Reputation: 2146
I need to use an Azure service principal to programmatically:
1. add/delete passwords for other service principals, and
2. add/delete passwords for itself.
1 is easy to do.
But I can't seem to do 2 due to the following error. Is #2 possible? How?
graphrbac.PasswordCredentialsUpdateParameters failed:
graphrbac.ApplicationsClient#UpdatePasswordCredentials: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error"
Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-06-06T22:19:35","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<ID>"}}]
Upvotes: 1
Views: 1509
Reputation: 42123
Is #2 possible? How?
Yes, it is possible.
Just add your service principal to the Application Administrator directory role in your tenant; no need to add other permissions, it will work (there may be some delay).
Navigate to the Azure Active Directory in the portal -> Roles and administrators -> click Application administrator -> Add assignment -> search by your AD App name (service principal name) -> select it -> Select.
My test sample:
I tested it with PowerShell; it should also work in other languages.
Add password:
# Sign in as the service principal itself, using a certificate registered on the app
Connect-AzureAD -TenantId "<TenantId>" -ApplicationId "<ApplicationId>" -CertificateThumbprint "D0F0B179xxxxx6E41833FDE5947"
# <ObjectId> is the object id of the application registration (not the service principal)
New-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove password (it returns no content when successful):
# Note: this assumes the application has exactly one password credential; with several,
# $password is an array and $password.KeyId returns every KeyId
$password = Get-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove-AzureADApplicationPasswordCredential -ObjectId <ObjectId> -KeyId $password.KeyId
Besides, you could check the screenshot in my test sample and that in the portal to make sure the service principal adds/deletes passwords for itself.
Upvotes: 4
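The following PowerShell script is an added example, not code from the question or from either answer. It ties the two steps of the answer above into one self-rotation run: sign in as the service principal, check that the Application Administrator role assignment has actually propagated (so an Authorization_RequestDenied is caught up front), add a new password with an explicit lifetime and label, and optionally remove the other password credentials once the new value has been deployed. The tenant id, application id, certificate thumbprint and the `-RemoveOthers` switch are assumptions for illustration; the cmdlets are the AzureAD module ones used in the answer. Two caveats a practitioner should weigh: Application Administrator lets this principal add credentials to every application registration in the tenant, not only its own, so the principal must be protected like a tenant admin; and the AzureAD module has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, although the cmdlets below still work as shown.

```powershell
# Added example (not part of the original Q&A): a service principal rotating its own
# password credential after being placed in the Application Administrator directory role.
# <TenantId>, <ApplicationId> and <CertificateThumbprint> are placeholders (assumptions).
param(
    [string]$TenantId      = "<TenantId>",
    [string]$ApplicationId = "<ApplicationId>",          # app (client) id of the SP itself
    [string]$Thumbprint    = "<CertificateThumbprint>",  # cert registered on that app
    [int]$ValidityDays     = 90,                         # lifetime of the new secret
    [switch]$RemoveOthers                                # delete every other password credential
)

Import-Module AzureAD

# 1. Sign in as the service principal itself (certificate auth, as in the answer).
Connect-AzureAD -TenantId $TenantId -ApplicationId $ApplicationId `
    -CertificateThumbprint $Thumbprint | Out-Null

# 2. Resolve the application registration and the service principal behind this app id.
$app = Get-AzureADApplication -Filter "appId eq '$ApplicationId'"
if (-not $app) { throw "No application registration found for appId $ApplicationId" }
$sp  = Get-AzureADServicePrincipal -Filter "appId eq '$ApplicationId'"

# 3. Pre-flight: is the SP really a member of Application Administrator yet?
#    The answer notes the assignment can take a while to become effective.
$role = Get-AzureADDirectoryRole -Filter "displayName eq 'Application Administrator'"
$isMember = $false
if ($role) {
    $isMember = [bool](Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
                       Where-Object { $_.ObjectId -eq $sp.ObjectId })
}
if (-not $isMember) {
    Write-Warning "SP $ApplicationId is not (yet) in Application Administrator; the credential update will likely return Authorization_RequestDenied."
}

# 4. Add a new password with a label and a bounded lifetime, so it can be told apart
#    from older ones and expires on its own if rotation is ever missed.
$label = "rotated-" + (Get-Date -Format "yyyyMMdd")
$now   = Get-Date
$new   = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
            -CustomKeyIdentifier $label -StartDate $now -EndDate $now.AddDays($ValidityDays)
# The plaintext secret is only returned once, in $new.Value; hand it to your secret store here.
Write-Host "New secret KeyId $($new.KeyId), valid until $($new.EndDate). Store `$new.Value now."

# 5. Optionally retire the older password credentials (do this only after every consumer
#    of the old secret has been switched to the new one).
if ($RemoveOthers) {
    Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId |
        Where-Object { $_.KeyId -ne $new.KeyId } |
        ForEach-Object {
            Remove-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -KeyId $_.KeyId
            Write-Host "Removed old secret KeyId $($_.KeyId)"
        }
}

# 6. Show what is left, so the run can be audited.
Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId |
    Select-Object KeyId, StartDate, EndDate
```

Run it first without `-RemoveOthers` to confirm the role assignment has propagated and the new secret lands; rerun with the switch once the new value is in use. Signing in with a certificate rather than a password, as the answer does, is what makes the last step safe: deleting the old password cannot lock the script out of its own session.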
Reputation: 22495
It seems you are trying to update your service principal and have hit an error.
As the error says, you don't have permission for this operation.
Reason for the error: you may not have sufficient permission on your application for this operation.
Action to take:
Assign the following permissions to your application. Please follow the steps below:
Azure portal -> Azure Active Directory -> Directory: select Directory.Read.All -> Application: select Application.ReadWrite.All -> YourTenant
See the screen shot below:
Note: You also need to have at least the Contributor directory role on that application, as the Contributor can create and manage all types of Azure resources but can't grant access to others.
Upvotes: 1