0
votes

I am trying to create a new pipeline in Azure DevOps. In the Configure tab I choose Deploy to Azure Kubernetes Service and select the appropriate values such as cluster name, namespace, etc.

When I click Next, Azure DevOps tries to validate and create the pipeline, but then it displays the following error:

Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation. Ensure that the user has permissions to create an Azure Active Directory Application.

The error is self-explanatory, and it seems like it tries to create an AD app behind the scenes, but the user doesn't have permission to do so.

After doing some research I have been led to believe there are two ways to allow my user to be able to create such a pipeline (but maybe I am wrong):

  1. In the User settings tab of the AD directory, enable the flag that says "Users can register applications". This option does not work for me, since it then enables everyone to create apps, and that's not what I want.
  2. Allow my user to access Azure Active Directory. I believe if I am able to access Azure Active Directory, I will be able to create an app; however, this option is also not possible due to the legal restriction on accessing Azure Active Directory.

Is there a way I can create a pipeline in Azure DevOps without having to go through the two options I have described?

2
You might need the Application Developer role to register an app. Please check the solution below. – Levi Lu-MSFT

2 Answers

2
votes

The above error occurs when the user does not have sufficient privileges to create an application in Azure AD. See here.

If you do not want to change "Users can register applications" to Yes, which would allow any user in the Azure AD tenant to register an app, you will need to ask your administrator to assign you a proper administrator role that can create and manage all aspects of app registrations.

For example, the Application Developer role. See available roles and role permissions.

Users in this role can create application registrations when the "Users can register applications" setting is set to No.

Another workaround is to create the service principal with a user who already has the required permissions in Azure Active Directory. In this way, you will have to configure the pipeline manually without using the Deploy to Azure Kubernetes Service pipeline template.

1. First you will need to create the service connections below:

Create an Azure Container Registry service connection using the service principal.

Create a Kubernetes service connection.

2. When creating a new pipeline, you need to select Starter pipeline on the Configure your pipeline page, and then add the Docker and Kubernetes tasks in your YAML pipeline. See the examples Build and push to Azure Container Registry and Deploy to Kubernetes.

You can refer to the pipeline example below, and change the variables and settings accordingly.

```yaml
trigger:
- master

resources:
- repo: self

variables:
  dockerRegistryServiceConnection: 'ACRserviceConnectionName'
  kubernetesServiceConnection: 'kubernetesServiceConnectionName'
  imageRepository: 'nigx'
  containerRegistry: 'leviregistry.azurecr.io'
  dockerfilePath: '**/Dockerfile'
  tag: '$(Build.BuildId)'
  imagePullSecret: 'leviregistry8720a6c7-auth'

  # Agent VM image name
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: |
          $(tag)

    - upload: manifests
      artifact: manifests

- stage: Deploy
  displayName: Deploy stage
  dependsOn: Build

  jobs:
  - deployment: Deploy
    displayName: Deploy
    pool:
      vmImage: $(vmImageName)
    strategy:
      runOnce:
        deploy:
          steps:
          - task: KubernetesManifest@0
            displayName: Create imagePullSecret
            inputs:
              action: createSecret
              secretName: $(imagePullSecret)
              kubernetesServiceConnection: $(kubernetesServiceConnection)
              dockerRegistryEndpoint: $(dockerRegistryServiceConnection)

          - task: KubernetesManifest@0
            displayName: Deploy to Kubernetes cluster
            inputs:
              action: deploy
              kubernetesServiceConnection: $(kubernetesServiceConnection)
              manifests: |
                $(Pipeline.Workspace)/manifests/deployment.yml
                $(Pipeline.Workspace)/manifests/service.yml
              imagePullSecrets: |
                $(imagePullSecret)
              containers: |
                $(containerRegistry)/$(imageRepository):$(tag)
```
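The manual workaround above hinges on step 1: a user who already holds an app-registration role creates the service principal behind the two service connections. The following script, added here and not part of the question or either answer, shows how that principal can be created with only the two resource-scoped roles the YAML pipeline uses, plus a read of the tenant-wide "Users can register applications" switch so you can confirm it stayed at No. It assumes the Azure CLI is logged in as such a user; the resource group, registry, cluster and principal names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or either answer: provision the
# service principal behind the ACR and Kubernetes service connections with
# least privilege. Assumes Azure CLI is logged in as a user who may create app
# registrations (e.g. Application Developer); all names are placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"   # placeholder
ACR_NAME="${ACR_NAME:-myregistry}"          # placeholder
AKS_NAME="${AKS_NAME:-my-aks}"              # placeholder
SP_NAME="${SP_NAME:-azdo-aks-deploy}"       # placeholder
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the plan to stderr, 0 = execute

# Execute a command, or in dry-run mode print it to stderr so a reviewer can
# check exactly which roles and scopes will be granted before anything is created.
run() { if [ "$DRY_RUN" = "1" ]; then printf 'plan: %s\n' "$*" >&2; else "$@"; fi; }

# Tenant-wide "Users can register applications" switch, read via Microsoft Graph.
# Prints "true" when every user may register apps (the setting the asker does not
# want to enable) and "false" when only privileged roles may.
tenant_allows_app_creation() {
  az rest --method get \
    --url "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" \
    --query defaultUserRolePermissions.allowedToCreateApps -o tsv
}

# Register the SP with a role scoped to one registry (AcrPush, what the Build
# stage needs), then add a second role scoped to one cluster (what the Deploy
# stage's service connection needs). Nothing subscription-wide, so a leaked SP
# secret reaches nothing else. The create-for-rbac call is the app registration
# step that fails for a user without an AAD role permitting it.
create_scoped_sp() {
  acr_id="$1"; aks_id="$2"
  app_id=$(run az ad sp create-for-rbac --name "$SP_NAME" --role AcrPush \
             --scopes "$acr_id" --query appId -o tsv)
  app_id="${app_id:-<appId>}"   # dry-run prints the command and captures nothing
  run az role assignment create --assignee "$app_id" \
      --role "Azure Kubernetes Service Cluster User Role" --scope "$aks_id"
}

if [ "$DRY_RUN" = "0" ]; then
  acr=$(az acr show -n "$ACR_NAME" -g "$RESOURCE_GROUP" --query id -o tsv)
  aks=$(az aks show -n "$AKS_NAME" -g "$RESOURCE_GROUP" --query id -o tsv)
  create_scoped_sp "$acr" "$aks"
fi
```

Review the dry-run plan first, then rerun with `DRY_RUN=0`; the credentials that `create-for-rbac` prints go straight into the ACR and Kubernetes service connections, and a cluster with Kubernetes RBAC enabled may additionally need an in-cluster role binding, which this script does not cover.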
0
votes

What about creating a service principal with an existing user who already has the required AAD permission? The team can then continue using the service principal account for managing Azure resources.

Also, I see a similar thread over here: Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation