Home > Software engineering >  What Role or Scopes Does An Azure Service Principal Need to Create Applications
What Role or Scopes Does An Azure Service Principal Need to Create Applications

Time:02-12

I currently create a service principal using the Azure CLI:

az ad sp create-for-rbac --name foo --role Contributor

I need the service principal to have enough permissions to create/modify/delete various Azure AD resources including Applications, other Service Principals and Service Principal Passwords.

What do I need to add to the above Azure CLI command to add these permissions?

CodePudding user response:

You need to add the scope of this service principal and also change the Azure role of this Service Principal to 'User Access Administrator' to enable you to modify resources in Azure AD. Also, 'User Access Administrator' role will give the service principal the required permissions for that Azure role to assign RBAC permissions. Please refer the below command for more details: -

  az ad sp create-for-rbac --name foo --role User Access Administrator --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1}

Also, ensure that the user ID through which you are creating this service principal and assigning the role to it has permissions to register and create applications in Azure AD. If not, then please assign that ID 'Application Administrator' Azure AD role or you should be allowed to create and register applications by an administrator even though being a 'User'.

CodePudding user response:

You need to give your service principal "App admin" permissions. This allows you to create application registrations and also set their credentials. And it does not give it rights to do anything else such as manage users and groups. If your intent is to include those, you need to add additional roles to the service principal.

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator

  • Related