1
votes

I need to add a ReplyUrl to an AAD application using a Service Principal using Azure CLI, but I am getting an error "Insufficient privileges to complete the operation". I originally tried this from Azure DevOps, but have now reproduced it from just CLI.

I started using DevOps and a service principal created when I connected the Target AAD tenant to my DevOps organisation. I have granted API permissions Microsoft.Graph.Application.ReadWrite.All to the service principal and granted admin consent. I have generated a new ClientSecret and used that to logon to the tenant using the CLI. When I run the command to update the reply urls, that's when I get the insufficient privileges error described above.

If I run the CLI command from Cloud Shell bash it works fine.

az login --service-principal -u xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx -p xxxxxxxxxxxxx --tenant xxxxxxxxxx 

[
  {
    "cloudName": "AzureCloud",
    "id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "isDefault": true,
    "name": "Windows Azure MSDN - Visual Studio Ultimate",
    "state": "Enabled",
    "tenantId": "xxxxxxxxxxxxxxxxxxx",
    "user": {
      "name": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "type": "servicePrincipal"
    }
  }
]

then

az ad app update --id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  --reply-urls https://localhost:44381/ 

Insufficient privileges to complete the operation. 

If I run the az ad app update command from cloud shell it works fine.
If I try to use the service principal created by DevOps then I get the error.

I just created a clean new principal outside of DevOps (az ad sp create-for-rbac) and then manually added the Application.ReadWrite.All permission and consented to that - and that gives me the same error too!

Application API Permissions and Consent

I have looked at the similar questions - but the closest one had an answer where we need to give the right permissions and grant consent as the answer - which I have already done.

1
If my answer is helpful, please accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). Thank you. Tony Ju

1 Answer

0
votes

You have granted the wrong permissions. Azure CLI uses the AAD Graph endpoint, so you need to grant Azure AD Graph API permissions to the service principal, not Microsoft Graph API permissions.

What you need is the Application.ReadWrite.All permission (Azure AD Graph).


Note: Browser caching in the portal made it appear as if the reply urls were not updated. Just open the portal again, you will see the update.
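The mistake the answer describes is easy to make because both APIs expose a permission called Application.ReadWrite.All, and the portal shows the same name for each. The script below is an added example, not code from the original question or answer. It takes the `requiredResourceAccess` list that `az ad app permission list --id <appId>` prints, tells you which Graph API the grant actually targets, and emits the two `az` commands that add the Azure AD Graph application permission and admin-consent it. The two resource app IDs (`00000002-…` for Azure AD Graph, `00000003-…` for Microsoft Graph) are the well-known IDs of those APIs; the two app-role IDs are the ones I know for Application.ReadWrite.All on each API, and the sample grant list is constructed to mirror the questioner's setup (Microsoft Graph only).

```python
"""Diagnose which Graph API an app's Application.ReadWrite.All grant targets.

Added example (not from the original post). Assumes the JSON shape that
`az ad app permission list --id <appId>` returns: a list of
requiredResourceAccess entries, each with resourceAppId and resourceAccess.
"""
import json
import subprocess

# Well-known resource app IDs of the two APIs.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# App-role (application permission) IDs for Application.ReadWrite.All.
AAD_GRAPH_APP_RW_ALL = "1cda74f2-2616-4834-b122-5cb1b07f8a59"
MS_GRAPH_APP_RW_ALL = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"


def classify_grants(required_resource_access):
    """Report whether Application.ReadWrite.All is requested as an
    application permission (type 'Role') against each API.

    Delegated grants (type 'Scope') are ignored on purpose: a client-credentials
    login like `az login --service-principal` has no signed-in user, so only
    application permissions count.
    """
    found = {"aad_graph": False, "ms_graph": False}
    for entry in required_resource_access:
        resource = entry.get("resourceAppId")
        for access in entry.get("resourceAccess", []):
            if access.get("type") != "Role":
                continue
            if resource == AAD_GRAPH_APP_ID and access.get("id") == AAD_GRAPH_APP_RW_ALL:
                found["aad_graph"] = True
            elif resource == MS_GRAPH_APP_ID and access.get("id") == MS_GRAPH_APP_RW_ALL:
                found["ms_graph"] = True
    return found


def fix_commands(app_id):
    """The az commands that add the AAD Graph permission and consent to it."""
    return [
        f"az ad app permission add --id {app_id} --api {AAD_GRAPH_APP_ID} "
        f"--api-permissions {AAD_GRAPH_APP_RW_ALL}=Role",
        f"az ad app permission admin-consent --id {app_id}",
    ]


def diagnose(required_resource_access, app_id):
    """Return (status, commands). status is 'ok', 'wrong_api' or 'missing'."""
    grants = classify_grants(required_resource_access)
    if grants["aad_graph"]:
        return "ok", []
    if grants["ms_graph"]:
        # Exactly the questioner's situation: right name, wrong API.
        return "wrong_api", fix_commands(app_id)
    return "missing", fix_commands(app_id)


def live_diagnose(app_id):
    """Run the real CLI query; needs an already authenticated az CLI."""
    out = subprocess.check_output(
        ["az", "ad", "app", "permission", "list", "--id", app_id]
    )
    return diagnose(json.loads(out), app_id)


# Constructed sample mirroring the question: only the Microsoft Graph grant.
SAMPLE_MS_GRAPH_ONLY = [
    {
        "resourceAppId": MS_GRAPH_APP_ID,
        "resourceAccess": [{"id": MS_GRAPH_APP_RW_ALL, "type": "Role"}],
    }
]

if __name__ == "__main__":
    status, commands = diagnose(SAMPLE_MS_GRAPH_ONLY, "<appId>")
    print(status)
    for command in commands:
        print(command)
```

Run `live_diagnose("<appId>")` against a real app to get the same verdict from the tenant. Two caveats: after `az ad app permission add` the grant is only requested, so the `admin-consent` step (or clicking "Grant admin consent" in the portal) is still required; and this answer reflects the Azure CLI of the time, since Azure AD Graph has since been retired and Azure CLI 2.37 and later talk to Microsoft Graph, where the Microsoft Graph Application.ReadWrite.All permission is the one that applies.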