1

I'm working with an app registration that has a secret defined. Via PowerShell I am able to get the credential, but not the secret value. Function used is Get-AzADAppCredential This is expected behavior, no issue here.

To renew the secret I run two functions Remove-AzADAppCredential and New-AzADAppCredential.

I run these PowerShell cmdlets via a DevOps pipeline and use a service connection with permissions in Azure portal.

I noticed that, when we create a service connection from DevOps to Azure, the service principal gets the role Cloud application administrator automatically assigned. This role includes the permission "microsoft.directory/applications/credentials/update".

So the above (remove + new) should work, but it does not... DevOps returns an error:

Az.MSGraph.internal\Remove-AzADApplicationPassword : Insufficient privileges to complete the operation.

Az.MSGraph.internal\Add-AzADApplicationPassword : Insufficient privileges to complete the operation.

PS. Using Az.Resources version 5.4.0 when working with the PowerShell functions.

Anyone got any idea what I'm missing?

Thanks.

Dieter
  • 401
  • 1
  • 9
  • 31

2 Answers2

0

Insufficient privileges to complete the operation.

The error comes when the user doesn't have sufficient privileges in AAD and doesn't have Write permission for the selected Azure Subscription.

Note: If you have Cloud application administrator privileges of the user, this role grants the ability to manage application credentials. Users assigned this role can add credentials to an application and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application.

Make sure to check once if you have Global Administrator Access. If you have the access you can able to Modify the secret.

enter image description here

Users who are assigned to the Global administrator role can read and modify every administrative setting in your Azure AD organization.

The permission issue may happen due to

  1. The user has only guest permission in the directory
  2. The user is not authorized to the add applications in the directory

Refer here for detailed information

Delliganesh Sevanesan
  • 4,146
  • 1
  • 5
  • 15
  • The DevOps service connection (service principal) will never be made Global Administrator on the tenant. The other information is what I had already added in my question. – Dieter Apr 28 '22 at 12:59
0

To be able to update a secret on an app registration, through DevOps, using a service principal, with minimal permissions, first make the service connection owner on that random app registration.

Next, add the Application.ReadWrite.OwnedBy application API permission on the app registration that's linked to the enterprise application. Not on the app registration where the service principal was made owner.

Than renewing the secret works fine.

It remains a question though why the role Cloud application administrator isn't sufficient because microsoft.directory/applications/credentials/update is included in that role, and that should also be enough.

Dieter
  • 401
  • 1
  • 9
  • 31
  • Same for making itself owner on an app registration. It has the permission 'microsoft.directory/applications/owners/update' in that 'Cloud application administrator' role. Yet it can't make itself (the service connection - service principal) owner on an app registration. – Dieter Apr 29 '22 at 09:23
  • The 'Cloud application administrator' role is assignable, but isn't assigned by default. No API permissions exist at the time of writing to work around this role. – Dieter May 11 '22 at 11:13