Reputation: 1526
Azure AD - using SP to create an app registration and its credentials
So here is the thing. I have a bunch of scripts that during the initial environment setup create an app registration in Azure, its ServicePrincipal, and finally sets a certificate as a key. Everything works just fine while I'm logged in as a user with Global Admin role.
Now, for the sake of automation, I need to do the same but using a ServicePrincipal rather than my user's account. The idea is to use it to create/delete app registrations and rotate their keys. Consider it some sort of master SP. So I've created one, and granted it next permissions -
Microsoft Graph - Application Permission: "Read directory data"
Microsoft Graph - Application Permission: "Read and write directory data"
Windows Azure Active Directory - Application Permission: "Read directory data"
Windows Azure Active Directory - Application Permission: "Read and write directory data"
The SP has been assigned with Owner role for a given subscription.
My automation script executes next commands -
Get-AzureRmADApplication
New-AzureRmADApplication
New-AzureRmADAppCredential
New-AzureRmADServicePrincipal
Powershell version is 5.1
AzureRM.Resources module version is 6.1.0
Here is the way I set the account in the script -
$secpasswd = ConvertTo-SecureString "Master_SP_Password" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("Master_SP_AppId", $secpasswd)
Add-AzureRMAccount -ServicePrincipal -Tenant "***" -Subscription "***" -Credential $creds
Select-AzureRMSubscription -SubscriptionId *** -TenantId ***
And here is what I'm getting right now -
- Get-AzureRmADApplication - executes just fine
- New-AzureRmADApplication - throws Resource not found for the segment 'me'
- New-AzureRmADAppCredential - have tried the command for an existing app, and it fails with Insufficient privileges to complete the operation
- New-AzureRmADServicePrincipal - have tried the command for an existing app, throws Resource not found for the segment 'me'
Any suggestions? Thanks!
Upvotes: 2
Views: 1945
Answers (1)
Reputation: 889
The error you're getting
Resource not found for the segment 'me'
is because when you get an insufficient privileges request the graph API navigates to the /me endpoint on the Graph API however Service Principals do not have this endpoint available to them.
As for the the
Insufficient privileges to complete the operation
problem. I have a Service Principal with permission to create Applications. The permission you're looking for is on the Graph API Permission blade is
Manage Apps that this app creates or owns
This Permission allows the service principal to create applications and manage the ones it's created. This is an admin permission so you'll need to press the Grant Permissions button to enable this.
To see what permissions have been granted by users and admins, navigate to the Enterprise Application for the app and select the Permissions blade. Granted permissions are listed here.
Hope that helps.
Upvotes: 3
Related Questions
- Azure App registration add authorized client applications through powershell Azure CLI
- How can I create a new Azure App Registration without the user_impersonation OAuth2Permission?
- azure App registration using powershell does not create a service principal
- Azure AD App Registration for Multi tenant and Personal accounts using powershell
- How to make an Azure app registration with platform SPA via Powershell
- Let the user create Azure Active Directory App registrations for our app?
- Connect an Azure App Registration to Azure SQL Database via Powershell
- Native App Registration with AZ Powershell Module
- App Registrations in Azure AD
- Converged applications Azure AD v2, register programmatically