How to add an enterprise app from an existing multiple tenants app register with Azure CLI or Powershell?

Tran Anh Xuan 20 Reputation points
2024-06-22T02:12:07.8766667+00:00

I have a multi-tenant application deployed and I want to add it to another tenant using azure cli or powershell.

I followed the instructions here https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/create-service-principal-cross-tenant?pivots=azure-cli, but got the error "Insufficient privileges to complete the operation".

What did I do wrong and what additional permissions do I need to be able to run it?

Not Monitored
Not Monitored
Tag not monitored by Microsoft.
37,598 questions
0 comments No comments
{count} votes

Accepted answer
  1. William 620 Reputation points
    2024-06-22T02:38:56.5066667+00:00

    Adding an enterprise app from an existing multi-tenant app registration to another tenant involves creating a service principal in the target tenant.

    The error message "Insufficient privileges to complete the operation" typically indicates that your account lacks the necessary permissions to create a service principal in the target tenant. By ensuring you have the required permissions and using either the Azure AD or Microsoft Graph PowerShell modules, you should be able to successfully create a service principal for your multi-tenant application in the target tenant.

    Steps to Create a Service Principal in Another Tenant

    Connect to the Target Tenant:

    • Use the Azure AD PowerShell module or Azure CLI to connect to the target tenant. For PowerShell, replace <TenantId> with the GUID of the target tenant:
       powershellCopy code
       Connect-AzureAD -TenantId "<TenantId>"
    

    Create the Service Principal:

      - Run the following command to create the service principal using the application ID of your multi-tenant application:
      
      ```yaml
      powershellCopy code
      New-AzureADServicePrincipal -AppId "<ApplicationId>"
      ```
      
         - Replace `<ApplicationId>` with the client/application ID of your multi-tenant application.
         
         **Alternatively, Use Microsoft Graph:**
         
            - If you encounter issues, consider using the Microsoft Graph PowerShell module. You can create the application directly using:
            
            ```yaml
            powershellCopy code
            New-MgServicePrincipal -AppId "<ApplicationId>"
            ```
            
            **Check Permissions:**
            
               - Ensure that your account has the necessary permissions in the target tenant. You might need to be a global administrator or have specific permissions to create service principals.
               
               **Update AzureAD Module:**
               
                  - Make sure you’re using an up-to-date version of the AzureAD PowerShell module. If needed, update the module using:
                  
                  ```yaml
                  powershellCopy code
                  Update-Module -Name AzureAD -Force
                  ```
                  
    

    Remember to replace <TenantId> and <ApplicationId> with the actual values from your environment. For more detailed instructions official Microsoft documentation.

    If this answer solves your issue, please vote for it so other community members know that this is a quality answer.


0 additional answers

Sort by: Most helpful