
I am trying to provision Azure AD Domain Service by executing an ARM template in terraform. To let terraform access Azure, I have created a service principal using the script below:

az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/xxxxxxxx-xxxxxfca38"

and then gave the Client ID and Secret to terraform.

The problem is, when I execute the script, Azure gives me an error saying:

code":"BadRequest", "message": "The user xxxxx-80b is not the tenant admin of tenant xxxxxx-xxxxxfca38.

However, when I login to Azure portal using my email and password, I can create AZ AD Domain Service without any error.

How do I create a service principal with right privilege for performing such operation? I initially thought --role="Owner" should be sufficient.

Alternatively, is it possible to get the Client ID and Secret of the same account which I use to log in to the Azure portal?

P.S.: I am using a personal account in Azure which is not linked to any organization AD.

Right, you need Owner permission on the subscription and permission to create applications in Azure AD. I've never personally seen this error, so wouldn't be able to tell why it is being thrown or how to work around this, but consider checking if you actually are an owner on that subscription, or grant yourself User Access Administrator permissions over the subscription. – 4c74356b41

1 Answer


I have no personal account with a subscription to test. Just refer to the steps below to have a try.

I am using a personal account in azure which is not linked to any organization AD.

When you log in to the Azure portal, there is actually a default directory, but if you create the AD App in the Azure AD directly, you cannot select the single-tenant app.

1. Navigate to the Azure AD in the portal -> Create a directory (we don't use the directory later; the operation just makes the Default Directory appear).

When you have created the directory successfully, close the browser (do not just refresh) and open a new one, log in to the portal, click the directory switcher button, and you will find the Default Directory.

2. Navigate to the subscription in the portal -> check the Directory, then you will know which directory your subscription is located in. Also make sure My role is Owner or User Access Administrator; otherwise, you will not be able to run the command az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/xxxxxxxx-xxxxxfca38" successfully.

3. If your subscription is in the Default directory, you can navigate to the Azure AD -> Properties -> set Access management for Azure resources to Yes, then you will be the User Access Administrator. (If you are already the Owner or User Access Administrator, ignore this step.)

4. Then log in to the Azure CLI with the command below, specifying the tenant ID of the tenant in which the subscription is located.

az login --tenant <tenant>

5. Run the command az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/xxxxxxxx-xxxxxfca38"; it should work.
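Steps 2 to 5 of the answer as one script, added here as an example and not the answerer's own code: it logs in to the named tenant, confirms the subscription really lives in that tenant, confirms the signed-in user holds Owner or User Access Administrator at subscription scope, and only then creates the service principal. It assumes the az CLI is installed and that the two arguments TENANT_ID and SUBSCRIPTION_ID are replaced with real values; the parsing helpers are hypothetical names chosen for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. Assumes az CLI is installed.
# Usage: ./make-sp.sh TENANT_ID SUBSCRIPTION_ID
set -eu

# Given role names, one per line (as `az role assignment list ... -o tsv`
# prints them), print "ok" and return 0 if one of them permits creating a
# role assignment on the subscription, which create-for-rbac needs.
has_sp_creation_role() {
  while IFS= read -r role; do
    case "$role" in
      "Owner"|"User Access Administrator") echo ok; return 0 ;;
    esac
  done <<EOF
$1
EOF
  return 1
}

# The "not the tenant admin of tenant ..." error in the question comes from
# acting in a directory other than the one that holds the subscription.
tenant_matches() {
  [ "$1" = "$2" ]
}

create_sp_in_correct_tenant() {
  tenant_id="$1"; subscription_id="$2"
  # Step 4: log in to the specific tenant, not whichever directory is default.
  az login --tenant "$tenant_id" --allow-no-subscriptions >/dev/null
  actual_tenant=$(az account show --subscription "$subscription_id" --query tenantId -o tsv)
  tenant_matches "$tenant_id" "$actual_tenant" \
    || { echo "subscription is in tenant $actual_tenant, not $tenant_id" >&2; return 1; }
  # Step 2/3: verify the role before trying to create the service principal.
  me=$(az ad signed-in-user show --query userPrincipalName -o tsv)
  roles=$(az role assignment list --assignee "$me" --scope "/subscriptions/$subscription_id" \
            --include-inherited --query "[].roleDefinitionName" -o tsv)
  has_sp_creation_role "$roles" >/dev/null \
    || { echo "need Owner or User Access Administrator on the subscription" >&2; return 1; }
  # Step 5: scope the service principal to this one subscription.
  az ad sp create-for-rbac --role Owner --scopes "/subscriptions/$subscription_id"
}

# Azure is only contacted when both arguments are supplied.
if [ "$#" -eq 2 ]; then
  create_sp_in_correct_tenant "$1" "$2"
fi
```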