SPN - razmipatel/Random GitHub Wiki

To retrieve creation dates for all Azure resources via API using a service principal, you will need to assign appropriate permissions that allow the principal to query resource metadata. Here's a summary of what's required:

🔑 **Recommended Permissions for the Service Principal**

1. **Azure Role-Based Access Control (RBAC).** At a minimum, assign one of the following roles at the subscription or management group level, depending on scope:

   - **Reader**
     - Scope: least privilege; sufficient for read-only access to metadata.
     - Provides access to view resource properties, including creation time if it is available in the `createdTime` metadata.
   - **Resource Graph Contributor** (optional but recommended)
     - Scope: enables querying across subscriptions using Azure Resource Graph (ARG).
     - Helpful if you plan to run queries like:

   ```kusto
   Resources
   | project name, type, resourceGroup, subscriptionId, tags, createdTime
   ```

2. **Microsoft Graph or Azure Resource Manager API Permissions.** If you're querying via Azure CLI, PowerShell, or SDKs, ensure the app registration (i.e., the service principal) has:
   - API permissions for `https://management.azure.com/` – delegated or application access, depending on how the token is used.
   - For a service principal, use application permissions.
   - A token acquired with the scope `https://management.azure.com/.default`.

🔒 **Least Privilege Principle**

Stick to Reader unless other roles are required. Avoid Contributor or Owner roles unless necessary.

✅ **Steps to Grant Access**

1. Create or use an existing service principal.
2. Assign the Reader role at subscription/resource group level using:

   ```bash
   az role assignment create --assignee <APP_ID> --role Reader --scope /subscriptions/<SUBSCRIPTION_ID>
   ```

3. (Optional) Assign Resource Graph Contributor if querying across multiple subscriptions:

   ```bash
   az role assignment create --assignee <APP_ID> --role "Resource Graph Contributor" --scope /subscriptions/<SUBSCRIPTION_ID>
   ```

4. Grant permission to Resource Graph via the Azure Portal or the app manifest if needed.

โš ๏ธ Important Notes Creation time is not always explicitly stored as a property for every resource. Some resource types expose it via createdTime, others may require inference (e.g., via Activity Logs).

Azure Resource Graph is generally the most scalable method to retrieve this info programmatically across large estates.
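As an added example (not code from the original page), the following stdlib-only Python script acquires a token with the `https://management.azure.com/.default` scope via the client-credentials grant, pages through the Resource Graph query above with `$skipToken`, and separates resources that expose `createdTime` from those that still need Activity Log inference. The tenant ID, client ID, client secret and subscription IDs are assumed to be supplied by the caller; the sample rows are constructed for an offline check.

```python
import json
import urllib.parse
import urllib.request

ARM_SCOPE = "https://management.azure.com/.default"  # token scope named on the page
ARG_ENDPOINT = ("https://management.azure.com/providers/Microsoft.ResourceGraph"
                "/resources?api-version=2021-03-01")
# Query from the page; createdTime is only populated for resource types that expose it.
QUERY = "Resources | project name, type, resourceGroup, subscriptionId, tags, createdTime"

def post_json(url, payload, headers):
    """Minimal JSON POST helper using only the standard library."""
    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def arm_token(tenant_id, client_id, client_secret):
    """Client-credentials grant for the service principal (application permissions)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": ARM_SCOPE}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return post_json(url, form, {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]

def run_query(token, query, subscriptions):
    """Run the ARG query, following $skipToken until every page is read (Reader suffices)."""
    rows, skip = [], None
    while True:
        body = {"subscriptions": subscriptions, "query": query}
        if skip:
            body["options"] = {"$skipToken": skip}
        page = post_json(ARG_ENDPOINT, json.dumps(body).encode(),
                         {"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        rows.extend(page.get("data", []))
        skip = page.get("$skipToken")
        if not skip:
            return rows

def split_by_created_time(rows):
    """Rows that carry createdTime versus rows that need Activity Log inference."""
    dated = [r for r in rows if r.get("createdTime")]
    undated = [r for r in rows if not r.get("createdTime")]
    return dated, undated

# Constructed sample rows standing in for a live ARG response (offline demo).
SAMPLE_ROWS = [
    {"name": "vm1", "type": "microsoft.compute/virtualmachines", "createdTime": "2024-01-05T10:00:00Z"},
    {"name": "nsg1", "type": "microsoft.network/networksecuritygroups", "createdTime": None},
]
# Live run: split_by_created_time(run_query(arm_token(TENANT, APP_ID, SECRET), QUERY, [SUB_ID]))
```

Resources that land in the second list are the ones the note above refers to: their creation time has to be inferred from Activity Log entries rather than read from the resource itself.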


โš ๏ธ **GitHub.com Fallback** โš ๏ธ