Azure unable to create a run as account - azure

Azure Run As account creation error
An error occurred while creating the Azure Run As account for account 'xxxxxxxxxx'.
Error details:
You don't have enough permissions to access service principal needed for the Run as account in the AAD tenant. See https://aka.ms/AARunAsPermissions for more details.

I think your error message has clearly stated your problem, and you need to grant the account the subscription RBAC owner role.
Use the subscription administrator account to log in to the Azure portal > Subscriptions > your subscription.
In addition, you also need to ensure that you have the permission to create AAD applications. Use the tenant administrator to log in to the Azure portal > Azure AD > User settings and set "Users can register applications" to Yes.

Related

Insufficient privileges to deploy Azure Service Principal

I'm a Microsoft employee and I'm new to Azure. I would like to deploy a Service Principal on my internal Microsoft Azure subscription. Using the Azure CLI, when I run
az ad sp create-for-rbac --name $spn_name
I get the error "Insufficient privileges to complete the operation." The documentation here (https://learn.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest) makes it seem like I don't have Azure Active Directory configured properly.
I don't have Azure Active Directory on my internal subscription. Do I need to add this? If so, how can I set this up on my Microsoft internal account? Is there a way to create a Service Principal without Azure Active Directory?
A normal user without admin roles will also be able to create a service principal, even with the Azure CLI. If the scenario is that you are creating a service principal from an application, then you need application permissions. Please go through this similar question, which helps in fixing your issue.
Does not require you to have administrator permissions.
If your account's user type is just Member in the tenant, make sure that in the portal -> AAD -> User settings -> "Users can register applications" is set to Yes.
It seems that the issue was that my SP name was not unique. Changing the name solved this problem for me.

Azure Add App Registrations you don't have Permission

I'm trying to register an application in Azure following these instructions in the link below.
I go to "App Registrations > New Registration" and get the error "Access Denied. You don't have permission to register applications".
My user permission in the Azure Portal is Owner.
I can't find what permissions I need to set for my user so I can add a new app registration.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
Owner role is an Azure RBAC role and is not the same as Azure AD directory roles which you need to register apps.
Azure RBAC roles apply to subscriptions and resources within them.
Azure AD tenants are above subscriptions.
Your Azure AD admin needs to give you at minimum Application Developer directory role.
Since I had access to more directories, I was just on the wrong one.
So in my case that was my problem, and by switching directory to the correct one where I had access, my problem was solved.
First I checked that I was given the access mentioned above.

Can not create a Run as account and I do have owner rights in the subscription

I found out that you need to have owner rights on your subscription to add a Run As account in an Automation account. But as I search in my services I can see that my role inside the subscription is Owner. Still I can't create a Run As account because I don't have enough permissions?
Is it enough to only have the owner rights on the subscription, or do I need any more permissions?
The issue was caused by your not having the permission to create the AAD App.
If you want to configure Run As accounts, you also need to have the permission to create the AAD App.
For more details about the permissions, refer to this link.
Besides the permissions equivalent to the Owner role for Microsoft.Automation resources, you need to check these:
In the Azure portal, under Azure Active Directory > MANAGE > App registrations, if App registrations is set to Yes, non-admin users in your Azure AD tenant can register Active Directory applications. If App registrations is set to No, the user who performs this action must be a global administrator in Azure AD.
Ref: https://learn.microsoft.com/en-us/azure/automation/automation-create-standalone-account#permissions-required-to-create-an-automation-account

Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation

I am trying to set up an Azure DevOps 'Release' pipeline. When I try to add an Azure Resource Manager service connection, I get an error like 'Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation. For troubleshooting refer to link.'
My organization assigned me an Azure Professional Subscription account. When I click Active Directory, I get an error like 'Access denied. You do not have access. Looks like you don't have access to this content. To get access, please contact the owner.'
What sort of user role does the organization need to assign to me so that I can set up the Azure DevOps release pipeline?
The company can't give me the Global Administrator or User Account Administrator role in ADFS, for security reasons. What is the appropriate ADFS user role permission my company should assign to me?
There's no way to do this without being a Global Admin or Owner on the Azure Active Directory tenant. You need to request access from your organization or else make your own account with your own subscription and publish the application there.
You need to have the Application Administrator role in the AD in order to create the service connections.
After enabling the Application Administrator role from the Azure Active Directory roles, I was able to create the service connection properly.
We are trying to create a service connection named xyz-serviceconn-verify. Now I could create service connections without any error message.
Here, you could see the created service connection, xyz-serviceconn-verify.
Good Luck :)
See the link, last error
https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops&viewFallbackFrom=vsts
This error is coming because you do not have sufficient privileges in your AAD, you do not have Write permission for the selected Azure subscription when the system attempts to assign the Contributor role.
It worked for me when I tried to create my own new AD, and then I moved the subscriptions I got from the company to this AD (it is just for dev and test).
If you want it to work on production, maybe you should ask the administrator to create a new app registration for you and he should grant all permission to you inside this app (I guess).
Best regards,
Tai.
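The two checks that the Run As account answers earlier on the page and the service-connection answers just above both come down to (Owner on the subscription via Azure RBAC, and the ability to create the AAD application via the "Users can register applications" setting or a directory role) can be run as a preflight before opening the wizard. This is an added example, not code from any of the posts; it assumes a logged-in Azure CLI (`az`) and a SUBSCRIPTION_ID exported by the caller, and queries the tenant setting and the caller's directory roles through Microsoft Graph with `az rest`.

```shell
#!/bin/sh
# Added preflight check (not from the original posts). Assumes a logged-in Azure CLI and
# SUBSCRIPTION_ID set by the caller. Nothing runs unless RUN_PREFLIGHT=1, so the pure
# helpers can be sourced and tested on their own.
set -eu

# Pure check. $1 = Azure RBAC role names, one per line. The answers require Owner on the
# subscription itself; Contributor is not enough for a Run As account.
has_owner_role() {
  printf '%s\n' "$1" | grep -qx 'Owner'
}

# Pure check. $1 = tenant setting "Users can register applications" (true/false),
# $2 = the caller's Azure AD directory roles, one per line. With the toggle set to No,
# only an app-admin style directory role still allows creating the AAD application.
can_register_apps() {
  case "$1" in true|True) return 0 ;; esac
  printf '%s\n' "$2" | grep -qE '^(Application Developer|Application Administrator|Cloud Application Administrator|Global Administrator)$'
}

# Live lookups: Azure RBAC through 'az role assignment', directory data through Graph.
subscription_roles() {
  az role assignment list --include-inherited --scope "/subscriptions/$1" \
    --assignee "$(az ad signed-in-user show --query id -o tsv)" \
    --query "[].roleDefinitionName" -o tsv
}
tenant_allows_app_creation() {
  az rest --method get --url "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" \
    --query "defaultUserRolePermissions.allowedToCreateApps" -o tsv
}
my_directory_roles() {
  az rest --method get --url "https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole" \
    --query "value[].displayName" -o tsv
}

run_preflight() {
  if has_owner_role "$(subscription_roles "$1")"; then
    echo "OK: Owner on /subscriptions/$1 (Azure RBAC)"
  else
    echo "FAIL: no Owner assignment on the subscription (an Azure RBAC role, not a directory role)"; return 1
  fi
  if can_register_apps "$(tenant_allows_app_creation)" "$(my_directory_roles)"; then
    echo "OK: this user may create the AAD application for the Run As account / service connection"
  else
    echo "FAIL: app registration is off for users and you hold no app-admin directory role"; return 1
  fi
}

if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then run_preflight "${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID}"; fi
```

Run it with `RUN_PREFLIGHT=1 SUBSCRIPTION_ID=<your subscription id> sh preflight.sh`; a FAIL on the second check is the "Insufficient privileges" / "not enough permissions" case from the threads, and is fixed by the tenant admin, not by more RBAC.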

Azure AAD Role for Octopus Webapp deployments

I'm using Octopus Deploy to deploy an Azure WebApp, using a Service Principal as the authentication mechanism. Following online instructions, I was able to obtain all the IDs and a key, and I created permissions in AAD for the app with a Reader role.
Octopus can successfully retrieve a list of webapps from Azure for the account, but when I deploy I get the following:
System.AggregateException: One or more errors occurred. ---> System.Exception: Retrieving publishing credentials failed with HTTP status 403 - Forbidden
I'm guessing that the Reader role is not authorized for deployments - which would be the most appropriate role? Or is there something else I need to do?
Your Service Principal will need the Contributor role in order to deploy on Azure.
If you take a look at the example PowerShell script we provide in our Azure Service Principal Account guide, you'll see that we assign "Contributor" for the role definition argument.
ie.
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azureAdApplication.ApplicationId
Hope this helps.
If you only use the Service Principal to deploy a web app, you could give it the Website Contributor role.
Website Contributor: "Can manage websites, but not the web plans to which they are connected".
For the actions that Website Contributor can perform, please refer to this link.
If you want the service principal to create an App Service plan, you also need to give it the Web Plan Contributor role.
Owner and Contributor can manage everything; if you need to fine-tune permissions, I suggest you select the Website Contributor role. For more information, please refer to this link: Built-in roles for Azure role-based access control.
Please refer to this link: Assign application to role.
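The Octopus guide's PowerShell assigns Contributor on the whole subscription; the answer above narrows that to Website Contributor (whose actions include Microsoft.Web/sites/*, which covers listing publishing credentials) and, only when the pipeline must manage the plan, Web Plan Contributor. The script below is an added example using the Azure CLI rather than the guide's PowerShell; it is not Octopus Deploy's code, and SUB, RG, SITE, PLAN and SP_APP_ID are placeholders the caller sets.

```shell
#!/bin/sh
# Added example (not Octopus Deploy's script). Scopes the deployment service principal's
# roles to one web app (and optionally its plan) instead of Contributor on the subscription.
# Assumes a logged-in Azure CLI; nothing is changed unless APPLY=1.
set -eu

# Pure helpers: ARM resource ids that act as role-assignment scopes.
site_scope() {  # $1 subscription id, $2 resource group, $3 web app name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s' "$1" "$2" "$3"
}
plan_scope() {  # $1 subscription id, $2 resource group, $3 App Service plan name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/serverfarms/%s' "$1" "$2" "$3"
}

# Live: create one assignment, then read back every assignment the SP holds so that
# nothing broader (a stray subscription-level Contributor) is left behind.
grant_role() {  # $1 SP application (client) id, $2 built-in role name, $3 scope
  az role assignment create --assignee "$1" --role "$2" --scope "$3" -o none
}
show_assignments() {  # $1 SP application (client) id
  az role assignment list --assignee "$1" --all \
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
}

if [ "${APPLY:-0}" = "1" ]; then
  grant_role "$SP_APP_ID" "Website Contributor" "$(site_scope "$SUB" "$RG" "$SITE")"
  # Web Plan Contributor only when the deployment also creates or scales the plan.
  if [ -n "${PLAN:-}" ]; then
    grant_role "$SP_APP_ID" "Web Plan Contributor" "$(plan_scope "$SUB" "$RG" "$PLAN")"
  fi
  show_assignments "$SP_APP_ID"
fi
```

Creating the assignment needs Microsoft.Authorization/roleAssignments/write at that scope (Owner or User Access Administrator), which is the same "Write permission for the selected Azure subscription" point raised in the service-connection thread above.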
