5
votes

I'm trying to add Azure CDN as a service account in order to connect it to Key Vault,
following the official guide and other suggestions such as Can't add Microsoft.Azure.Cdn service principal to Key Vault access policies.

However this command:

New-AzureRmADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"

is giving me this error:

New-AzureRmADServicePrincipal : When using this permission, the backing application of the service principal being created must in the local tenant.

Even after I've set the context to the correct tenant using Set-AzureRmContext -TenantId xxx.
Any help is appreciated!

1

1 Answer

4
votes

The error

When using this permission, the backing application of the service principal being created must in the local tenant.

is reported when you don't have sufficient permissions in AAD to add a service principal for an application defined in a different tenant. This is the case for, e.g., a normal user who does not have any specific Azure Active Directory role. With Global Administrator or Application Administrator (or possibly other roles) the command would succeed (please note that these are AAD administrative roles, not the RBAC roles which are used for resources).

The same error can be reported by the az cli call that creates the principal:

az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
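The following script is an added example, not code from the question or the answer above. It puts the two pieces together in an idempotent way: it looks up the existing principal for the Azure CDN application before trying to create one, translates the "local tenant" failure into a message that names the missing AAD administrative role, and then grants the principal Key Vault access. It assumes the AzureRM modules, an existing vault (the name and tenant ID are placeholders you supply) and that Get on secrets and certificates is the access the CDN needs, which is an assumption on my part.

```powershell
# Added example (not from the question or answer): register the Azure CDN
# first-party app as a service principal in the current tenant and grant it
# Key Vault access. Assumes AzureRM modules and an existing vault; the
# permissions granted (Get on secrets and certificates) are my assumption.
# Creating the principal succeeds only for an account holding an AAD
# administrative role (Application Administrator or Global Administrator);
# a plain user gets the "must in the local tenant" error from the answer.

param(
    [Parameter(Mandatory)] [string] $TenantId,   # placeholder: tenant owning the vault
    [Parameter(Mandatory)] [string] $VaultName   # placeholder: your Key Vault name
)

# Application ID of the Microsoft.Azure.Cdn app, as used in the question.
$cdnAppId = '205478c0-bd83-4e1b-a9d6-db63a3e1e1c8'

Set-AzureRmContext -TenantId $TenantId | Out-Null

# Reuse an existing principal rather than failing on a duplicate create.
$sp = Get-AzureRmADServicePrincipal -ApplicationId $cdnAppId -ErrorAction SilentlyContinue
if (-not $sp) {
    try {
        $sp = New-AzureRmADServicePrincipal -ApplicationId $cdnAppId
    }
    catch {
        if ($_.Exception.Message -match 'local tenant') {
            throw ("Creating the principal for $cdnAppId needs an AAD administrative role " +
                   "(Application Administrator or Global Administrator), not an RBAC role " +
                   "on the vault. Ask a directory administrator to run this step.")
        }
        throw
    }
}

# Grant the CDN principal only the read access it needs on the vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id `
    -PermissionsToSecrets Get -PermissionsToCertificates Get

"Azure CDN principal $($sp.Id) can now read secrets and certificates in $VaultName"
```

Run it as the directory administrator once; afterwards any account with RBAC rights on the vault can rerun it, because the principal lookup succeeds and the create step is skipped.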