Trying to create a new client secret using powershell script. while executing New-AzureADApplicationPasswordCredential from powershell ISE, getting below error:
New-AzureADApplicationPasswordCredential : Error occurred while executing SetApplication
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 1234567-abcd-1234-7890-1234567890
DateTimeStamp: Mon, 12 Dec 2022 05:21:54 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
Attached image has the API permissions given for the SP used to authenticate to AD. The SP has read/write access on AD graph and MS Graph and has Admin consent on org as well.
I tried in my environment and got below results:
Initially I tried the same command and got same error.
Console:
Make sure the User or service principal with whom you are trying to login into azure has at least contributor role or owner role at subscription level.
Go to portal -> Subscription -> Access control(IAM) -> Add role assignments ->Add Contributor or Owner to your user or SP.
Also, make sure User or SP has Azure AD role of at least Application Administrator.
Go to portal -> Azure-Active-Directory -> Roles and Administrators ->Application Administrator -> Add the role to your User or SP.
After Assigning both roles in my environment, I got the Client-Secret successfully.
Console:
Related
I am trying to add new permissions to the newly created application. I am the owner of the app.
Try it with az ad app permission add Add-AzADAppPermission.No success, receive that error Az.MSGraph.internal\Get-AzADApplication : Insufficient privileges to complete the operation..
Tried it to add permissions from previously asked questions here and Git Hub, but with no success.
azure-cli version:2.44.1
What I'm missing?
Thank you!
I tried to reproduce the same in my environment and got the same error as below:
Even if the user is the owner of the Application, Insufficient privileges error will still occur:
Note that: To assign permissions the user account must have Application Administrator or Global Administrator role.
To resolve the error, I assigned Application Administrator role to the user account like below:
Go to Azure AD roles and administrators -> Select Application Administrator -> Add assignments -> Select members -> Select
After assigning the role, I am able to assign API permission to the Azure AD Application like below:
Connect-AzAccount
Add-AzADAppPermission -ObjectId ObjectID -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5f8c59db-677d-491f-a6b8-5f174b11ec1d
The Group.Read.All API permission added successfully in the Azure Portal like below:
Given I have created an app using this repository in Azure.
And this app is deployed using a Service Principal which was created by below command:
az ad sp create-for-rbac --name "fxpricepredictor" --role contributor --scopes "/subscriptions/YOUR-SUBSCRIPTION-ID/resourceGroups/YOUR-RESOURCE-GROUP-NAME" --sdk-auth
Now, I need to get the API token to manage my created resources using REST APIs.
Based on documentation, I should be able use my tenantId, clientId and client_secret to get the token by calling the bellow endpoint:
curl: POST
https://login.microsoftonline.com/{{tenantId}}/oauth2/token
Please notice that, I am not the global admin in the tenant.
The official sample postman collection is here and here is how my request looks like in postman:
Sadly the endpoint does not provide me the token and instead it returns such error:
{
"error": "unauthorized_client",
"error_description": "AADSTS700016: Application with identifier 'MY_CLIENTID' was not found in the directory 'MY COMPANY'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 5a9a2c53-c3c8-46da-a1a6-551b42082400\r\nCorrelation ID: bf7c5966-ffa4-4312-8a77-434c2560d65a\r\nTimestamp: 2022-10-05 14:54:23Z",
"error_codes": [
700016
],
"timestamp": "2022-10-05 14:54:23Z",
"trace_id": "5a9a2c53-c3c8-46da-a1a6-551b42082400",
"correlation_id": "bf7c5966-ffa4-4312-8a77-434c2560d65a",
"error_uri": "https://login.microsoftonline.com/error?code=700016"
}
please notice, I hided some sensitive values in error response by MY_CLIENTID and MY COMPANY
So, i guess, the main reason that i am facing this issue is that:
This can happen if the application has not been consented to by any user in the tenant.
Meaning that, i should consent my own app. Am I right ?
So, my question is:
How can i get the token to work with REST APIs to manage my resources ?
How can I grant consent to my own app, given that I am not a global Admin ?
