How to reset credentials of an Azure service principal using an automation account PowerShell runbook?

Question

I'm trying to reset the password credentials of a service principal (let's call it SP1) through the following PowerShell commands:

Remove-AzADSpCredential -ObjectId  <SP1_objectId> -Force
$Password = New-AzADSpCredential -ObjectId <SP1_objectId> 

This works well when I run it through the PowerShell by my own user account, which has an Owner role assigned to SP1.

I also have this code in a runbook in an automation account with a "run as account" service principal (let's call it SP2).

I assigned the ownership of SP1 to SP2 as well through the command Add-AzureADServicePrincipalOwner and confirmed it through Get-AzureADServicePrincipalOwner.

I expected the runbook to be able to run the Remove-AzADSpCredential command on the SP1 after making its service principal the owner of SP1. But I get the following error:

Remove-AzADSpCredential : Insufficient privileges to complete the operation. At line:43 char:9 + Remove-AzADSpCredential -ObjectId $key.Name -Force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Remove-AzADSpCredential], Exception + FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.RemoveAzureADSpCredentialCommand

And the same error for New-AzADSpCredential command as well.

I thought maybe the ownership of SP1 should be assigned to the App for the run as account, instead of its service principal.
So I also ran the following:

Add-AzureADServicePrincipalOwner -ObjectId <SP1_ObjectId> -RefObjectId <runasaccount_app_ObjectId>

But this wasn't possible, as I got the error:

Code: Request_BadRequest Message: The reference target 'Application_xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' of type 'Application' is invalid for the 'owners' reference.

So I assume the ownership should have been assigned only to SP2, and not to the app.

I looked at here but the accepted answer says

If your user accounts are the Owner of the service principal(Enterprise application), the command New-AzADSpCredential will work.

which is true in my case, and yet, it's not working when running the runbook.

I also looked at here and it seems I need to do the #1 which the OP describes as easy to do.

Any input on how to do this will be greatly appreciated.

Answer 1

If you want to use a service principal to add/remove credentials for another service principal, it is different from using a user account to do that.

I assigned the ownership of SP1 to SP2 as well through the command Add-AzureADServicePrincipalOwner and confirmed it through Get-AzureADServicePrincipalOwner.

This way is correct, but not only the Owner, also you need to give an Application.ReadWrite.OwnedBy Application permission in Azure Active Directory Graph (Not Microsoft Graph)API after that.

Navigate to the API permissions of your automation account corresponded AD App in the portal -> add the permission like below, don't forget to click the Grant admin consent for xxx button at last.

Then test it in the runbook, it works fine.

New-AzADSpCredential -ObjectId xxxxxxxxxxxxx

The combination of Owner and Application.ReadWrite.OwnedBy is the minimum privilege in this case, there are also other ways, you can also give the Application Administrator directory role as you saw here or Application.ReadWrite.All Application permission in Azure Active Directory Graph, both will work.