azure-cli: ServicePrincipal creating ServicePrincipal - Insufficient privileges to complete the operation
Describe the bug
As a ServicePrincipal, I want to create another ServicePrincipal by using the command below. The last section contains parts of the debug log.
Command Name
az ad sp create-for-rbac
Errors:
Insufficient privileges to complete the operation.
To Reproduce:
The below command is run as SP with all possible roles and directory roles assigned (tried Global Administrator too)
az ad sp create-for-rbac --skip-assignment --name {} --scopes acrpull --role {} --keyvault {} --create-cert --cert {} --debug
Expected Behavior
The above command should create the SP
Environment Summary
macOS-10.15.3-x86_64-i386-64bit
Python 3.8.2
azure-cli 2.2.0 *
Additional Context
The above command in --debug mode shows that the actual SP creation succeeds - just the last request, which seems to enable the created SP, fails. This is my interpretation of running rg "Request body" -A 1 on the debug output, which gives:
msrest.http_logger : Request body:
msrest.http_logger : None
--
msrest.http_logger : Request body:
msrest.http_logger : None
--
msrest.http_logger : Request body:
msrest.http_logger : {"availableToOtherTenants": false, "homepage": "...", "keyCredentials": [{"startDate": "2020-04-09T18:39:10.174059Z", "endDate": "2021-04-09T18:39:10.174059Z", "value": "<VALUE>", "keyId": "<KEY-ID>", "usage": "Verify", "type": "AsymmetricX509Cert"}], "displayName": "<NAME>", "identifierUris": ["<URI>"]}
--
msrest.http_logger : Request body:
msrest.http_logger : {"accountEnabled": "True", "appId": "<ID>"}
The response to the last request with body {"accountEnabled": "True", "appId": "<ID>"} is:
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"...","date":"2020-04-09T18:40:10"}}
msrest.exceptions : Insufficient privileges to complete the operation.
Creating service principal failed for appid '<APP-ID>'. Trace followed:
{'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8', 'Expires': '-1', 'ocp-aad-diagnostics-server-name': '...', 'request-id': '...', 'client-request-id': '...', 'x-ms-dirapi-data-contract-version': '1.6', 'ocp-aad-session-key': '...', 'DataServiceVersion': '3.0;', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'Access-Control-Allow-Origin': '*', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'Duration': '2215079', 'Date': 'Thu, 09 Apr 2020 18:40:10 GMT', 'Content-Length': '219'}
The log output ends with
cli.azure.cli.core.util : Insufficient privileges to complete the operation.
Insufficient privileges to complete the operation.
About this issue
- State: closed
- Created 4 years ago
- Reactions: 1
- Comments: 21 (7 by maintainers)
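The reporter's reading of the debug output (application POST succeeds, servicePrincipals POST is denied) was done by eye with rg. The following is an added example, not code from the azure-cli project or from the reporter, that does the same grouping mechanically: it pairs each msrest.http_logger request with the response that follows it and reports the exchange whose response carries an OData error. SAMPLE_LOG is constructed for this example and only mirrors the shape of the issue's log; the graph.windows.net URLs in it are assumed, not copied from the issue.

```python
"""Find the request that Azure AD denied in an `az ... --debug` transcript.

Added example (not azure-cli code). Groups msrest.http_logger lines into
request/response exchanges and reports the ones that failed.
"""
import json
import re

PREFIX = re.compile(r"^msrest\.http_logger : ")

# Constructed sample modelled on the issue's debug output: the application
# POST succeeds, then the servicePrincipals POST comes back 403. The URLs
# are assumed (AAD Graph endpoint, api-version 1.6), not taken from the issue.
SAMPLE_LOG = """\
msrest.http_logger : Request URL: 'https://graph.windows.net/<TENANT>/applications?api-version=1.6'
msrest.http_logger : Request method: 'POST'
msrest.http_logger : Request headers:
msrest.http_logger :     'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger : Request body:
msrest.http_logger : {"availableToOtherTenants": false, "displayName": "<NAME>", "identifierUris": ["<URI>"]}
msrest.http_logger : Response status: 201
msrest.http_logger : Response content:
msrest.http_logger : {"appId": "<APP-ID>", "objectId": "<OBJECT-ID>"}
msrest.http_logger : Request URL: 'https://graph.windows.net/<TENANT>/servicePrincipals?api-version=1.6'
msrest.http_logger : Request method: 'POST'
msrest.http_logger : Request body:
msrest.http_logger : {"accountEnabled": "True", "appId": "<APP-ID>"}
msrest.http_logger : Response status: 403
msrest.http_logger : Response content:
msrest.http_logger : {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"...","date":"2020-04-09T18:40:10"}}
"""


def _quoted(line):
    """Value after the first colon, with msrest's %r quoting removed."""
    return line.split(":", 1)[1].strip().strip("'")


def parse_exchanges(log_text):
    """Group msrest debug lines into ordered request/response records."""
    exchanges = []
    current = None
    pending = None  # field that the next log line fills: "body" or "content"
    for raw in log_text.splitlines():
        if not PREFIX.match(raw):
            continue  # lines from other loggers are noise for this purpose
        line = PREFIX.sub("", raw, count=1)
        if pending is not None:
            current[pending] = None if line == "None" else line
            pending = None
            continue
        if line.startswith("Request URL:"):
            current = {"url": _quoted(line), "method": None, "body": None,
                       "status": None, "content": None}
            exchanges.append(current)
        elif current is None:
            continue  # a body/status line before any "Request URL" is ignored
        elif line.startswith("Request method:"):
            current["method"] = _quoted(line)
        elif line == "Request body:":
            pending = "body"
        elif line.startswith("Response status:"):
            current["status"] = int(line.split(":", 1)[1])
        elif line == "Response content:":
            pending = "content"
    return exchanges


def find_denied(exchanges):
    """Return (exchange, odata_error_code) for every failed exchange."""
    denied = []
    for ex in exchanges:
        code = None
        try:
            doc = json.loads(ex["content"]) if ex["content"] else None
        except ValueError:
            doc = None
        if isinstance(doc, dict) and isinstance(doc.get("odata.error"), dict):
            code = doc["odata.error"].get("code")
        if code or (ex["status"] or 0) >= 400:
            denied.append((ex, code))
    return denied


def explain(log_text):
    """One line per denied call: method, URL, status, error code and body."""
    lines = []
    for ex, code in find_denied(parse_exchanges(log_text)):
        lines.append(f"{ex['method']} {ex['url']} -> {ex['status']} "
                     f"{code or 'error'}; body={ex['body']}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in explain(text):
        print(line)
```

Run it as `az ad sp create-for-rbac ... --debug 2> debug.log; python find_denied.py debug.log`. The point of isolating the denied exchange is that it names the object type the caller may not create: here the denial is on the servicePrincipals POST, not on the application POST, so the missing privilege is service-principal creation, which is what the permission discussion further down in the thread turns on.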
I am currently trying to set up a pipeline where a Service Principal has permissions to create other SPs on demand. It appears that with the update from AAD Graph to MS Graph, there is a lot of confusing information online as to how this should properly be set up. Since testing in the corporate environment is difficult, as I would need to constantly be going back to the Azure Admin to get him to Admin Approve my API permission requests, I decided to test in a personal account I control.
First, I created the "top" SP with az ad sp create-for-rbac --name devopsagent --role owner. From there, I create a clean environment, install az cli and login: az login --service-principal -u "devopsagent_appid" -p "devopsagent_pass" --tenant "ad_tenant"
Now, I try to create a secondary SP:
az ad sp create-for-rbac --skip-assignment --name limited-sp
This, as expected, fails:
ValidationError: Insufficient privileges to complete the operation.
At this point, I started trying to find the minimum set of permissions that would get this working. This is where my confusion is (and why I am adding to this issue):
The Azure portal recommends using Microsoft Graph API permissions, instead of Azure Active Directory Graph, which is now on life support. So I try adding these two MS Graph permissions in the portal:
This does not work. I get either:
or (not entirely sure why the error changes, maybe because of back-and-forth with permissions)
I tried changing the Directory.Read.All to Directory.ReadWriteAll, same result. Additionally, I tried adding Directory.ReadWriteAll from the AAD Graph API, same result. The only way I can get it to work, is adding these two permissions:
This makes the request work. Most interestingly, removing the MS Graph permissions and only leaving the AAD ones makes no difference. So as of today, it does not seem that the az cli is using the MS Graph API at all, at least for this particular task. Is this correct?
As an additional note, based on previous comments on this issue, I did not need to add the top SP to any groups (global admin or others). As mentioned above, even adding to the Global Admins group, I still got an error.
My az --version is:
I guess my main question is, will the MS Graph API permissions eventually replace the AAD ones? This is my understanding. So, in preparation and to bother the Azure Admin as little as possible, should I add both sets of API permissions? Or is there something I am not getting correctly?
Also, currently using any APIs from the AAD set, pops up this warning in the Azure window, which the Admin will see and will ask about 😆 So I guess an answer to my above questions should make for a proper answer for him.
Thank you for your work on this!
Hi @eugeneromero, thank you for the detailed explanation. Your statement is correct: Azure CLI az ad command group currently only uses Azure Active Directory Graph, so you need to add Azure Active Directory Graph permissions for az ad to work.
If you are interested in using Microsoft Graph, please add corresponding Microsoft Graph permissions and use az rest to make the API calls. Please see https://github.com/Azure/azure-cli/issues/12946 for more detail on the explanation and instructions on using az rest with Microsoft Graph.
Azure CLI team is working on migrating az ad to use Microsoft Graph, but this is a big task and we can't provide a solid ETA yet. Meanwhile, Microsoft Graph team is currently working on their own CLI tool: https://github.com/microsoftgraph/msgraph-cli. This project is still at its early phase. You are very welcome to play with it and share any feedback.
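The maintainer's answer above points at az rest against Microsoft Graph as the way to do what az ad sp create-for-rbac does, using only Microsoft Graph permissions. The following is an added example, not code from the azure-cli project or from anyone in this thread, that runs that sequence: register an application, create its service principal, add a client secret. Assumptions: az login has already succeeded; the signed-in principal holds an admin-consented Microsoft Graph application permission that allows creating applications and service principals (Application.ReadWrite.All is the broad one; verify against the current Graph documentation for your tenant); the v1.0 endpoint paths and response fields used are the documented ones; az rest obtains the graph.microsoft.com token from the current login session. The scripted_runner helper is an offline stand-in for az rest so the call sequence can be checked without a tenant.

```python
"""Create an app registration and its service principal via Microsoft Graph.

Added example (not azure-cli code). Each call goes through `az rest`, which
uses the current `az login` session; `run` is injectable so the sequence can
be exercised offline with canned responses.
"""
import json
import subprocess

GRAPH = "https://graph.microsoft.com/v1.0"


def az_rest(method, url, body=None):
    """Invoke `az rest` and return the parsed JSON response (None if empty)."""
    cmd = ["az", "rest", "--method", method, "--url", url, "--output", "json"]
    if body is not None:
        cmd += ["--headers", "Content-Type=application/json",
                "--body", json.dumps(body)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        # A missing Graph permission surfaces here as a 403 with
        # Authorization_RequestDenied, the same message quoted in the issue.
        raise RuntimeError(f"{method} {url} failed: {proc.stderr.strip()}")
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def scripted_runner(responses):
    """Offline stand-in for az_rest: replays canned responses, records calls."""
    calls = []
    queue = list(responses)

    def run(method, url, body=None):
        calls.append((method, url, body))
        return queue.pop(0)

    run.calls = calls
    return run


def create_service_principal(display_name, run=az_rest):
    """Register an application, create its service principal, add a secret.

    The three requests mirror what `az ad sp create-for-rbac` does against AAD
    Graph (the issue's debug log shows the application POST succeeding and the
    servicePrincipals POST being denied); here each is a Graph v1.0 request.
    Returns the values a pipeline passes to `az login --service-principal`.
    """
    app = run("POST", f"{GRAPH}/applications", {"displayName": display_name})
    sp = run("POST", f"{GRAPH}/servicePrincipals", {"appId": app["appId"]})
    secret = run("POST", f"{GRAPH}/applications/{app['id']}/addPassword",
                 {"passwordCredential": {"displayName": f"{display_name}-initial"}})
    return {
        "appId": app["appId"],
        "servicePrincipalId": sp["id"],
        "password": secret["secretText"],       # shown once; store it, never log it
        "expires": secret.get("endDateTime"),
    }


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "limited-sp"
    # Live run: prints the new credential, so redirect into your secret store.
    print(json.dumps(create_service_principal(name), indent=2))
```

Two practical notes. The Microsoft Graph permissions the reporter added in the portal are the ones that govern these az rest calls; they have no effect on az ad, which at the time of this thread still spoke to Azure Active Directory Graph, which is why only the AAD Graph permissions changed the outcome for az ad sp create-for-rbac. And a certificate credential of the kind --create-cert produces goes through the application's addKey action rather than addPassword; that variant is not shown here.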
Thanks @eugeneromero… Having to jump through hoops and look at Github issues to fix a problem always makes me feel like I’m doing something unintended.