What built-in role is required for a Service principal to create new app registrations

Question

What built-in role is required for a Service principal to create new app registrations

Desmond Sindatry 91

What built-in role is required for a service principal to create an "APP Registration" ? I looked at the built-in roles and did not find one. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles Any ideas ?

0 comments

Answer accepted by question author

1 additional answer

Your answer

Answer 1

CarlZhao-MSFT 46,456

Hi @Desmond Sindatry
Creating an application registration does not require a built-in role, you need to grant the Application.ReadWrite.All application permission to your service principal, then use the unattended client credentials flow to obtain an access token and call the create application API endpoint.

User's image

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

CarlZhao-MSFT 46,456 Reputation points

2023-04-19T03:00:14.2166667+00:00

Hi @Desmond Sindatry

I am checking to see if this issue is resolved or not. If you have any concerns, please feel free to reply.
Desmond Sindatry 91 Reputation points

2023-04-19T13:30:30.7133333+00:00

These steps look good. however I am, not using graph api. I am using az ad commands to create the app registration.
CarlZhao-MSFT 46,456 Reputation points

2023-04-20T06:21:09.9933333+00:00

Hi @Desmond Sindatry

This is no different, the Azure CLI uses MSAL as an authentication library, and its underlying is still implemented through the graph API. So when you log in with a service principal and create a new application registration, the service principal must be granted Application.ReadWrite.All application permissions.
CarlZhao-MSFT 46,456 Reputation points

2023-04-26T08:52:16.3133333+00:00

Hi @Desmond Sindatry

Would you please provide us with an update on the status of your issue?
Desmond Sindatry 91 Reputation points

2023-05-24T18:36:46.9433333+00:00

Sorry, I was heads down on something else. I tried this out and still it does not work. My service principal has been granted all these API permissions including Application.ReadWrite.All (pic below). Then I tried the below steps to create a new app registration

az login --service-principal --tenant xxxx-3625-45b3-a430-9552373a0c2f -u xxxx-eb3b-4864-9512-5f403b41a037 -p xxxxx

az account set --subscription sas-ssod-sdmgt

az ad app create --display-name mas-observability-dev-hmr --available-to-other-tenants false

ERROR: Insufficient privileges to complete the operation.

What else am i missing ? How will the az ad app create using that service principal ?
CarlZhao-MSFT 46,456 Reputation points

2023-05-25T02:09:27.4866667+00:00

Hi @Desmond Sindatry

Please ask a new question about this and share the question link with me so I can research under the new question.

Thanks,

Carl

Answer 2

Rohit Kumar Sinha 1,346

Hi Desmod , You can use Application admin role and it should work fine User's image

If this is useful please click Accept Answer

Desmond Sindatry 91 Reputation points

2023-04-14T14:07:18.3966667+00:00

Thanks for the quick response. I don't find that here -> https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles Where did you find that ? any documentation that you can point me to .... Just to note this is not for a user . Its for a Service principal
Rohit Kumar Sinha 1,346 Reputation points

2023-04-14T14:47:38.45+00:00

Hi , This is available in Roles and Admin Section in Azure AD , check below screenshot for more reference.

You can add Service Principles as well without any issues. If the above is useful please click Accept Answer

Share via

What built-in role is required for a Service principal to create new app registrations

1 additional answer

Your answer