Skip to content

The Application Administrator Identity

Purpose

This identity's credentials are stored in the core key vault and are used when you wish to update AAD Applications. For instance, when you add Guacamole as a Workspace Service, you would need to add the URI of the Guacamole Service as a Redirect URI to the Workspace App to complete the login flow.

Application Roles

This application does not have any roles defined.

Microsoft Graph Permissions

Name Type* Admin consent required TRE usage
Application.ReadWrite.OwnedBy Application Yes This user has Application.ReadWrite.OwnedBy as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the Owners of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin.
Application.ReadWrite.All Application Yes This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant.
Directory.Read.All Application Yes This permission is required to read User details from Azure Active Directory. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE.
Group.ReadWrite.All Application Yes This permission is required to create and update Azure AD groups. This is requried if Azure AD groups are to be created automatically by the TRE.

'*' See the difference between delegated and application permission types. See Microsoft Graph permissions reference for more details.

Clients

This user is currently only used from the Porter bundles hosted on the Resource Processor Virtual Machine Scale Set.

How to create

./devops/scripts/aad/create_application_administrator.sh \
--name "${TRE_ID}" --admin-consent --application-permission "${APPLICATION_PERMISSION}"
Argument Description
--name This is used to put a friendly name to the Application that can be seen in the portal. It is typical to use the name of your TRE instance.
--admin-consent If you have the appropriate permission to grant admin consent, then pass in this argument. If you do not, you will have to ask an AAD Admin to consent after you have created the identity. Consent is required for this permission.
--application-permission This is a comma seperated list of the permissions that need to be assigned. For exampler Application.ReadWrite.All,Directory.Read.All,Group.ReadWrite.All
--reset-password Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password.

Environment Variables

Variable Description Location
APPLICATION_ADMIN_CLIENT_ID The Client Id ./config.yaml
APPLICATION_ADMIN_CLIENT_SECRET The client secret ./config.yaml