insufficient privileges to complete the operation - service principal - azure

I have created an Service Principal and when I tried to run "az ad sp create-for-rbac --sdk-auth > test.azureauth" y received the following error:
"insufficient privileges to complete the operation"
I gave the following permissions:
Microsoft Graph:
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
Directory.Read.All
Directory.ReadWrite.All
User.Read
But with this permissions is still failing
Any ideas?

Assign Permission to Azure Active Directory Graph then it will work well.
Also, you could assign Global administrator role to your service principal.
Note : This will take several minutes to take effect.

Related

Get-AzADApplication : Insufficient privileges to complete the operation

I am trying to add new permissions to the newly created application. I am the owner of the app.
Try it with az ad app permission add Add-AzADAppPermission.No success, receive that error Az.MSGraph.internal\Get-AzADApplication : Insufficient privileges to complete the operation..
Tried it to add permissions from previously asked questions here and Git Hub, but with no success.
azure-cli version:2.44.1
What I'm missing?
Thank you!
I tried to reproduce the same in my environment and got the same error as below:
Even if the user is the owner of the Application, Insufficient privileges error will still occur:
Note that: To assign permissions the user account must have Application Administrator or Global Administrator role.
To resolve the error, I assigned Application Administrator role to the user account like below:
Go to Azure AD roles and administrators -> Select Application Administrator -> Add assignments -> Select members -> Select
After assigning the role, I am able to assign API permission to the Azure AD Application like below:
Connect-AzAccount
Add-AzADAppPermission -ObjectId ObjectID -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5f8c59db-677d-491f-a6b8-5f174b11ec1d
The Group.Read.All API permission added successfully in the Azure Portal like below:

Azure Runbook and Insufficient Privileges with Get-AzADApplication -

I was hoping to get some advice on the following issue:
I am using System-assigned identity in my automation account for authentication. The role assignment for that system-assigned identity is "Owner" and the Scope is "Subscription".
When I run this command "Connect-AzAccount -Identity" - everything works as expected. However, the next command which is the second one in the script - "Get-AzADApplication" -fails with "Insufficient privileges to complete the operation.".
Why am I unable to list all the applications under my tenant when my system managed identity has the "Owner" role? What am I missing here?

Getting error "Insufficient privileges to complete the operation" while pulling application list using azure-python-sdk

I'm using a service principle with permissions Application.Read.All and Directory.Read.All of Application type to authenticate to Azure and using following code to pull list of Applications in the tenant.
from azure.common.credentials import ServicePrincipalCredentials
from azure.graphrbac import GraphRbacManagementClient
from config import app
credentials = ServicePrincipalCredentials(
client_id = app["CLIENT"],
secret = app["KEY"],
tenant = app["TENANT_ID"],
resource="https://graph.windows.net"
)
graphrbac_client = GraphRbacManagementClient(credentials, app["TENANT"])
for app in graphrbac_client.applications.list():
print("\nApp:")
print(app)
print("******\n")
Any help is much appreciated
Application.Read.All and Directory.Read.All these 2 permissions requires Global Administrator consent for your directory. I would suggest to ask your Global Administrator to provide consent to your service principal.
From your description, I suppose you added the application permission Application.Read.All and Directory.Read.All of Microsoft Graph, because what you need is Azure Active Directory Graph, which does not have the Application.Read.All permission.
In your code, it uses the resource="https://graph.windows.net", which means your code calls the Azure Active Directory Graph, not Microsoft Graph, to solve the issue, just add the application permission Directory.Read.All of Azure Active Directory Graph like below.
Note : After adding the permission, don't forget to click the Grant admin consent for xxx button, otherwise your service principal will not get the permission.
There may be some delay, after half an hour, test the code, it works fine.

"az ad app permission list-grants" doesn't match what is listed for the app in the Azure Portal

