azure-cli: ServicePrincipal creating ServicePrincipal - Insufficient privileges to complete the operation

Describe the bug

As a ServicePrincipal, I want to create another ServicePrincipal by using the command below. The last section contains parts of the debug log.

Command Name az ad sp create-for-rbac

Errors:

Insufficient privileges to complete the operation.

To Reproduce:

The below command is run as SP with all possible roles and directory roles assigned (tried Global Administrator too)

  • az ad sp create-for-rbac --skip-assignment --name {} --scopes acrpull --role {} --keyvault {} --create-cert --cert {} --debug

Expected Behavior

The above command should create the SP

Environment Summary

macOS-10.15.3-x86_64-i386-64bit
Python 3.8.2

azure-cli 2.2.0 *

Additional Context

The above command in --debug mode shows that the actual SP creation succeeds - just the last request, which seems to enable the created SP, fails. This is my interpretation of running rg "Request body" -A 1 on the debug output, which gives:

msrest.http_logger : Request body:
msrest.http_logger : None
--
msrest.http_logger : Request body:
msrest.http_logger : None
--
msrest.http_logger : Request body:
msrest.http_logger : {"availableToOtherTenants": false, "homepage": "...", "keyCredentials": [{"startDate": "2020-04-09T18:39:10.174059Z", "endDate": "2021-04-09T18:39:10.174059Z", "value": "<VALUE>", "keyId": "<KEY-ID>", "usage": "Verify", "type": "AsymmetricX509Cert"}], "displayName": "<NAME>", "identifierUris": ["<URI>"]}
--
msrest.http_logger : Request body:
msrest.http_logger : {"accountEnabled": "True", "appId": "<ID>"}

The response to the last request with body {"accountEnabled": "True", "appId": "<ID>"} is:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"...","date":"2020-04-09T18:40:10"}}
msrest.exceptions : Insufficient privileges to complete the operation.
Creating service principal failed for appid '<APP-ID>'. Trace followed:
{'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8', 'Expires': '-1', 'ocp-aad-diagnostics-server-name': '...', 'request-id': '..., 'client-request-id': '...', 'x-ms-dirapi-data-contract-version': '1.6', 'ocp-aad-session-key': '...', 'DataServiceVersion': '3.0;', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'Access-Control-Allow-Origin': '*', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'Duration': '2215079', 'Date': 'Thu, 09 Apr 2020 18:40:10 GMT', 'Content-Length': '219'}

The log output ends with

cli.azure.cli.core.util : Insufficient privileges to complete the operation.
Insufficient privileges to complete the operation.
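The debug log above shows the useful triage pattern: `create-for-rbac` issues several directory requests, and only the last one is refused. The helper below is an added example (not azure-cli code) that parses `az --debug` output of the shape quoted in this issue, lists each logged request body, and names the step that was running when `Authorization_RequestDenied` came back, so the missing permission can be matched to the right write. The log sample is constructed from the lines shown here, with `<ID>` style placeholders kept in place of real values; the assumption that the failing request is the last body logged before the error follows how the CLI stops on the first failure.

```python
"""Triage helper for `az --debug` output: pair each logged msrest request body
with the eventual failure. Added example, not part of the azure-cli project.
Log lines are constructed from the shapes quoted in this issue."""
import json

# Constructed sample in the shape of `rg "Request body" -A 1` output followed by
# the response/error lines from the issue; '--' is rg's match separator.
SAMPLE_LOG = """\
msrest.http_logger : Request body:
msrest.http_logger : None
--
msrest.http_logger : Request body:
msrest.http_logger : None
--
msrest.http_logger : Request body:
msrest.http_logger : {"availableToOtherTenants": false, "displayName": "<NAME>", "identifierUris": ["<URI>"]}
--
msrest.http_logger : Request body:
msrest.http_logger : {"accountEnabled": "True", "appId": "<ID>"}
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"...","date":"2020-04-09T18:40:10"}}
msrest.exceptions : Insufficient privileges to complete the operation.
"""

BODY_MARKER = "msrest.http_logger : Request body:"
LOGGER_PREFIX = "msrest.http_logger : "


def extract_request_bodies(lines):
    """Return the body logged after each 'Request body:' marker.
    Reads log the literal 'None'; JSON bodies are decoded, anything else is kept raw."""
    bodies = []
    for i, line in enumerate(lines):
        if line.strip() != BODY_MARKER or i + 1 >= len(lines):
            continue
        raw = lines[i + 1].strip()
        if raw.startswith(LOGGER_PREFIX):
            raw = raw[len(LOGGER_PREFIX):]
        if raw == "None":
            bodies.append(None)
        else:
            try:
                bodies.append(json.loads(raw))
            except json.JSONDecodeError:
                bodies.append(raw)
    return bodies


def extract_error_code(lines):
    """Find the error code in a JSON response line: 'odata.error' is the AAD Graph
    shape seen in this issue, 'error' is the Microsoft Graph shape."""
    for line in lines:
        stripped = line.strip()
        if not stripped.startswith("{"):
            continue
        try:
            doc = json.loads(stripped)
        except json.JSONDecodeError:
            continue
        err = doc.get("odata.error") or doc.get("error")
        if isinstance(err, dict) and "code" in err:
            return err["code"]
    return None


def describe_step(body):
    """Map a request body to the directory write it represents."""
    if body is None:
        return "read (no body)"
    if isinstance(body, dict):
        if "appId" in body:
            return "create/enable service principal for appId %s" % body["appId"]
        if "identifierUris" in body or "displayName" in body:
            return "create application"
    return "other write"


def diagnose(log_text):
    """Summarise the request sequence and, if an error is present, the step
    that was in flight (assumed to be the last body logged before the error)."""
    lines = log_text.splitlines()
    bodies = extract_request_bodies(lines)
    code = extract_error_code(lines)
    failed = bodies[-1] if bodies else None
    return {
        "request_count": len(bodies),
        "steps": [describe_step(b) for b in bodies],
        "error_code": code,
        "failed_step": describe_step(failed) if code else None,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_LOG), indent=2))
```

Run it against a real `az ... --debug 2>&1` capture instead of `SAMPLE_LOG`: if the reported failed step is the service principal write while the application create succeeded, the calling identity can register applications but not create or enable service principals, which is exactly the split this issue describes.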

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 21 (7 by maintainers)

Most upvoted comments

I am currently trying to set up a pipeline where a Service Principal has permissions to create other SPs on demand. It appears that with the update from AAD Graph to MS Graph, there is a lot of confusing information online as to how this should properly be set up. Since testing in the corporate environment is difficult, as I would need to constantly be going back to the Azure Admin to get him to Admin Approve my API permission requests, I decided to test in a personal account I control.

First, I created the “top” SP with az ad sp create-for-rbac --name devopsagent --role owner. From there, I create a clean environment, install az cli and login:

az login --service-principal -u "devopsagent_appid" -p "devopsagent_pass" --tenant "ad_tenant"

Now, I try to create a secondary SP:

az ad sp create-for-rbac --skip-assignment --name limited-sp

This, as expected, fails: ValidationError: Insufficient privileges to complete the operation.

At this point, I started trying to find the minimum set of permissions that would get this working. This is where my confusion is (and why I am adding to this issue):

The Azure portal recommends using Microsoft Graph API permissions, instead of Azure Active Directory Graph, which is now on life support. So I try adding these two MS Graph permissions in the portal:

Microsoft Graph/Application permissions/Application/Application.ReadWrite.OwnedBy
Microsoft Graph/Application permissions/Directory/Directory.Read.All

This does not work. I get either:

ValidationError: Insufficient privileges to complete the operation.

or (not entirely sure why the error changes, maybe because of back-and-forth with permissions)

ValidationError: Directory permission is needed for the current user to register the application. For how to configure, please refer 'https://docs.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: Insufficient privileges to complete the operation.

I tried changing the Directory.Read.All to Directory.ReadWrite.All, same result. Additionally, I tried adding Directory.ReadWrite.All from the AAD Graph API, same result. The only way I can get it to work, is adding these two permissions:

Azure Active Directory Graph/Application permissions/Application/Application.ReadWrite.OwnedBy
Azure Active Directory Graph/Application permissions/Directory/Directory.Read.All

This makes the request work. Most interestingly, removing the MS Graph permissions and only leaving the AAD ones makes no difference. So as of today, it does not seem that the az cli is using the MS Graph API at all, at least for this particular task. Is this correct?

As an additional note, based on previous comments on this issue, I did not need to add the top SP to any groups (global admin or others). As mentioned above, even adding to the Global Admins group, I still got an error.

My az --version is:

# az --version
azure-cli                         2.12.1
core                              2.12.1
telemetry                          1.0.6

Python location '/opt/az/bin/python3'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.6.10 (default, Sep 28 2020, 08:41:31) 
[GCC 9.3.0]
Your CLI is up-to-date.

I guess my main question is, will the MS Graph API permissions eventually replace the AAD ones? This is my understanding. So, in preparation and to bother the Azure Admin as little as possible, should I add both sets of API permissions? Or is there something I am not getting correctly?

Also, currently using any APIs from the AAD set, pops up this warning in the Azure window, which the Admin will see and will ask about 😆 So I guess an answer to my above questions should make for a proper answer for him.


Thank you for your work on this!

Hi @eugeneromero, thank you for the detailed explanation. Your statement is correct: Azure CLI az ad command group currently only uses Azure Active Directory Graph, so you need to add Azure Active Directory Graph permissions for az ad to work.

If you are interested in using Microsoft Graph, please add corresponding Microsoft Graph permissions and use az rest to make the API calls. Please see https://github.com/Azure/azure-cli/issues/12946 for more detail on the explanation and instructions on using az rest with Microsoft Graph.

The Azure CLI team is working on migrating az ad to use Microsoft Graph, but this is a big task and we can’t provide a solid ETA yet.

Meanwhile, the Microsoft Graph team is currently working on their own CLI tool: https://github.com/microsoftgraph/msgraph-cli. This project is still at its early phase. You are very welcome to play with it and share any feedback.
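The maintainer's suggestion, creating the principal through Microsoft Graph with `az rest` instead of `az ad`, comes down to two writes: `POST /v1.0/applications`, then `POST /v1.0/servicePrincipals` with the new `appId`. The script below is an added example, not azure-cli code, that drives those two calls through `az rest` (so the CLI's existing login is reused) and turns a Microsoft Graph `Authorization_RequestDenied` answer into a message naming the kind of permission that is missing. It assumes the calling identity holds a Microsoft Graph application permission covering application and service principal writes, such as Application.ReadWrite.OwnedBy; which permission the tenant admin grants is their decision. The `make_fake_graph` transport is constructed so the flow can be exercised offline.

```python
"""Create an application and its service principal via Microsoft Graph using
`az rest` as the transport. Added example, not part of azure-cli or msgraph-cli.
Assumes the logged-in identity holds an Application.ReadWrite.* Graph permission."""
import json
import subprocess

GRAPH = "https://graph.microsoft.com/v1.0"


class GraphPermissionError(RuntimeError):
    """Raised when Graph answers Authorization_RequestDenied."""


def az_rest_post(url, body):
    """Transport: POST `body` with `az rest`, which attaches a Graph token from the
    CLI's own login. Returns the decoded JSON response; raises on CLI failure."""
    cmd = ["az", "rest", "--method", "post", "--url", url,
           "--headers", "Content-Type=application/json",
           "--body", json.dumps(body), "-o", "json"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"az rest failed for {url}: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def _check(resp, step):
    """Map a Graph error object to an exception; permission denials get a hint."""
    err = resp.get("error")
    if not err:
        return
    if err.get("code") == "Authorization_RequestDenied":
        raise GraphPermissionError(
            f"{step}: {err.get('message')} (the calling identity lacks a Microsoft "
            "Graph application permission covering this write, e.g. Application.ReadWrite.OwnedBy)")
    raise RuntimeError(f"{step}: {err}")


def create_app_and_sp(display_name, post=az_rest_post):
    """Register an application, then create its service principal.
    Returns (appId, service principal object id)."""
    app = post(f"{GRAPH}/applications", {"displayName": display_name})
    _check(app, "create application")
    sp = post(f"{GRAPH}/servicePrincipals",
              {"appId": app["appId"], "accountEnabled": True})
    _check(sp, "create service principal")
    return app["appId"], sp["id"]


def make_fake_graph(granted_permissions):
    """Offline stand-in for az_rest_post, constructed for this example: it refuses
    both writes unless an Application.ReadWrite.* permission is in the list."""
    allowed = any(p.startswith("Application.ReadWrite.") for p in granted_permissions)

    def post(url, body):
        if not allowed:
            return {"error": {"code": "Authorization_RequestDenied",
                              "message": "Insufficient privileges to complete the operation."}}
        if url.endswith("/applications"):
            return {"appId": "00000000-0000-0000-0000-000000000001",
                    "displayName": body["displayName"]}
        if url.endswith("/servicePrincipals"):
            return {"id": "00000000-0000-0000-0000-000000000002", "appId": body["appId"]}
        return {"error": {"code": "BadRequest", "message": f"unexpected url {url}"}}

    return post


if __name__ == "__main__":
    # Offline demonstration; swap in the default transport for a real tenant.
    print(create_app_and_sp("limited-sp", post=make_fake_graph(["Application.ReadWrite.OwnedBy"])))
    try:
        create_app_and_sp("limited-sp", post=make_fake_graph(["Directory.Read.All"]))
    except GraphPermissionError as exc:
        print("denied:", exc)
```

Against a real tenant, call `create_app_and_sp("limited-sp")` after `az login --service-principal ...`; the returned object id is what a later role assignment or ownership change would reference. Keeping the two writes explicit also makes it obvious which one a denial refers to, which `az ad sp create-for-rbac` hides behind a single command.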

Thanks @eugeneromero… Having to jump through hoops and look at Github issues to fix a problem always makes me feel like I’m doing something unintended.