
Step 2: Create User Assigned Managed Identity
- From the top search bar, enter Managed Identities and select it from the search results
2. Click on Create and then set the properties shown in the table
| Name | Value |
|---|---|
| Subscription | The subscription associated with the resource group |
| Resource Group | The resource group created in step 4 |
| Name | uami-spark-spoactions |
| Region | The resource group used in step 4 |
3. Click Review + create
4. Click Create to create the user assigned managed identity
5. Wait for the user assigned managed identity resource is created, and then select Go to resource
[!NOTE] Annotate the following variables in the template spreadsheet:
- v_uamiName: The uami name
- UAMI objId: The uami object id
Step 3: Configure User Assigned Managed Identity Graph Permissions
- Modify the script below with the following parameters
- Open PowerShell v7.2+ and run the script shown below
| Name | Value |
|---|---|
| Certificate | The certificate thumbprint associated with the app registration that is used for PnP.PowerShell |
| Client ID | The app registration id that is used for PnP.PowerShell |
| SPO Admin Url | The SharePoint Admin center url |
| Tenant Environment | The environment containing the tenant: USGovernment USGovernmentHigh USGovernmentDoD |
| Tenant ID | The tenant id |
| UAMI Object ID | The UAMI object id found in step 1 |
[!NOTE] The required permissions for the PnP.PowerShell script will require at a minimum:
- AppRoleAssignment.ReadWrite.All
- Application.Read.All
powershell
Set the UAMI object id
$objectId = “
Connection for Commercial and GCC
#Connect-PnPOnline -Url
Connection for GCC-High and DoD
Connect-PnPOnline -Url
Principal is Object Id of the System Assigned MI
Add-PnPAzureADServicePrincipalAppRole -Principal $objectId -AppRole “Sites.FullControl.All” -BuiltInType SharePointOnline
#Graph SharePoint Site.FullControl.All Add-PnPAzureADServicePrincipalAppRole -Principal $objectId -AppRole “Sites.FullControl.All” -BuiltInType MicrosoftGraph
Grant Directory.Read.All
Add-PnPAzureADServicePrincipalAppRole -Principal $objectId -AppRole “Directory.Read.All” -BuiltInType MicrosoftGraph
Grant Group.Read.All
Add-PnPAzureADServicePrincipalAppRole -Principal $objectId -AppRole “Group.Read.All” -BuiltInType MicrosoftGraph
Grant User.Read.All
Add-PnPAzureADServicePrincipalAppRole -Principal $objectId -AppRole “User.Read.All” -BuiltInType MicrosoftGraph
Disconnect from PnP
Disconnect-PnPOnline
[!NOTE] The sample Connect-PnPOnline connection string within the script above is not the only method of completing this step. Alternative methods are available and may be used if already configured within the local organization.
Step 4: Configure User Assigned Managed Identity RBAC
- Select Azure role assignments from the left navigation
- Click on + Add role assignment
- Add the role assignments shown below in the table
- Click Save to add the role assignment
| Name | Value |
|---|---|
| Scope | Resource Group |
| Subscription | The subscription associated with the resource group |
| Resource Group | The resource group created in step 4 |
| Role | Storage Blob Data Contributor Automation Operator |
[!NOTE] This step will configure the permissions for the storage account used by SQL and the runbooks that will be provisioned later on. This may take several minutes to be added to the uami.
5. Click on Refresh and validate the role assignements were added
