azure-dev: `azd pipeline config` - Insufficient privileges to complete the operation

Describe the issue: azd pipeline config test fails.

The failure error is as follows:

[screenshot of the error]

Repro steps:

  1. Run command azd up
  2. Run command azd pipeline config

Environment:

  • OS: Linux desktop. Templates: todo-nodejs-mongo, todo-csharp-cosmos-sql, todo-nodejs-mongo-swa-func, todo-python-mongo, todo-python-mongo-swa-func

  • OS: CodeSpace. Templates: todo-csharp-cosmos-sql, todo-nodejs-mongo, todo-nodejs-mongo-aca, todo-nodejs-mongo-swa-func, todo-python-mongo, todo-python-mongo-aca, todo-python-mongo-swa-func

Expected behavior: In a Linux environment, when the Azure CLI version is 2.38.0, the azd pipeline config test can succeed.

@rajeshkamal5050, @jongio for notification.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 34 (29 by maintainers)

Most upvoted comments

Thank you @rajeshkamal5050

Both issues are sort of related, as they are both a side effect of the same Conditional Access Policy.

But it is OK to use both issues.

So, for using a service principal, I have checked what the required permissions to be added to the service principal are, and they are:

  • Application.ReadWrite.All for Microsoft Graph

This access requires admin consent, so it won’t be possible to have it within the Microsoft tenant. (Microsoft does not provide admin consent for testing applications.)

So, this test scenario for using a service principal to log in (az login --service-principal) won’t work when using any Azure subscription within the Microsoft tenant.

In order to use a service principal, please create a new Azure Subscription outside the Microsoft tenant.

Here’s a way to do it:

  1. Go to http://my.visualstudio.com/
  2. Log in with a Microsoft account (it can be @microsoft.com, @outlook.com, @hotmail.com, etc. Any personal or work account is valid.)
  3. Click on Try Azure for free (for personal accounts) or on Use credits in Azure to explore (for @microsoft accounts).
  4. Follow the activation instructions to set up a new Azure subscription.
  5. Once the subscription is ready, use the Azure Portal to create a Service Principal. You can use the Azure portal search to find the App registrations section.
  6. Go to API permissions and click Add permissions.
  7. Select Microsoft Graph.
  8. Select Application permissions.
  9. Look for Application.ReadWrite and add it.
  10. Click on Grant Admin consent for <subscription>. It should be enabled as you are the owner and admin of the tenant, so you can grant the permission.

At this point, the service principal is allowed to list/update/create service principals within the subscription. The next step is to assign the User Access Administrator role to the Service Principal within the subscription so it can assign roles/access within the Azure subscription.

You should already know how to do this step, as it is the result of this: https://github.com/Azure/azure-dev/issues/197#issuecomment-1255779265

Note: You only need to add the User Access Administrator role for azd pipeline config. But you might need the Contributor role for other azd operations.

Once you add the roles, you are ready to log in with az login using the Service Principal within the test subscription 😃

Let me know if you try this and have any issues.
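A pre-flight check for the two requirements the comment above lists (Application.ReadWrite.All on Microsoft Graph with admin consent granted, and User Access Administrator on the subscription), added here as an example; it is not part of this thread or of azd itself. It evaluates the JSON shapes returned by Microsoft Graph (a service principal's appRoles and appRoleAssignments) and by az role assignment list; the sample documents and every GUID in them are constructed placeholders.

```python
"""Pre-flight check for the service-principal permissions azd pipeline config needs (added example)."""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph
REQUIRED_GRAPH_ROLE = "Application.ReadWrite.All"      # application permission; requires admin consent
REQUIRED_RBAC_ROLE = "User Access Administrator"       # lets azd assign roles inside the subscription

# Real inputs come from (logged in as an account that can read the tenant):
#   az ad sp show --id 00000003-0000-0000-c000-000000000000                      -> graph_sp (id, appRoles)
#   az rest --method get --url https://graph.microsoft.com/v1.0/servicePrincipals/<sp objectId>/appRoleAssignments
#                                                                                -> assignments ("value" array)
#   az role assignment list --assignee <sp appId> --scope /subscriptions/<id>      -> role_assignments

def has_graph_app_role(graph_sp: dict, assignments: list, role_value: str = REQUIRED_GRAPH_ROLE) -> bool:
    """True when the SP holds `role_value` on Graph as an application permission *with consent granted*.
    An appRoleAssignment only exists after admin consent, so adding the permission alone does not pass."""
    role_ids = {r["id"] for r in graph_sp.get("appRoles", [])
                if r.get("value") == role_value and "Application" in r.get("allowedMemberTypes", [])}
    return any(a.get("resourceId") == graph_sp["id"] and a.get("appRoleId") in role_ids
               for a in assignments)

def has_rbac_role(role_assignments: list, subscription_id: str, role_name: str = REQUIRED_RBAC_ROLE) -> bool:
    """True when `role_name` is assigned at the subscription scope or the tenant root scope ("/").
    Narrower scopes (a resource group) do not count; management-group scopes are not evaluated here
    because the subscription's ancestry is not part of the input."""
    accepted = {"/", f"/subscriptions/{subscription_id}".lower()}
    return any(ra.get("roleDefinitionName") == role_name and ra.get("scope", "").lower() in accepted
               for ra in role_assignments)

def preflight(graph_sp: dict, assignments: list, role_assignments: list, subscription_id: str) -> list:
    """Return the unmet requirements; an empty list means the SP should get past the privilege error."""
    missing = []
    if not has_graph_app_role(graph_sp, assignments):
        missing.append(f"Graph application permission {REQUIRED_GRAPH_ROLE} (with admin consent)")
    if not has_rbac_role(role_assignments, subscription_id):
        missing.append(f"{REQUIRED_RBAC_ROLE} role on /subscriptions/{subscription_id}")
    return missing

# Constructed sample inputs; every GUID below is a placeholder, not a real identifier.
GRAPH_SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_GRAPH_SP = {"id": GRAPH_SP_OBJECT_ID, "appId": GRAPH_APP_ID, "appRoles": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Application.ReadWrite.All", "allowedMemberTypes": ["Application"]},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Application.Read.All", "allowedMemberTypes": ["Application"]}]}
SAMPLE_ASSIGNMENTS_OK = [{"resourceId": GRAPH_SP_OBJECT_ID, "appRoleId": "aaaaaaaa-0000-0000-0000-000000000001"}]
SAMPLE_ASSIGNMENTS_READ_ONLY = [{"resourceId": GRAPH_SP_OBJECT_ID, "appRoleId": "aaaaaaaa-0000-0000-0000-000000000002"}]
SAMPLE_RBAC_OK = [{"roleDefinitionName": REQUIRED_RBAC_ROLE, "scope": "/subscriptions/SUB-PLACEHOLDER"}]
SAMPLE_RBAC_CONTRIBUTOR_ONLY = [{"roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-PLACEHOLDER"}]

if __name__ == "__main__":
    print(preflight(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS_OK, SAMPLE_RBAC_OK, "SUB-PLACEHOLDER"))  # []
    print(preflight(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS_READ_ONLY, SAMPLE_RBAC_CONTRIBUTOR_ONLY, "SUB-PLACEHOLDER"))
```

The second call reports both gaps, which is the state an SP is in when Application.ReadWrite.All was added in the portal but never consented and only Contributor was assigned.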

Removing blocker based on above update. Let us try to document it as a limitation based on

@vhvb1989 can you work with @puicchan to get it documented.