Update:
As I figured out, I should be able to Grant Consent to my app using "Microsoft Graph permissions reference". And here is what i have done:
Login to Azure portal
Navigate to "Azure Active Directory"
Navigate to "App registrations"
Click on the created APP ("fxpricepredictor")
Navigate to "API permissions"
Click "Add a permission"
Click on "Microsoft Graph"
Choose "Delegated Permissions"
Search for "authentication" ---> (Sadly this option also requiereds Admin Consent)
I tried to reproduce the same in my environment and got the below results:
When I ran the same command as you, one Azure AD application named fxpricepredictor is automatically created with details like below:
az ad sp create-for-rbac --name "fxpricepredictor" --role contributor --scopes "/subscriptions/<subscriptionID>/resourceGroups/<resourcegroupName>" --sdk-auth
By including above details as parameters, I am able to generate access token successfully via Postman like below:
Please note that, I don't have global administrator role and granting admin_consent is not really required.
With the above access token, I am able to fetch and manage the Azure resources in that resource group like below:
GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups/SriTest/resources?api-version=2021-04-01
Response:
The error AADSTS700016 may also occur if there is no application in your tenant with provided ClientID.
I tried including random ClientID which does not exist in Azure AD tenant and got same error as below:
So, make sure to check whether the application is existing or not with the given ClientID in Azure AD tenant.
I have a new Azure AD
I've switched my subscription over to it
I created a SQL Server managed instance
I went to the SQL Server MI, and to the active directory admin section of the MI.
I attempted to grant read permissions to the AD via the "click here to grand read permissions link"
I received the following error
Any clues?
While clicking on the Grant permissions it should automatically take the User objectId who has logged in to the portal and check the permissions for the user if the user has Global administrator / Directory Reader role(Preview) in the Tenant Or Subscription and finally will perform the operation.
But as you have created a new AD tenant and added it to the subscription it sometimes fails to sync (tenant and subscription) and as per the error Invalid object Identifier null it fails to get the user details .
So, the Issue can be fixed by logging in to the portal from a private window of the browser or signing out of the portal,then clearing the cache of the browser and relogging.
I have created an Service Principal and when I tried to run "az ad sp create-for-rbac --sdk-auth > test.azureauth" y received the following error:
"insufficient privileges to complete the operation"
I gave the following permissions:
Microsoft Graph:
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
Directory.Read.All
Directory.ReadWrite.All
User.Read
But with this permissions is still failing
Any ideas?
Assign Permission to Azure Active Directory Graph then it will work well.
Also, you could assign Global administrator role to your service principal.
Note : This will take several minutes to take effect.
I need to use an Azure service principal to programmatically:
1. add/delete passwords for other services principal , and
2. add/delete passwords for itself
1 is easy to do.
But I can't seem to do 2 due to the following error. Is #2 possible? How?
graphrbac.PasswordCredentialsUpdateParameters failed:
graphrbac.ApplicationsClient#UpdatePasswordCredentials: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error"
Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-06-06T22:19:35","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<ID>"}}]
Is #2 possible? How?
Yes, it is possible.
Just add your service principal to the Application Administrator directory role in your tenant, no need to add other permissions, it will work(there may be some delay).
Navigate to the Azure Active Directory in the portal -> Roles and administrators -> click Application administrator -> Add assignment -> search by your AD App name(service principal name) -> select it -> Select.
My test sample:
I test it with powershell, in other languages, it should also work.
Add password:
Connect-AzureAD -TenantId "<TenantId>" -ApplicationId "<ApplicationId>" -CertificateThumbprint "D0F0B179xxxxx6E41833FDE5947"
New-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove password(it returns no content when successful):
$password = Get-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove-AzureADApplicationPasswordCredential -ObjectId <ObjectId> -KeyId $password.KeyId
Besides, you could check the screenshot in my test sample and that in the portal, make sure the service principal add/delete passwords for itself.
Seems you are trying to update your service principle meanwhile caught an error.
As the error said you don't have permission for this operation.
Reason of Error: You may not have sufficient permission on your application for this operation.
Action To Do:
To do that you have to assign following permission on your application. Please follow the below steps:
Login to azure portal
Click on azure active directory
App registrations
Select you application
API Permission
Add Permission
Microsoft Graph
Application permission
In Directory select Directory.Read.All
In Application select Application.ReadWrite.All
Add Permission
Grant admin consent for YourTennant
See the screen shot below:
Note: You also need to have at least Contributor directory role on that application. As the Contributor can create and manage all types of
Azure resources but can’t grant access to others.