Cannot create a Service Principal in AAD under Startup Account

Jonathan Baier 0 Reputation points
2025-03-01T02:36:20.4166667+00:00

I am trying to create a service principal to push a container image to Azure Container Registry. However, whenever I run az ad sp create-for-rbac, I get the error "Insufficient privileges to complete the operation."

I don't seem to have access to the Azure AD Graph or any other way to create the SP, so I'm not sure how to proceed.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Achraf Ben Alaya 1,311 Reputation points MVP
    2025-03-01T09:09:31.4366667+00:00

    Hello,

    1 - First you need to check your permissions:

    az role assignment list --assignee <your-user-id>

    2 - If you don't have the right permission, you need to ask an admin to create that SPN for you:

    az ad sp create-for-rbac --name mySPN --role Contributor --scopes /subscriptions/<sub-id>

    3 - If you only want to push to ACR, you can also use a managed identity instead of an SPN:

    You first need to assign that identity to your App Service.

    Later you need to assign the AcrPush role to that identity:

    az role assignment create --assignee <identity-id> --role AcrPush --scope $(az acr show --name <acr-name> --query id --output tsv)

    https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity?wt.mc_id=MVP_328341

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. SrideviM 5,710 Reputation points Microsoft External Staff Moderator
    2025-03-06T06:45:26.48+00:00

    Hello Jonathan Baier,

    In addition to the answer posted by @Achraf Ben Alaya, I would like to add a few more points regarding the creation of an Azure AD service principal.

    With the Owner role, you gain complete access to the subscription but not to the tenant or directory. If the following option is disabled in your tenant, normal users won't be able to create applications or service principals. To confirm this, check:

    Go to Azure Portal -> Microsoft Entra ID -> User Settings -> Users can register applications option


    Initially, I too got the same error when I tried to create a service principal with a user having the Owner role but the above option disabled:

    az ad sp create-for-rbac --name "spname" --scopes $acrId --role acrpull

    Response: (screenshot of the error, not reproduced here)

    To create a service principal in your case, get the Users can register applications option enabled by your admin:
    Go to Azure Portal -> Microsoft Entra ID -> User Settings -> Users can register applications option -> Yes -> Save


    After making the above change, when I tried to create a service principal with the same user having the Owner role, it worked:

    az ad sp create-for-rbac --name "spname" --scopes $acrId --role acrpull

    Response: (screenshot of the successful output, not reproduced here)

    Alternatively, you can also get yourself assigned at least the "Application Developer" Microsoft Entra role in the directory:


    Go to Azure Portal -> Microsoft Entra ID -> Roles and administrators -> Select Application Developer -> Assignments -> Add assignment


    Hope this helps to resolve the issue!


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

    Thanks,
    SrideviM
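
Both answers above come down to two separate permission checks: the directory side (can this user create an app registration or service principal at all, decided by the "Users can register applications" switch or a directory role such as Application Developer) and the Azure RBAC side (does the principal already hold a role that can push to the registry, in which case no new SPN may be needed). The script below is an added example that is not part of either answer or of any Microsoft tool; it evaluates constructed JSON documents shaped like the output of `az rest --method get --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy`, `az rest --method get --url https://graph.microsoft.com/v1.0/me/memberOf` and `az role assignment list --all --assignee <id> --output json`. The role-name sets and the sample subscription and registry IDs are assumptions made for the example.

```python
"""Preflight for the two permission questions raised in this thread.

Added example (not code from the thread or from Microsoft). The inputs are
the JSON documents that the following commands return; the samples at the
bottom are constructed, not captured from a real tenant:

  az rest --method get --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy
  az rest --method get --url https://graph.microsoft.com/v1.0/me/memberOf
  az role assignment list --all --assignee <id> --output json
"""
import json

# Directory roles whose holders may create apps/service principals even when
# the tenant-wide "Users can register applications" switch is off
# (well-known Entra built-in role names; assumed sufficient for this check).
APP_CREATOR_ROLES = {
    "Application Developer",
    "Application Administrator",
    "Cloud Application Administrator",
    "Global Administrator",
}
# Built-in Azure RBAC roles that include the registry push action.
PUSH_ROLES = {"AcrPush", "Contributor", "Owner"}
PULL_ROLES = PUSH_ROLES | {"AcrPull"}


def can_register_apps(auth_policy: dict, member_of: dict) -> bool:
    """Directory side: tenant switch on, or the user holds an app-creator role.
    memberOf returns groups and directory roles; only directoryRole objects count."""
    perms = auth_policy.get("defaultUserRolePermissions", {})
    if perms.get("allowedToCreateApps"):
        return True
    roles = {
        m.get("displayName")
        for m in member_of.get("value", [])
        if m.get("@odata.type") == "#microsoft.graph.directoryRole"
    }
    return bool(roles & APP_CREATOR_ROLES)


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Azure RBAC inherits down the hierarchy: an assignment covers a resource
    when its scope is the resource itself or an ancestor. Compare on segment
    boundaries so that /subscriptions/...0a does not match /subscriptions/...0ab."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def effective_roles(assignments: list, resource_id: str) -> set:
    """Role names whose assignment scope reaches the given resource."""
    return {x["roleDefinitionName"] for x in assignments if scope_covers(x["scope"], resource_id)}


def can_push(assignments: list, resource_id: str) -> bool:
    return bool(effective_roles(assignments, resource_id) & PUSH_ROLES)


def can_pull(assignments: list, resource_id: str) -> bool:
    return bool(effective_roles(assignments, resource_id) & PULL_ROLES)


def preflight(auth_policy: dict, member_of: dict, assignments: list, registry_id: str) -> dict:
    """Summarise both checks; AcrPush is the least-privilege role to request
    when push is still missing at the registry scope."""
    push = can_push(assignments, registry_id)
    return {
        "can_register_apps": can_register_apps(auth_policy, member_of),
        "effective_roles": sorted(effective_roles(assignments, registry_id)),
        "can_pull": can_pull(assignments, registry_id),
        "can_push": push,
        "role_to_request": None if push else "AcrPush",
    }


# ---- constructed sample data (assumed IDs, not real tenants) ----
SAMPLE_AUTH_POLICY = {"defaultUserRolePermissions": {"allowedToCreateApps": False}}
SAMPLE_MEMBER_OF = {"value": [
    {"@odata.type": "#microsoft.graph.group", "displayName": "Developers"},
]}
SAMPLE_MEMBER_OF_APPDEV = {"value": [
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Application Developer"},
]}
SUB_A = "/subscriptions/00000000-0000-0000-0000-00000000000a"
SUB_B = "/subscriptions/00000000-0000-0000-0000-00000000000b"
REGISTRY_A = SUB_A + "/resourceGroups/rg-ci/providers/Microsoft.ContainerRegistry/registries/acrexample"
REGISTRY_B = SUB_B + "/resourceGroups/rg-ci/providers/Microsoft.ContainerRegistry/registries/acrother"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Owner", "scope": SUB_A, "principalType": "User"},
    {"roleDefinitionName": "AcrPull", "scope": REGISTRY_B, "principalType": "User"},
    {"roleDefinitionName": "Reader", "scope": SUB_B, "principalType": "User"},
]

if __name__ == "__main__":
    # Owner on subscription A, yet app registration blocked by the tenant switch:
    # exactly the situation described in the question.
    print(json.dumps(preflight(SAMPLE_AUTH_POLICY, SAMPLE_MEMBER_OF, SAMPLE_ASSIGNMENTS, REGISTRY_A), indent=2))
```

The sample reproduces the situation in the question: Owner on the subscription makes `can_push` true for a registry in that subscription, while `can_register_apps` stays false until either the tenant switch is turned on or the user is given the Application Developer role. Note that `/me/memberOf` lists only activated directory roles, and that none of the RBAC data says anything about the directory permission, which is why the RBAC check in answer 1 cannot explain the "Insufficient privileges" error on its own.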

