I am attempting to automate the registration of a new application in Azure Active Directory. Upon running the command in Azure CLI, it returns with the following error:

Insufficient privileges to complete the operation.

The command was run using a Service Principal which has Owner permissions at the Subscription level. When attempting to run other Azure AD commands (e.g. az ad app list), the same error is thrown. However, it works fine if we run commands relating to Azure API Manager (e.g. az apim list).

We have tried creating the Service Principal using both the Azure console (https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) and CLI by running the following command but neither works.

az ad sp create-for-rbac --role Owner --name some-service-principal

Is there anything else required to perform this operation?

2 Answers

The Owner role you mention is part of Azure RBAC, which does not apply to Azure AD. The Azure AD tenant is above the Azure subscriptions and has its own permissions.

You need to give the SP application permissions to MS Graph API / AAD Graph API (not sure which one the CLI is trying to use), or a directory role. The first you give through API permissions on the app registration for the SP. A directory role can be added through the Roles and administrators tab.

That happens because Azure AD and the Azure subscription are completely unrelated in terms of permissions. You need Application Read/Write Azure AD permissions for your principal (user/service principal/application) to be able to carry out that task.

https://docs.microsoft.com/en-us/graph/permissions-reference#application-resource-permissions

az ad app permission: https://docs.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add

followed by az ad app grant: https://docs.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant

or you could do it using the portal, like the other answer suggests
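The steps both answers describe, as an added shell script that is not part of either answer: it grants the service principal's app registration a Microsoft Graph application permission with the `az ad app permission` commands linked above, then verifies the result. Assumptions: `SP_APP_ID` is a placeholder for your SP's appId, the Graph resource ID and app role IDs are the well-known values from the Graph permissions reference, and `DRY_RUN=1` only prints the commands so the change can be reviewed before it touches the tenant. Two practitioner notes: `Application.ReadWrite.OwnedBy` is used rather than `Application.ReadWrite.All` because it limits the SP to app registrations it creates or owns instead of every app in the tenant, and for application (`Role`) permissions the consent step is `az ad app permission admin-consent`, run by a user who can consent, since `az ad app permission grant` consents delegated scopes.

```shell
#!/usr/bin/env sh
# Added example, not from the original question or answers: give a service principal
# the Microsoft Graph application permission needed to create app registrations.
set -eu

# Well-known application ID of the Microsoft Graph resource service principal.
GRAPH_API_ID="00000003-0000-0000-c000-000000000000"

# Graph app role (application permission) IDs from the permissions reference.
# OwnedBy is the least-privilege choice: the SP can manage only the app
# registrations it owns, not every app registration in the tenant.
APP_READWRITE_OWNEDBY="18a4783c-866b-4cc7-a460-3d5e5662c884"
APP_READWRITE_ALL="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"

# Run a command, or only print it when DRY_RUN=1 (review before changing the
# tenant; also lets the script run without a logged-in az session).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Build the --api-permissions value: "<appRoleId>=Role" selects an application
# permission; "<scopeId>=Scope" would select a delegated permission instead.
app_role_arg() {
  printf '%s=Role' "$1"
}

# Grant one Graph application permission to the SP's app registration.
# $1 = appId of the service principal's app registration (placeholder in usage)
# $2 = Graph app role ID to assign
grant_graph_app_role() {
  sp_app_id="$1"
  role_id="$2"
  # 1. Add the app role to the registration's required permissions.
  run az ad app permission add --id "$sp_app_id" --api "$GRAPH_API_ID" \
      --api-permissions "$(app_role_arg "$role_id")"
  # 2. Application permissions take effect only after tenant admin consent.
  #    This must be run by a user allowed to consent, not by the SP itself.
  run az ad app permission admin-consent --id "$sp_app_id"
  # 3. Verify what the registration now requires before handing it to automation.
  run az ad app permission list --id "$sp_app_id" --output table
}

# Usage (SP_APP_ID is a placeholder for your service principal's appId):
#   SP_APP_ID=<your-sp-appId> DRY_RUN=1 sh grant-graph-app-role.sh
if [ -n "${SP_APP_ID:-}" ]; then
  grant_graph_app_role "$SP_APP_ID" "$APP_READWRITE_OWNEDBY"
fi
```

Run it once with `DRY_RUN=1` to see the exact commands, then without it while logged in as a user who can consent; `az ad app permission list` should then show the Graph app role, and the SP's token will carry it on its next login.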