0

I'm a Microsoft employee and I'm new to Azure. I would like to deploy a Service Principal on my internal Microsoft Azure subscription. Using the Azure CLI, when I run

az ad sp create-for-rbac --name $spn_name

I get the error "Insufficient privileges to complete the operation." The documentation here (https://learn.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest) makes it seem like I don't have Azure Active Directory configured properly.

I don't have Azure Active Directory on my internal subscription. Do I need to add this? If so, how can I set this up on my Microsoft internal account? Is there a way to create a Service Principal without Azure Active Directory?

bab689
  • 199
  • 1
  • 12

3 Answers

0

A normal user without Admin roles will also be able to create a service principal, even with the Azure CLI. If the scenario is that you are creating a service principal from an application, then you need application permissions. Please go through a similar question which helps in fixing your issue.

Hari Krishna
  • 2,372
  • 2
  • 11
  • 24
  • Having to involve global admins for something like creating a service principal for an Azure DevOps service connection is such a major PITA - I wish there was some way to create a subscription-local identity/service principal – Cocowalla Aug 31 '20 at 13:53
  • Hi @Cocowalla, I don't have an idea on the DevOps scenario, but please go through my updated answer. – Hari Krishna Sep 01 '20 at 11:05
  • The question you linked to is about assigning permissions to a service principal, rather than what permissions developers need to create the service principal in the first place? – Cocowalla Sep 01 '20 at 12:55
  • For User level, there are no permissions needed. Admin should enable "user can register an app" as mentioned by Carl Zhao – Hari Krishna Sep 01 '20 at 12:57
  • Yes, but "user can register an app" *is* a permission! And the problem is that it's enabled for everyone or no one, so enterprises don't like to use it – Cocowalla Sep 01 '20 at 14:05
  • I agree, but this error is commonly shown for roles and API permissions. – Hari Krishna Sep 01 '20 at 15:08
0

This does not require you to have administrator permissions.

If your account's User type is just a Member in the tenant, make sure that in the portal -> AAD -> User settings -> "Users can register applications" is set to Yes.


Carl Zhao
  • 8,543
  • 2
  • 11
  • 19
  • Unfortunately this is a rather blunt instrument, so many organisations will not enable this – Cocowalla Sep 01 '20 at 12:52
  • @Cocowalla This is a must! – Carl Zhao Sep 02 '20 at 01:47
  • @Cocowalla If my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). See https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work This can be beneficial to other community members. Thank you. – Carl Zhao Sep 04 '20 at 09:13
  • @Cocowalla If you have any questions, please feel free to ask me, I will answer you as soon as possible. – Carl Zhao Sep 04 '20 at 09:15
  • I'm not the OP, I'm just some random having a rant about how *horribly* inconvenient Azure's permissions model is for access to create/edit AAD app registrations/principals :) – Cocowalla Sep 04 '20 at 09:20
  • @Cocowalla Oh, sorry :). – Carl Zhao Sep 04 '20 at 10:12
0

It seems that the issue was that my SP name was not unique. Changing the name solved this problem for me.

bab689
  • 199
  • 1
  • 12
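The two causes raised in the answers above (the tenant's "Users can register applications" setting and a non-unique service principal name) can be checked before running `az ad sp create-for-rbac`. The following pre-flight script is an added example, not code from the thread; it assumes a logged-in Azure CLI, reads the tenant setting from the Microsoft Graph authorizationPolicy resource via `az rest`, and looks up existing principals with `az ad sp list --display-name`.

```python
import json
import subprocess
import sys


def az(*args):
    """Run an Azure CLI command and return its parsed JSON output."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def users_can_register_apps(policy):
    """True when non-admin members may create app registrations.

    The portal switch "Users can register applications" is exposed in the
    Graph authorizationPolicy as defaultUserRolePermissions.allowedToCreateApps.
    """
    perms = policy.get("defaultUserRolePermissions", {})
    return bool(perms.get("allowedToCreateApps", False))


def name_is_taken(sp_name, existing_sps):
    """True when a service principal with this display name already exists."""
    return any(sp.get("displayName") == sp_name for sp in existing_sps)


def preflight(sp_name, policy, existing_sps, is_admin=False):
    """Return the problems that would make create-for-rbac fail (empty = OK)."""
    problems = []
    if policy is None:
        problems.append("could not read the tenant authorization policy; "
                        "confirm the app-registration setting with an admin")
    elif not is_admin and not users_can_register_apps(policy):
        problems.append("tenant blocks app registration by non-admin users; "
                        "ask an admin to enable it or to create the SP for you")
    if name_is_taken(sp_name, existing_sps):
        problems.append(f"a service principal named {sp_name!r} already "
                        "exists; choose a unique name")
    return problems


if __name__ == "__main__":
    spn = sys.argv[1] if len(sys.argv) > 1 else "example-spn"  # constructed default
    try:
        pol = az("rest", "--method", "GET", "--url",
                 "https://graph.microsoft.com/v1.0/policies/authorizationPolicy")
    except subprocess.CalledProcessError:
        pol = None  # reading the policy may itself be denied for this user
    existing = az("ad", "sp", "list", "--display-name", spn) or []
    for problem in preflight(spn, pol, existing):
        print("preflight:", problem)
```

Run it as `python preflight.py $spn_name`; an empty result means neither of the page's two failure causes applies to that name in this tenant.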