I am trying to troubleshoot why certain automation tasks don't work with a Service Principal I've created, most especially any tasks involving Azure Active Directory. The Azure Portal seems to clearly show that the Service Principal has been granted the Microsoft.Graph Directory.Read.All API Permission. The portal also shows that this Service Principal has the User.Read permission as well.
However, when I run az ad app permission list-grants for the Service Principal, it only lists User.Read. This makes me wonder whether the Directory.Read.All permission is actually present. And yes, the portal clearly shows that Directory.Read.All permission has been granted.
How can I confirm that my Service Principal actually does have the Directory.Read.All API Permission?
az ad app permission list-grants --id db7a66b4-06ad-4412-9bbc-73cb34f96ce2 --show-resource-name
[
{
"clientId": "01b359a2-f452-43c6-b290-e5ea1b359f38",
"consentType": "AllPrincipals",
"expiryTime": "2019-12-08T17:07:04.550141",
"objectId": "olmzAVL0xkOykOXqGzWfOAvNygY8CKVIummKcmVpwq8",
"odatatype": null,
"principalId": null,
"resourceDisplayName": "Microsoft Graph",
"resourceId": "06cacd0b-083c-48a5-ba69-8a726569c2af",
"scope": "User.Read",
"startTime": "0001-01-01T00:00:00"
}
]
And a crude recreation of what I see in the portal for this Service Principal under Azure Active Directory > App Registrations > (Service Principal Name) > API Permissions:
API/Permissions name Type Admin Consent Required
-------------------- ----------- -----------------------------------
Microsoft Graph (2)
Directory.Read.All Application Yes <green check> Granted for MyOrg
User.Read Delegated <green check> Granted for MyOrg
As you have found, the reason is the Azure CLI command az ad app permissions list-grants just list the delegated permissions.
If you also want to get the application permissions granted to the service principal,
currently it is not supported by the Azure CLI and Az powershell module, you need to use AzureAD powershell module.
Try the script as below, it writes output the API name and corresponding permission.
Note the ObjectId in the first line is the ObjectId of your service principal, not the AD App(App registration), you can find it in the Enterprise applications in the portal(filter with All applications).
$apppermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId <ObjectId of your service principal>
foreach($item in $apppermissions){
$item.ResourceDisplayName
(Get-AzureADServicePrincipal -ObjectId $item.ResourceId).AppRoles | Where-Object {$_.Id -eq $item.Id}
}
The permissions in the App registration in the portal:
Here is a similar issue, you can also take a look.
I finally figured this out, and it was less than obvious.
az ad app permissions list-grants lists oauth2 permissions. In other words, delegated permissions.
My Service Principal's Directory.Read.All permission is an application permission. That means it's a permission my Service Principal has in its own right without needing another user's authentication token.
I'm still trying to figure out how to list the Application permissions using the new az commands and/or the new Get-Az PowerShell modules. If I find out how I'll update this answer.
I found out you can get that output with az cli but by using the rest command like this:
az rest --method get --url https://graph.microsoft.com/v1.0/servicePrincipals/{YOUR_SERVICE_PRINCIPAL_ID}/appRoleAssignments

Can Azure Service Principal Update Its Own Passwords?

I need to use an Azure service principal to programmatically:
1. add/delete passwords for other services principal , and
2. add/delete passwords for itself
1 is easy to do.
But I can't seem to do 2 due to the following error. Is #2 possible? How?
graphrbac.PasswordCredentialsUpdateParameters failed:
graphrbac.ApplicationsClient#UpdatePasswordCredentials: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error"
Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-06-06T22:19:35","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<ID>"}}]
Is #2 possible? How?
Yes, it is possible.
Just add your service principal to the Application Administrator directory role in your tenant, no need to add other permissions, it will work(there may be some delay).
Navigate to the Azure Active Directory in the portal -> Roles and administrators -> click Application administrator -> Add assignment -> search by your AD App name(service principal name) -> select it -> Select.
My test sample:
I test it with powershell, in other languages, it should also work.
Add password:
Connect-AzureAD -TenantId "<TenantId>" -ApplicationId "<ApplicationId>" -CertificateThumbprint "D0F0B179xxxxx6E41833FDE5947"
New-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove password(it returns no content when successful):
$password = Get-AzureADApplicationPasswordCredential -ObjectId <ObjectId>
Remove-AzureADApplicationPasswordCredential -ObjectId <ObjectId> -KeyId $password.KeyId
Besides, you could check the screenshot in my test sample and that in the portal, make sure the service principal add/delete passwords for itself.
Seems you are trying to update your service principle meanwhile caught an error.
As the error said you don't have permission for this operation.
Reason of Error: You may not have sufficient permission on your application for this operation.
Action To Do:
To do that you have to assign following permission on your application. Please follow the below steps:
Login to azure portal
Click on azure active directory
App registrations
Select you application
API Permission
Add Permission
Microsoft Graph
Application permission
In Directory select Directory.Read.All
In Application select Application.ReadWrite.All
Add Permission
Grant admin consent for YourTennant
See the screen shot below:
Note: You also need to have at least Contributor directory role on that application. As the Contributor can create and manage all types of
Azure resources but can’t grant access to others.

Resources