I need to add a ReplyUrl to an AAD application using a Service Principal using Azure CLI, but I am getting an error "Insufficient privileges to complete the operation". I originally tried this from Azure DevOps, but have now reproduced it from just CLI.
I started using DevOps and a service principal created when I connected the target AAD tenant to my DevOps organisation. I have granted the API permission Microsoft.Graph.Application.ReadWrite.All to the service principal and granted admin consent. I have generated a new ClientSecret and used that to log on to the tenant using the CLI. When I run the command to update the reply URLs, that's when I get the insufficient privileges error described above.
If I run the CLI command from Cloud Shell bash it works fine.
az login --service-principal -u xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx -p xxxxxxxxxxxxx --tenant xxxxxxxxxx
[
{
"cloudName": "AzureCloud",
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"isDefault": true,
"name": "Windows Azure MSDN - Visual Studio Ultimate",
"state": "Enabled",
"tenantId": "xxxxxxxxxxxxxxxxxxx",
"user": {
"name": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"type": "servicePrincipal"
}
}
]
then
az ad app update --id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --reply-urls https://localhost:44381/
Insufficient privileges to complete the operation.
If I run the az ad app update command from cloud shell it works fine.
If I try to use the service principal created by DevOps then I get the error.
I just created a clean new principal outside of DevOps (az ad app create-for-rbac) and then manually added the Application.ReadWrite.All permission and consented to that - and that gives me the same error too!
[Screenshot: Application API Permissions and Consent]
I have looked at the similar questions - but the closest one had an answer where we need to give the right permissions and grant consent as the answer - which I have already done.
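As an added diagnostic (not code from the question or from Azure CLI itself): given the JSON printed by `az ad app permission list --id <appId>` for the service principal's own app registration, this script reports whether Application.ReadWrite.All is requested on Microsoft Graph or on the legacy Azure AD Graph, and whether it is an application role or only a delegated scope. The two permission GUIDs are assumed from public documentation, and the sample input is constructed.

```python
"""Audit the Graph permissions that `az ad app permission list --id <appId>`
prints for an app registration.  Added example; constructed sample input."""
import json

# Well-known resource appIds of the two directory APIs.
MS_GRAPH = "00000003-0000-0000-c000-000000000000"
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"  # legacy Azure AD Graph
API_NAME = {MS_GRAPH: "Microsoft Graph", AAD_GRAPH: "Azure AD Graph"}

# Assumed ids of Application.ReadWrite.All on each API; verify them with
# `az ad sp show --id <resourceAppId> --query appRoles` before relying on them.
APP_READWRITE_ALL = {
    MS_GRAPH: "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9",
    AAD_GRAPH: "1cda74f2-2616-4834-b122-5cb1b07f8a59",
}

def audit_app_readwrite(permission_list_json):
    """Map API name -> 'Role' (application permission, usable by a service
    principal alone) or 'Scope' (delegated, needs a signed-in user) for every
    API on which Application.ReadWrite.All is requested."""
    found = {}
    for entry in json.loads(permission_list_json):
        api = entry.get("resourceAppId")
        wanted = APP_READWRITE_ALL.get(api)
        if wanted is None:
            continue
        for access in entry.get("resourceAccess", []):
            if access.get("id") == wanted:
                found[API_NAME[api]] = access.get("type")
    return found

def explain(found):
    """Render the audit result as human-readable lines."""
    if not found:
        return ["Application.ReadWrite.All is not requested on either Graph API."]
    return [
        f"{api}: Application.ReadWrite.All as {kind} "
        f"({'usable by a service principal' if kind == 'Role' else 'delegated only'})"
        for api, kind in found.items()
    ]

def sample_permission_list(api, kind):
    """Constructed stand-in for the CLI output: one API, one permission."""
    return json.dumps([{"resourceAppId": api, "resourceAccess": [
        {"id": APP_READWRITE_ALL[api], "type": kind}]}])

if __name__ == "__main__":
    # As in the question: the permission was added on Microsoft Graph as an app role.
    for line in explain(audit_app_readwrite(sample_permission_list(MS_GRAPH, "Role"))):
        print(line)
```

Consent status is not part of this output; `az ad app permission list-grants --id <appId>` shows which of the requested permissions have actually been granted.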