Cannot create a Service Principal in AAD under Startup Account

Question

Cannot create a Service Principal in AAD under Startup Account

Jonathan Baier 0

I am trying to create a service principal to push a container image to Azure Container Registry. However whenever I run az ad sp create-for-rbac, I get the error "Insufficient privileges to complete the operation."

I don't seem to have access to the Azure AD Graph or any other way to to create the SP so not sure how to proceed.

2 answers

Your answer

Answer 1

Achraf Ben Alaya 1,311 MVP

Hello ,

1 -First you need to check your permission :

az role assignment list --assignee <your-user-id>

2- if you don't have the right permission you need to ask an admin to create that spn for you :

az ad sp create-for-rbac --name mySPN --role Contributor --scopes /subscriptions/<sub-id>

3- if you want to push only to acr also you can use the managed identity instead of spn :

you need first to assign that identity to your app service.

later you need to assign Role ACR Push to that identity :

az acr role assignment create --registry <acr-name> --assignee <identity-id> --role AcrPush

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity?wt.mc_id=MVP_328341

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-03-04T12:05:48.9966667+00:00

Hi Jonathan Baier,

Thank you for posting your query on Microsoft Q&A.

In addition to the answer posted by @Achraf Ben Alaya , I would like to few more points regarding the configuration of Azure AD service principal and provide RBAC role.

While executing these commands, kindly make sure you have a prominent role of Application admin or global admin to configure a service principal.

To provide RBAC role for your service principal, you should have User Access Administrator or Role Based Access Control Administrator permissions on the scope (Subscription or Resource).

If you don't have these roles or permissions, you will not be able to add a role to the service principal. Here is the Microsoft document you can use as reference: Create a service principal.

Additional information on using service principal authentication with container registry: Azure Container Registry authentication with service principals

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the above answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment"
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-03-05T04:04:30.23+00:00

Hi Jonathan Baier,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Jonathan Baier 0 Reputation points

2025-03-05T06:18:15.7433333+00:00

Thank you, Achraf. Yes the admin is able to create this for me and those steps work, but I am still not sure why my user is being blocked.

Kancharla, I have the Owner role and we have removed the exception preventing User Access Administrator or Role Based Access Control Administrator. But I still get permission denied. Do I need to grant these role explicitly?
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-03-06T04:44:08.0833333+00:00

Hi Jonathan Baier,

Thanks for your response,

I believe you have an access for subscription, but to create service principal you need to have admin access (Global administrator or Application admin), because of which you may be blocked in configuring the SP with required role.

Thanks,

Saiteja K.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-03-07T03:41:42.74+00:00

Hi Jonathan Baier,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-03-10T04:00:01.48+00:00

Hi Jonathan Baier,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 2

Hello Jonathan Baier,

In addition to the answer posted by @Achraf Ben Alaya , I would like to add few more points regarding creation of Azure AD service principal.

With Owner role, you will gain complete access on the subscription but not on the tenant or directory. If the following option is disabled in your tenant, normal users won't be able to create applications or service principals. To confirm this, check:

Go to Azure Portal -> Microsoft Entra ID -> User Settings -> Users can register applications option

enter image description here

Initially, I too got same error when I tried to create service principal with user having Owner role but above option is disabled:


az ad sp create-for-rbac --name "spname" --scopes $acrId --role acrpull

Response:

enter image description here

To create service principal in your case, get Users can register applications option enabled from your Admin:
Go to Azure Portal -> Microsoft Entra ID -> User Settings -> Users can register applications option -> Yes -> Save

enter image description here

After making above change, when I tried to create service principal with same user having Owner role it worked:


az ad sp create-for-rbac --name "spname" --scopes $acrId --role acrpull

Response:

enter image description here

Alternatively, you can also get yourself assigned with at least "Application Developer" Microsoft Entra role under the directory:

enter image description here

Go to Azure Portal -> Microsoft Entra ID -> Roles and administrators -> Select Application Developer -> Assignments -> Add assignment

enter image description here

Hope this helps to resolve the issue!

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

User's image

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Thanks,
SrideviM

SrideviM 5,710 Reputation points Microsoft External Staff Moderator

2025-03-07T03:45:57.63+00:00

Hello Jonathan Baier,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
SrideviM 5,710 Reputation points Microsoft External Staff Moderator

2025-03-09T02:08:30.1233333+00:00

Hello Jonathan Baier,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Cannot create a Service Principal in AAD under Startup Account

2 answers

Your answer