Reputation: 1526
So here is the thing. I have a bunch of scripts that, during the initial environment setup, create an app registration in Azure, its ServicePrincipal, and finally set a certificate as a key. Everything works just fine while I'm logged in as a user with the Global Admin role.
Now, for the sake of automation, I need to do the same but using a ServicePrincipal rather than my user's account. The idea is to use it to create/delete app registrations and rotate their keys. Consider it some sort of master SP. So I've created one and granted it the following permissions:
Microsoft Graph - Application Permission: "Read directory data"
Microsoft Graph - Application Permission: "Read and write directory data"
Windows Azure Active Directory - Application Permission: "Read directory data"
Windows Azure Active Directory - Application Permission: "Read and write directory data"
The SP has been assigned with Owner role for a given subscription.
My automation script executes the following commands:
Get-AzureRmADApplication
New-AzureRmADApplication
New-AzureRmADAppCredential
New-AzureRmADServicePrincipal
Powershell version is 5.1
AzureRM.Resources module version is 6.1.0
Here is the way I set the account in the script:
$secpasswd = ConvertTo-SecureString "Master_SP_Password" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("Master_SP_AppId", $secpasswd)
Add-AzureRMAccount -ServicePrincipal -Tenant "***" -Subscription "***" -Credential $creds
Select-AzureRMSubscription -SubscriptionId *** -TenantId ***
And here is what I'm getting right now:
Any suggestions? Thanks!
Upvotes: 2
Views: 1945
Reputation: 889
The error you're getting
Resource not found for the segment 'me'
is because, when you get an insufficient privileges request, the Graph API navigates to the /me endpoint on the Graph API; however, Service Principals do not have this endpoint available to them.
As for the
Insufficient privileges to complete the operation
problem: I have a Service Principal with permission to create Applications. The permission you're looking for, on the Graph API Permission blade, is
Manage Apps that this app creates or owns
This permission allows the service principal to create applications and manage the ones it's created. This is an admin permission, so you'll need to press the Grant Permissions button to enable this.
To see what permissions have been granted by users and admins, navigate to the Enterprise Application for the app and select the Permissions blade. Granted permissions are listed here.
Hope that helps.
Upvotes: 3
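The workflow from the question (sign in as the master SP, create the registration, add a certificate key, create its service principal) carried through end to end with the permission the answer points at. This is an added example, not code from the question or the answer: every GUID and thumbprint is a placeholder, the display name and identifier URI are made up, and it assumes AzureRM.Resources 6.x on Windows PowerShell 5.1 with the master SP's certificate already in Cert:\CurrentUser\My. It signs in with a certificate rather than the plain-text password the question embeds, and it maps the two quoted error messages to the missing Graph permission ("Manage apps that this app creates or owns" is the display name of Microsoft Graph's Application.ReadWrite.OwnedBy application permission).

```powershell
# Added example (not from the question or answer): the app-registration workflow run as
# the "master" service principal, using AzureRM.Resources 6.x cmdlets.
# Every value marked PLACEHOLDER is an assumption; replace it with your own.

$TenantId        = "00000000-0000-0000-0000-000000000000"    # PLACEHOLDER tenant id
$SubscriptionId  = "00000000-0000-0000-0000-000000000000"    # PLACEHOLDER subscription id
$MasterAppId     = "00000000-0000-0000-0000-000000000000"    # PLACEHOLDER master SP application id
$MasterCertThumb = "0000000000000000000000000000000000000000" # PLACEHOLDER thumbprint in Cert:\CurrentUser\My
$NewAppName      = "automation-created-app"                  # PLACEHOLDER display name of the new registration

# 1. Sign in as the master SP with a certificate instead of a client secret,
#    so no password has to live in the script.
Add-AzureRmAccount -ServicePrincipal -TenantId $TenantId `
    -ApplicationId $MasterAppId -CertificateThumbprint $MasterCertThumb | Out-Null
Select-AzureRmSubscription -SubscriptionId $SubscriptionId -TenantId $TenantId | Out-Null

# 2. Generate the certificate that becomes the new app's key. Only the public part
#    (CertValue) is sent to Azure AD; the private key never leaves the local store.
$cert = New-SelfSignedCertificate -Subject "CN=$NewAppName" `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeySpec Signature -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1)
$certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

try {
    # 3. Idempotent create: reuse a registration with the same display name if present.
    $app = Get-AzureRmADApplication -DisplayNameStartWith $NewAppName |
        Where-Object { $_.DisplayName -eq $NewAppName } | Select-Object -First 1
    if (-not $app) {
        $app = New-AzureRmADApplication -DisplayName $NewAppName `
            -IdentifierUris "https://$NewAppName.example.invalid" -CertValue $certValue `
            -StartDate $cert.NotBefore -EndDate $cert.NotAfter
    } else {
        # 4. Key rotation: attach the new certificate credential to the existing app.
        New-AzureRmADAppCredential -ObjectId $app.ObjectId -CertValue $certValue `
            -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null
    }

    # 5. Create the service principal for the registration if it does not exist yet.
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $app.ApplicationId.ToString()
    if (-not $sp) {
        $sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
    }
    Write-Output "Application $($app.ApplicationId) / SP $($sp.Id) ready; key expires $($cert.NotAfter)"
}
catch {
    # Both messages quoted in the answer trace back to the master SP lacking an
    # application permission on Microsoft Graph. "Manage apps that this app creates or
    # owns" is Application.ReadWrite.OwnedBy, and it needs admin consent (Grant Permissions).
    if ($_.Exception.Message -match "Insufficient privileges|segment 'me'") {
        Write-Error ("Master SP '$MasterAppId' lacks Application.ReadWrite.OwnedBy on Microsoft Graph " +
                     "or admin consent was not granted. Original error: $($_.Exception.Message)")
    } else {
        throw
    }
}
```

Application.ReadWrite.OwnedBy is the least-privilege choice for this pattern: the master SP becomes an owner of every registration it creates and can rotate only those keys, whereas the "Read and write directory data" permissions listed in the question do not grant application management at all. The rotation branch keeps the old certificate in place; removing it with Remove-AzureRmADAppCredential belongs after the consumers have switched to the new key.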