Guest user with "Application Administrator" role can't create service principles

Dimitar Grozev 60 Reputation points

Hello all,

I am a contractor for client and I have to create service principles in order to deploy code and infrastructure from Azure DevOps to the portal. I asked the client to assign the "Application Administrator" role to my guest user in their tenant, which didn't work. So I then asked them to assign the "Application Developer" which also didn't resolve the issue. Eventually I asked if I could be a "Global Admin" but that was too much access so they denied.

So my question is if there is some global policy or some setting or option which may disable creating service principles despite having all the necessary roles.


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,189 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 98,676 Reputation points MVP

    Guest accounts are restricted by default, and even though you can assign admin roles to them, not all functionalities will work as expected. It's best to use a regular ("member") user account, if you need to create them manually or via delegate permissions, or ask for the provisioning of a service principal in order to do things unattended.