Kiryl

Reputation: 1526

Azure AD - using SP to create an app registration and its credentials

So here is the thing. I have a bunch of scripts that, during the initial environment setup, create an app registration in Azure, its ServicePrincipal, and finally set a certificate as a key. Everything works just fine while I'm logged in as a user with the Global Admin role.

Now, for the sake of automation, I need to do the same but using a ServicePrincipal rather than my user's account. The idea is to use it to create/delete app registrations and rotate their keys. Consider it some sort of master SP. So I've created one, and granted it the following permissions -

Microsoft Graph - Application Permission: "Read directory data"
Microsoft Graph - Application Permission: "Read and write directory data"
Windows Azure Active Directory - Application Permission: "Read directory data"
Windows Azure Active Directory - Application Permission: "Read and write directory data"

The SP has been assigned the Owner role for a given subscription.

My automation script executes the following commands -

Get-AzureRmADApplication
New-AzureRmADApplication
New-AzureRmADAppCredential
New-AzureRmADServicePrincipal

PowerShell version is 5.1
AzureRM.Resources module version is 6.1.0

Here is the way I set the account in the script -

$secpasswd = ConvertTo-SecureString "Master_SP_Password" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("Master_SP_AppId", $secpasswd)
Add-AzureRMAccount -ServicePrincipal -Tenant "***" -Subscription "***" -Credential $creds
Select-AzureRMSubscription -SubscriptionId *** -TenantId ***

And here is what I'm getting right now -

Any suggestions? Thanks!

Upvotes: 2

Views: 1945
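The sequence the question describes (create the registration, its service principal and a certificate credential, then rotate that credential later), written out as an added example for AzureRM.Resources 6.x; this is not the asker's script. It assumes Add-AzureRmAccount -ServicePrincipal has already been run as the master SP, and the display name, identifier URI and certificate paths are placeholders.

```powershell
# Added example, not the asker's code. Runs after Add-AzureRmAccount -ServicePrincipal
# has authenticated as the "master" SP. All names and paths below are assumptions.

$displayName   = "contoso-automation-app"                      # assumed app name
$identifierUri = "https://contoso.example/automation-app"      # assumed identifier URI
$certPath      = "C:\certs\automation-app.cer"                 # assumed public cert (no private key)

# Load only the public certificate; the private key never has to leave the host
# that will later authenticate with it.
$cert      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# Idempotent create: a re-run of the setup must not produce a second registration.
$app = Get-AzureRmADApplication -IdentifierUri $identifierUri -ErrorAction SilentlyContinue
if (-not $app) {
    $app = New-AzureRmADApplication -DisplayName $displayName `
        -IdentifierUris $identifierUri `
        -CertValue $certValue -StartDate $cert.NotBefore -EndDate $cert.NotAfter
    Write-Host "Created application $($app.ApplicationId)"
} else {
    Write-Host "Application $($app.ApplicationId) already exists"
}

# The service principal is what RBAC assignments and sign-ins are bound to.
$sp = Get-AzureRmADServicePrincipal -SearchString $displayName |
      Where-Object { $_.ApplicationId -eq $app.ApplicationId }
if (-not $sp) {
    $sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
    Write-Host "Created service principal $($sp.Id)"
}

# Certificate rotation: add the new credential first, then remove the superseded
# ones, so there is never a window in which the app has no valid credential.
function Update-AppCertificateCredential {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][string]$NewCertPath   # assumed path to the new public cert
    )
    $new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($NewCertPath)
    $old = Get-AzureRmADAppCredential -ApplicationId $ApplicationId

    New-AzureRmADAppCredential -ApplicationId $ApplicationId `
        -CertValue ([System.Convert]::ToBase64String($new.GetRawCertData())) `
        -StartDate $new.NotBefore -EndDate $new.NotAfter | Out-Null

    foreach ($cred in $old) {
        Remove-AzureRmADAppCredential -ApplicationId $ApplicationId -KeyId $cred.KeyId -Force
    }
    Write-Host "Rotated credential for $ApplicationId; removed $($old.Count) old key(s)"
}

# Example rotation call (assumed path):
# Update-AppCertificateCredential -ApplicationId $app.ApplicationId -NewCertPath "C:\certs\automation-app-2019.cer"
```

Every cmdlet here runs in the security context of the master SP, so each call needs the Graph application permission the accepted answer names; with only "Read and write directory data" granted, the New-* calls are what return "Insufficient privileges".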

Answers (1)

Pete Philters

Reputation: 889

The error you're getting

Resource not found for the segment 'me'

is because when you get an insufficient privileges request, the graph API navigates to the /me endpoint on the Graph API; however, Service Principals do not have this endpoint available to them.

As for the

Insufficient privileges to complete the operation

problem: I have a Service Principal with permission to create Applications. The permission you're looking for, on the Graph API Permission blade, is

App Permission

Manage Apps that this app creates or owns

This Permission allows the service principal to create applications and manage the ones it's created. This is an admin permission so you'll need to press the Grant Permissions button to enable this.

To see what permissions have been granted by users and admins, navigate to the Enterprise Application for the app and select the Permissions blade. Granted permissions are listed here.

Hope that helps.

Upvotes: 3
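The last paragraph of the answer says to check the Enterprise Application's Permissions blade to see what has actually been granted. The same check from a script, as an added example that is not part of the answer: it signs in as the master SP with the client credentials flow and lists the Microsoft Graph application permissions assigned to it, so you can confirm it holds "Manage apps that this app creates or owns" (permission value Application.ReadWrite.OwnedBy) rather than a tenant-wide write permission. Tenant id, app id and secret are placeholders; the Graph endpoints and the well-known Microsoft Graph appId 00000003-0000-0000-c000-000000000000 are real.

```powershell
# Added example, not the answerer's code. Lists the Graph application permissions
# granted to the master SP. Placeholders below must be replaced with your values.
$tenantId     = "<tenant-id>"
$clientId     = "<master-sp-app-id>"
$clientSecret = "<master-sp-secret>"

# Client credentials flow against the v2.0 endpoint; the .default scope yields a
# token carrying whatever application permissions an admin has granted to this SP.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "https://graph.microsoft.com/.default"
        grant_type    = "client_credentials"
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$graph   = "https://graph.microsoft.com/v1.0"

function Get-ServicePrincipalByAppId([string]$AppId) {
    $uri = "$graph/servicePrincipals?`$filter=appId eq '$AppId'"
    return (Invoke-RestMethod -Headers $headers -Uri $uri).value[0]
}

# The master SP's own object, and the Microsoft Graph resource SP whose appRoles
# define the permission values (Application.ReadWrite.OwnedBy etc.).
$masterSp = Get-ServicePrincipalByAppId $clientId
$graphSp  = Get-ServicePrincipalByAppId "00000003-0000-0000-c000-000000000000"

# appRoleAssignments on a service principal are the application permissions an
# admin has granted it; each entry carries a resourceId and an appRoleId.
$assignments = (Invoke-RestMethod -Headers $headers `
    -Uri "$graph/servicePrincipals/$($masterSp.id)/appRoleAssignments").value

$roleValueById = @{}
foreach ($role in $graphSp.appRoles) { $roleValueById[$role.id] = $role.value }

$granted = foreach ($a in $assignments) {
    if ($a.resourceId -eq $graphSp.id) {
        $roleValueById[$a.appRoleId]                       # Microsoft Graph permission value
    } else {
        "$($a.resourceDisplayName):$($a.appRoleId)"        # other resource (e.g. legacy AAD Graph)
    }
}

Write-Host "Application permissions granted to $clientId :"
$granted | ForEach-Object { Write-Host "  $_" }

# Least-privilege checks for a "master" SP whose only job is managing its own apps.
$tooWide = $granted | Where-Object { $_ -in @("Directory.ReadWrite.All", "Application.ReadWrite.All") }
if ($tooWide) {
    Write-Warning "Master SP holds tenant-wide write permissions it does not need: $($tooWide -join ', ')"
}
if ($granted -notcontains "Application.ReadWrite.OwnedBy") {
    Write-Warning "Application.ReadWrite.OwnedBy is not granted; app creation will fail with 'Insufficient privileges'"
}
```

Reading service principals and their appRoleAssignments itself requires a read permission such as Application.Read.All or Directory.Read.All on the calling SP, which the asker's "Read directory data" grant already covers. An assignment only appears here after an admin has pressed Grant Permissions; a permission that is merely requested on the app registration is not in this list, which is exactly the difference the answer points at.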
