
My requirement is to use Azure DevOps Services to create a service connection, so I created an Azure AD application in the Azure portal.

In the Azure DevOps project settings I created a new service connection, but when I click on Verify it throws this error:

Failed to query service connection API "https://managemant.azure.com/sub/xxx?api-version=2016-06-01.status code:'status code:{"error",:{code""Authorization failed message" 'the client" with object id "does not have authorization to perform action 'microsoft.resource/sub/read,over scope'/sub/*** or scope is invalid.if access was recently granted.please refresh your credentials}}

The document I am referring to is https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#use-spn

Would appreciate any assistance on this

TIA

Rukmini
robert

3 Answers


I tried to reproduce the same in my environment and got the same error as below:

[screenshot]

To resolve the error, assign the Reader role to the Azure AD application at the subscription level, as below:

Go to Azure Portal -> Subscriptions -> Select your Subscription -> Access control (IAM) -> Add role assignment

[screenshot]

Verification is successful after assigning the role, as below:

[screenshot]

You can also assign the Contributor role, depending on your requirement.

Rukmini
  • If I am not wrong, Reader permission alone can be used to query the existing AD objects right? To create new service principal, we need additional permissions like 'Write'. – Dilly B Dec 09 '22 at 05:54
  • I'm using Kubernetes version 1.25, and this doesn't work. Any other way I can resolve this? – Arshad Badar Khan Mar 08 '23 at 11:57
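The portal steps in the answer above, expressed as Azure CLI commands. This is an added example and not part of the original answer; the subscription id and the service principal's object id are placeholders, and the `SAMPLE_BEFORE`/`SAMPLE_AFTER` strings are constructed stand-ins for what `az role assignment list ... -o tsv` prints, so the script runs without an Azure login. Reader is the least-privileged built-in role that grants the `Microsoft.Resources/subscriptions/read` action named in the error; Contributor or Owner also include it but grant far more, so choose them only if the pipelines behind the connection must deploy resources.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of "Subscriptions -> Access control (IAM) -> Add role assignment".
# SUB_ID and OBJECT_ID are placeholders; replace them with the real subscription id and the
# object id of the Azure AD application's service principal (the id quoted in the error message).
set -e

SUB_ID="00000000-0000-0000-0000-000000000000"     # placeholder subscription id
OBJECT_ID="11111111-1111-1111-1111-111111111111"  # placeholder service principal object id

# Build the role assignment command at subscription scope. Using --assignee-object-id together with
# --assignee-principal-type avoids an extra Graph lookup, which can fail when the caller lacks directory read rights.
role_assignment_cmd() {
    role="$1"; sub="$2"; oid="$3"
    printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope /subscriptions/%s\n' "$oid" "$role" "$sub"
}

# Given the TSV output of
#   az role assignment list --assignee "$OBJECT_ID" --scope "/subscriptions/$SUB_ID" --query "[].roleDefinitionName" -o tsv
# (one role name per line), return 0 if a built-in role that includes Microsoft.Resources/subscriptions/read is present.
has_read_role() {
    printf '%s\n' "$1" | grep -qxE 'Reader|Contributor|Owner'
}

# Constructed sample outputs: before the fix the list is empty, afterwards it shows Reader.
SAMPLE_BEFORE=""
SAMPLE_AFTER="Reader"

if has_read_role "$SAMPLE_BEFORE"; then
    echo "service principal already holds a role at subscription scope"
else
    echo "no role at subscription scope; the Verify button will fail with AuthorizationFailed. Run:"
    role_assignment_cmd Reader "$SUB_ID" "$OBJECT_ID"
fi

if has_read_role "$SAMPLE_AFTER"; then
    echo "after assignment: Reader present, Verify should now succeed"
fi
```

Role assignments can take a minute or two to propagate, which is what the "if access was recently granted, please refresh your credentials" part of the error refers to; re-run the list command until the role shows up before clicking Verify again. Note also that, as the comment under the answer points out, a subscription-scope Reader role only lets the connection read resources; it does not grant the Azure AD directory rights needed to create a new service principal.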

According to the error message, you can try going to the portal, finding your subscription, clicking on Access Control (IAM) and then clicking on Add role assignment, using the object id. Then try to create a new service connection to check whether it works.

Ging Yuan-MSFT

The Service Principal or Managed Identity you are currently using from Azure DevOps does not have permission to create another service principal. You have to assign specific permissions for creating a service principal on your Azure AD tenant. You may try providing the "Application Developer" role to the ID which you are using to authenticate from Azure DevOps.

Please refer to this MS link for reference: Permissions

Dilly B