What built-in role is required for a service principal to create an "APP Registration" ? I looked at the built-in roles and did not find one. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles Any ideas ?

Hi @ Desmond Sindatry Creating an application registration does not require a built-in role, you need to grant the Application.ReadWrite.All application permission to your service principal, then use the unattended client credentials flow to obtain an access token and call the create application API endpoint. Hope this helps. If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment .

Hi Desmod , You can use Application admin role and it should work fine If this is useful please click Accept Answer

What built-in role is required for a Service principal to create new app registrations

Accepted answer

CarlZhao-MSFT 40,311 Reputation points

2023-04-17T03:00:29.8366667+00:00

Hi @Desmond Sindatry
Creating an application registration does not require a built-in role, you need to grant the Application.ReadWrite.All application permission to your service principal, then use the unattended client credentials flow to obtain an access token and call the create application API endpoint.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Please sign in to rate this answer.
CarlZhao-MSFT 40,311 Reputation points

2023-04-19T03:00:14.2166667+00:00

Hi @Desmond Sindatry

I am checking to see if this issue is resolved or not. If you have any concerns, please feel free to reply.

Desmond Sindatry 46 Reputation points

2023-04-19T13:30:30.7133333+00:00

These steps look good. however I am, not using graph api. I am using az ad commands to create the app registration.

CarlZhao-MSFT 40,311 Reputation points

2023-04-20T06:21:09.9933333+00:00

Hi @Desmond Sindatry

This is no different, the Azure CLI uses MSAL as an authentication library, and its underlying is still implemented through the graph API. So when you log in with a service principal and create a new application registration, the service principal must be granted Application.ReadWrite.All application permissions.

CarlZhao-MSFT 40,311 Reputation points

2023-04-26T08:52:16.3133333+00:00

Hi @Desmond Sindatry

Would you please provide us with an update on the status of your issue?

Desmond Sindatry 46 Reputation points

2023-05-24T18:36:46.9433333+00:00

Sorry, I was heads down on something else. I tried this out and still it does not work. My service principal has been granted all these API permissions including Application.ReadWrite.All (pic below). Then I tried the below steps to create a new app registration

az login --service-principal --tenant xxxx-3625-45b3-a430-9552373a0c2f -u xxxx-eb3b-4864-9512-5f403b41a037 -p xxxxx

az account set --subscription sas-ssod-sdmgt

az ad app create --display-name mas-observability-dev-hmr --available-to-other-tenants false

ERROR: Insufficient privileges to complete the operation.

What else am i missing ? How will the az ad app create using that service principal ?

CarlZhao-MSFT 40,311 Reputation points

2023-05-25T02:09:27.4866667+00:00

Hi @Desmond Sindatry

Please ask a new question about this and share the question link with me so I can research under the new question.

Thanks,

Carl
Sign in to comment

Share via

What built-in role is required for a Service principal to create new app registrations

1 additional answer