Azure Service Principal owner cannot reset credentials with az cli

Repetti Pierangelo 20 Reputation points
2023-07-05T16:43:30.74+00:00

Hello,

as an Azure subscription admin I created a service principal and granted another user as Owner of the SP itself.

This user is trying to reset SP credentials with command

az ad sp credential reset --id <application id>

but he gets the error

Insufficient privileges to complete the operation

Why? Isn't being an SP Owner enough?

Thank you

Azure Role-based access control

Accepted answer
  1. Konstantinos Passadis 17,376 Reputation points MVP
    2023-07-05T16:48:52.9566667+00:00

    Hello @Repetti Pierangelo !

    Welcome to Microsoft QnA!

    You need "Application Administrator" or "Cloud Application Administrator".

    These are Azure AD roles, not subscription roles.


    Please try and come back with your feedback

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


3 additional answers

  1. Konstantinos Passadis 17,376 Reputation points MVP
    2023-07-05T17:56:31.8166667+00:00

    Hello @Repetti Pierangelo !

    You can add the Role via Privileged Identity Management | Azure AD roles

    Do you have Azure AD Premium P2?



  2. Konstantinos Passadis 17,376 Reputation points MVP
    2023-07-05T18:30:21.5466667+00:00

    Hello @Repetti Pierangelo !

    I just validated the above instructions

    I am afraid there is no option to bind a role to a specific SP without a scoped assignment via Privileged Identity Management, which requires P2.

    Other ways could be a separate Function or a script that only the specific user can execute, and that does the same job!

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


  3. Konstantinos Passadis 17,376 Reputation points MVP
    2023-07-07T11:29:02.6566667+00:00

    Hello @Repetti Pierangelo !

    Well, in that case we cannot make a scoped assignment.

    So there is no other way; either you compromise with a role that will manage all SPs, or look for an alternative.

    An alternative, for example, could be a PowerShell script on an Automation Account or an Azure Function which only the specific user can execute, and which performs that single one-line command to reset the SP credentials.

    If you want to explore this option, I suggest closing this thread (please mark any answer that helped as Accepted) and creating a new one. Let me know your thoughts; I will happily assist you in building this, and the whole community will be aware of your new request!

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

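The "separate Function or script that only the specific user can execute" alternative from the answers above, as an added example that is not code from the thread or from Microsoft: a minimal rotation broker in which the broker's own identity makes the Microsoft Graph call and the human caller holds no directory role at all. Everything deployment-specific is assumed, not taken from the thread: the GUIDs in the allowlist and the fake response are constructed placeholders; the caller's object id is assumed to come from the hosting platform (for example the X-MS-CLIENT-PRINCIPAL-ID header that App Service authentication sets); and the broker's identity is assumed to hold a Graph permission that covers addPassword on the target SP (for example Application.ReadWrite.OwnedBy with the broker registered as owner of that SP, which is an assumption about the deployment, not something the thread verifies). The Graph call targets the service principal object (/servicePrincipals/{id}/addPassword), which is the object `az ad sp credential reset` operates on, rather than the application object.

```python
# Added example (not from the thread): a least-privilege credential-rotation
# broker. Only allowlisted (caller, service principal) pairs are honoured,
# the secret lifetime is bounded, and the returned secret is never logged.
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

# Hypothetical allowlist: caller object id -> service principal object ids
# that caller may rotate. Keep this in configuration, out of the caller's hands.
ALLOWED = {
    "11111111-1111-1111-1111-111111111111": {
        "22222222-2222-2222-2222-222222222222",
    },
}


class NotAuthorized(Exception):
    """Raised when the caller is not allowed to rotate the requested SP."""


def authorize(caller_oid, sp_oid):
    """Fail closed: unknown caller, or SP not on that caller's list -> refuse."""
    if sp_oid not in ALLOWED.get(caller_oid, set()):
        raise NotAuthorized(f"caller {caller_oid} may not rotate {sp_oid}")


def build_add_password_request(sp_oid, display_name, lifetime_days=90, now=None):
    """Build the Graph addPassword call for a service principal object.

    Targets /servicePrincipals/{id}/addPassword (the SP object, not the app
    registration) and bounds endDateTime so the broker cannot be used to mint
    never-expiring credentials.
    """
    if not 1 <= lifetime_days <= 365:
        raise ValueError("lifetime_days must be between 1 and 365")
    now = now or datetime.now(timezone.utc)
    end = now + timedelta(days=lifetime_days)
    return {
        "url": f"{GRAPH}/servicePrincipals/{sp_oid}/addPassword",
        "body": {
            "passwordCredential": {
                "displayName": display_name,
                "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ"),
            }
        },
    }


def graph_post(url, body, token):
    """Real transport: POST JSON to Graph with a bearer token that the broker's
    own identity (managed identity or client credentials) obtained."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def rotate(caller_oid, sp_oid, display_name, token, post=graph_post):
    """Authorize, then add a new password credential to the SP.

    Returns only what the caller needs. Graph returns secretText exactly once;
    the broker must hand it back and never write it to logs.
    """
    authorize(caller_oid, sp_oid)
    req = build_add_password_request(sp_oid, display_name)
    result = post(req["url"], req["body"], token)
    return {"keyId": result["keyId"],
            "endDateTime": result["endDateTime"],
            "secretText": result["secretText"]}


def fake_graph_post(url, body, token):
    """Constructed stand-in for Graph so the example runs offline; it echoes
    the shape of a real passwordCredential response (values are made up)."""
    cred = body["passwordCredential"]
    return {"keyId": "33333333-3333-3333-3333-333333333333",
            "displayName": cred["displayName"],
            "endDateTime": cred["endDateTime"],
            "secretText": "constructed-secret-value"}


if __name__ == "__main__":
    out = rotate("11111111-1111-1111-1111-111111111111",
                 "22222222-2222-2222-2222-222222222222",
                 "rotated-by-broker", token="dummy", post=fake_graph_post)
    # Print metadata only; the secret goes back to the caller, not to stdout.
    print({k: v for k, v in out.items() if k != "secretText"})
```

In a real deployment `post` stays as `graph_post`, `token` is acquired by the broker's identity, and `caller_oid` is taken from the platform-authenticated request rather than from a user-supplied field; the allowlist is what replaces the tenant-wide Application Administrator role the thread says is otherwise required.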