When I run az ad sp create-for-rbac --sdk-auth > my.azureauth to create login details, I get an error

suman.kumar 26 Reputation points
2021-09-17T08:57:49.93+00:00

When I run this command to create login credentials, I get an error:
az ad sp create-for-rbac --sdk-auth > my.azureauth

WARNING: In a future release, this command will NOT create a 'Contributor' role assignment by default. If needed, use the --role argument to explicitly create a role assignment.
WARNING: Creating 'Contributor' role assignment under scope '/subscriptions/c92c7baa-eaad-434b-9375-37f5989aa19d'
WARNING: Role assignment creation failed.

WARNING: role assignment response headers: {'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Content-Type': 'application/json; charset=utf-8', 'Expires': '-1', 'x-ms-failure-cause': 'gateway', 'x-ms-request-id': 'cda727cc-57c1-42d7-88d6-992de1bf4218', 'x-ms-correlation-request-id': 'cda727cc-57c1-42d7-88d6-992de1bf4218', 'x-ms-routing-request-id': 'JIOINDIAWEST:20210917T085101Z:cda727cc-57c1-42d7-88d6-992de1bf4218', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Content-Type-Options': 'nosniff', 'Date': 'Fri, 17 Sep 2021 08:51:00 GMT', 'Connection': 'close', 'Content-Length': '395'}

ERROR: The client 'suman.kumar@legitquest.com' with object id 'b740b4ee-96a6-4752-932c-0f770c37b929' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/c92c7baa-eaad-434b-9375-37f5989aa19d' or the scope is invalid. If access was recently granted, please refresh your credentials.

Azure Role-based access control

Accepted answer
  1. Siva-kumar-selvaraj 15,646 Reputation points
    2021-09-17T20:43:09.327+00:00

    Hello @suman.kumar ,

    Thanks for reaching out.

    Looking at the above error message, it seems that the client 'suman.kumar@legitquest.com' with object id 'b740b4ee-96a6-4752-932c-0f770c37b929' does not have access to /subscriptions/c92c7baa-eaad-434b-9375-37f5989aa19d to perform the action 'Microsoft.Authorization/roleAssignments/write'.

    This is because the az ad sp create-for-rbac command creates a service principal and configures its access to Azure resources. By default, this command assigns the 'Contributor' role to the service principal at the subscription scope.

    Therefore, the account you are using to log in to the CLI must have RBAC Owner access at the subscription level to perform the role assignment.

    To fix this issue, either ask your subscription admin to assign the RBAC Owner role to your account, or, if you just want to create login credentials without a role assignment on the subscription, use the --skip-assignment parameter as shown below; this does not require access at the subscription level.

    az ad sp create-for-rbac --sdk-auth --skip-assignment

    Here is a similar thread for your reference:

    Hope this helps.


    2 people found this answer helpful.
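To make the answer's advice concrete, here is an added example (my own script, not the answerer's or Microsoft's code) that checks whether the signed-in account actually holds a role carrying Microsoft.Authorization/roleAssignments/write at the intended scope before calling create-for-rbac, and then creates the service principal with an explicit role and resource-group scope instead of the default Contributor on the whole subscription (or with --skip-assignment when no role is wanted). It assumes the Azure CLI is installed and logged in; the subscription id, resource group and service principal name are placeholders passed on the command line.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: preflight check before
# `az ad sp create-for-rbac`, then a least-privilege creation.
# Assumes the Azure CLI is installed and logged in when RUN_AZ=1;
# the helper functions are pure text processing and need no `az`.
set -eu

# Built-in roles that carry Microsoft.Authorization/roleAssignments/write.
# Reads one roleDefinitionName per line on stdin, the shape of
# `az role assignment list --query "[].roleDefinitionName" -o tsv`.
can_write_role_assignments() {
    grep -qxE 'Owner|User Access Administrator'
}

# Narrowest scope: the resource group when given, else the subscription.
build_scope() {
    local sub="$1" rg="${2:-}"
    if [ -n "$rg" ]; then printf '/subscriptions/%s/resourceGroups/%s' "$sub" "$rg"
    else printf '/subscriptions/%s' "$sub"; fi
}

# One argument per line. With --role/--scopes the SP gets only that role at
# that scope instead of Contributor on the whole subscription; with no role
# it is created with --skip-assignment, which needs no subscription rights.
build_create_args() {
    local name="$1" role="${2:-}" scope="${3:-}"
    printf '%s\n' ad sp create-for-rbac --name "$name" --sdk-auth
    if [ -n "$role" ]; then printf '%s\n' --role "$role" --scopes "$scope"
    else printf '%s\n' --skip-assignment; fi
}

# usage: RUN_AZ=1 ./script.sh <subscription-id> <resource-group> <sp-name> [role]
main() {
    local sub="$1" rg="$2" name="$3" role="${4:-Reader}" scope me a
    scope="$(build_scope "$sub" "$rg")"
    me="$(az account show --query user.name -o tsv)"
    if ! az role assignment list --assignee "$me" --scope "$scope" --include-inherited \
            --query "[].roleDefinitionName" -o tsv | can_write_role_assignments; then
        echo "no roleAssignments/write at $scope: ask an Owner, or skip the assignment" >&2
        return 1
    fi
    umask 077   # my.azureauth holds a client secret: make it owner-readable only
    set --      # rebuild argv from build_create_args, one argument per line
    while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$(build_create_args "$name" "$role" "$scope")
EOF
    az "$@" > my.azureauth
}
if [ "${RUN_AZ:-0}" = 1 ]; then main "$@"; fi
```

Pass no fourth argument to get Reader on the resource group; pass an empty string ("") as the role to create the principal with --skip-assignment as in the answer above.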

1 additional answer

  1. suman.kumar 26 Reputation points
    2021-09-20T06:56:14.003+00:00

    And the 2nd way is with --scope of that subscription and group name.

    1 person found this answer helpful.
