Azure - az aks cli azure ad error

Question

I have two different Azure Ad tenants

First one is foo

Second one is bar

and one subscription

Name is baz

Account administrator seems as foo at Management & Billing Overview service section.

When I change directory into bar from portal i can see baz at Other subscriptions from Cost Management & Billing.

When I execute command below at bar's shell, I can see that owner of the subscription is foo.

azure account show

When I execute command below I'm having error "directory permission is needed for the current user to register the application"

az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 1 --generate-ssh-keys

So I wanna take everything to foo create my Azure Kubernetes Service. What should I have to do. Any ideas?

Could you please check your account's directory role in second Azure AD? — Jason Ye, Mar 14 '18 at 01:32
Yes. At foo it's checked to yes at bar most of the sections seems passive. — rfum, Mar 14 '18 at 08:51
It means you have not permissions, please contact that AAD administrator to change that settings. — Jason Ye, Mar 14 '18 at 08:53
What if I to move subscription from bar to foo. Would it solve my problem? Because my administrator is nearly sure for he gave the right permissions. — rfum, Mar 14 '18 at 09:33
No, move is not a good idea. Could you please check users in second AAD and find the global admin, change Azure AD directory role. — Jason Ye, Mar 14 '18 at 09:42
Could you please ask your admin to change `App registrations` settings or set your directory role as global admin? — Jason Ye, Mar 14 '18 at 09:44
I cannot see any user in bar directory also cannot add a new user only new guest user button seems active. — rfum, Mar 14 '18 at 09:46
and my administration says that he gave me the full access on this account. — rfum, Mar 14 '18 at 09:47

Jason Ye · Answer 1 · 2018-03-14T09:43:24.787

1

According to your error message, it seems your account doesn't have permissions in your second AAD tenant to create new application registrations.

Please check your account's directory role in second Azure AD(Global admin).

Also, if you can't set your account as Global admin, please check your AAD user settings -> App registrations, set to Yes , if set to Yes, non-admin users can register AD apps.

Hope this helps.

Update:

You can check AD role here(also your admin can change this settings):

edited Mar 14 '18 at 09:43

answered Mar 14 '18 at 01:57

Jason Ye

13,710
2
16
25

You can check your AD role here, I have update my answer, please check it. – Jason Ye Mar 14 '18 at 09:45
I don't have the section `Directory Role` at AAD.Here is how my portal looks like from bar directory. https://ibb.co/ivQSPc – rfum Mar 14 '18 at 10:18
uhh my bad. Now I can see only one user at foo which is the same as the ss you shared with me.But at bar there is no user exists.Here is ss of bar's user section from AAD https://ibb.co/fxOZnx – rfum Mar 14 '18 at 10:31
It seems you are the guest of that directory, could you please contact that directory admin to grant you permission? – Jason Ye Mar 15 '18 at 00:40
Could you use that telnet to create aks now? – Jason Ye Mar 16 '18 at 01:14
Still not... Seems no hope for my situation. I dunno what to try more... – rfum Mar 16 '18 at 04:44
You are a guest of that directory, maybe you should ask that admin add you to his subscription, in this way you will able to create SP and aks. – Jason Ye Mar 16 '18 at 08:29

Azure - az aks cli azure ad error

1 Answers1