I found a link here which says:
There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant.
My question is: can a 'service principal' create another 'service principal' in Azure? If yes, how, and what permissions are required for this?
Please suggest. Thanks.
CodePudding user response:
A service principal can create another service principal after being assigned either the corresponding MS Graph permission or an Azure AD role.
MS Graph Permissions
Either of the permissions:
- Application.ReadWrite.All
- Application.ReadWrite.OwnedBy
References:
- Microsoft Graph permissions reference
- Create application API endpoint
- Create servicePrincipal API endpoint
Azure AD Role
Any role with one of these permissions:
- microsoft.directory/applications/create
- microsoft.directory/applications/createAsOwner
- microsoft.directory/applications/allProperties/allTasks
Built-in roles:
- Application Administrator
- Application Developer
- Cloud Application Administrator
- Global Administrator
- Hybrid Identity Administrator
References:
- Application registration permissions for custom roles in Azure Active Directory
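The answer above lists the permissions but not the actual sequence of calls. The following is an added example (not code from the thread or from Microsoft) of one service principal creating another through Microsoft Graph: it obtains an app-only token with the client-credentials grant, checks that the token's `roles` claim carries `Application.ReadWrite.All` or `Application.ReadWrite.OwnedBy`, then POSTs to `/applications` and `/servicePrincipals`. The Graph and login URLs are the documented v1.0 ones; the tenant, client ID, secret, display name, environment-variable names and the `DryRunTransport` that fabricates responses for offline use are all assumptions made for the example.

```python
"""One service principal creating another via Microsoft Graph (added example).
Assumes the caller holds Application.ReadWrite.All or .OwnedBy (app permission,
admin-consented). Names, env vars and the dry-run transport are illustrative."""
import base64
import json
import os
import urllib.parse
import urllib.request
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"
SUFFICIENT_ROLES = {"Application.ReadWrite.All", "Application.ReadWrite.OwnedBy"}


def http_post(url, body, headers):
    """Real transport: POST a form string or JSON-serialisable dict, return parsed JSON."""
    data = body.encode() if isinstance(body, str) else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class DryRunTransport:
    """Offline stand-in for http_post (assumption for the example): records each
    request and returns Graph-shaped responses so the flow runs without a tenant."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, body, headers):
        self.calls.append((url, body, headers))
        if url.endswith("/oauth2/v2.0/token"):
            return {"access_token": SAMPLE_TOKEN, "token_type": "Bearer"}
        if url.endswith("/applications"):
            return {"id": str(uuid.uuid4()), "appId": str(uuid.uuid4()),
                    "displayName": body["displayName"]}
        if url.endswith("/servicePrincipals"):
            return {"id": str(uuid.uuid4()), "appId": body["appId"]}
        raise ValueError(f"unexpected URL in dry run: {url}")


def get_token(tenant, client_id, client_secret, post=http_post):
    """Client-credentials grant: the calling SP gets an app-only Graph token.
    No user is involved, so only application permissions (roles) apply."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    resp = post(f"{LOGIN}/{tenant}/oauth2/v2.0/token", form,
                {"Content-Type": "application/x-www-form-urlencoded"})
    return resp["access_token"]


def roles_in_token(token):
    """Read the 'roles' claim from an app-only token. Inspection only: this
    base64-decodes the payload and does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])


def has_app_write_permission(token):
    """True when the token carries a Graph permission sufficient to create apps."""
    return bool(SUFFICIENT_ROLES & set(roles_in_token(token)))


def create_service_principal(token, display_name, post=http_post):
    """Register the application, then instantiate its service principal in the
    tenant. Returns (application, servicePrincipal) as Graph returned them."""
    if not has_app_write_permission(token):
        raise PermissionError("token lacks Application.ReadWrite.All/OwnedBy; "
                              "Graph would answer 403 Authorization_RequestDenied")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    app = post(f"{GRAPH}/applications",
               {"displayName": display_name, "signInAudience": "AzureADMyOrg"}, headers)
    sp = post(f"{GRAPH}/servicePrincipals", {"appId": app["appId"]}, headers)
    return app, sp


def unsigned_token(roles):
    """Constructed, unsigned JWT for the dry run; only the 'roles' claim matters."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}),
                     enc({"aud": "https://graph.microsoft.com", "roles": roles}), ""])


SAMPLE_TOKEN = unsigned_token(["Application.ReadWrite.OwnedBy"])


def dry_run(display_name="created-by-another-sp"):
    """Whole flow against the offline transport; returns the recorded requests too."""
    t = DryRunTransport()
    tok = get_token("contoso.onmicrosoft.com", "client-id", "client-secret", t)
    app, sp = create_service_principal(tok, display_name, t)
    return {"token": tok, "app": app, "sp": sp, "calls": t.calls}


if __name__ == "__main__":
    if os.environ.get("AZ_TENANT"):  # real run: AZ_TENANT, AZ_CLIENT_ID, AZ_CLIENT_SECRET
        tok = get_token(os.environ["AZ_TENANT"], os.environ["AZ_CLIENT_ID"],
                        os.environ["AZ_CLIENT_SECRET"])
        app, sp = create_service_principal(tok, "created-by-another-sp")
    else:
        app, sp = dry_run()["app"], dry_run()["sp"]
    print("application objectId:", app["id"], "appId:", app["appId"])
    print("servicePrincipal objectId:", sp["id"])
```

Two caveats worth knowing before relying on this. With `Application.ReadWrite.OwnedBy`, Graph records the calling service principal as owner of the new application, and that SP can afterwards manage only applications it owns, so it is the tighter grant for automation. The `roles` pre-check covers only the Graph-permission path from the answer; if the creating SP gets its rights through a directory role such as Application Developer instead, that membership appears in the token's `wids` claim (role template IDs), not in `roles`, and the check above would need to look there.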