Hello François Girinon,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you are getting an "Insufficient privileges" error when creating a service principal with az ad sp create-for-rbac.
This is a common scenario due to Azure’s dual-layer permission model, which requires both Azure AD and Azure RBAC permissions to properly configure service principals.
The steps below ensure your service principal is correctly configured with the appropriate access, enabling smooth integration with services like Kubernetes CSI drivers.
- To begin, check that your account has the necessary Azure AD role to create service principals:
  - Navigate to Azure Portal > Azure Active Directory > Roles and administrators and confirm that your user is assigned one of the following roles: Application Administrator, Cloud Application Administrator, Privileged Role Administrator, or Global Administrator.
  - These roles are essential for managing app registrations.
- Next, verify your Azure RBAC role to ensure you can assign roles to the service principal. Run the following bash command to check your current role assignments:
  az role assignment list --assignee <your-user-id>
- You should have either the Owner or User Access Administrator role at the subscription or resource group level where you're assigning permissions. For more information, refer to https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps
- Additionally, check the App Registration Policy under Azure AD > User settings > App registrations. Make sure the setting "Users can register applications" is enabled. If it’s disabled, you’ll need a Global Administrator to turn it on. This setting is crucial for allowing users to create app registrations.
- If you find that you lack the necessary permissions, you'll need to request assistance from an administrator. They can create the service principal and assign the required role using the following bash command:
  az ad sp create-for-rbac --name "k3s-csi-driver" --role Contributor --scope /subscriptions/{subid}/resourceGroups/{resource}
- https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-1?view=azure-cli-latest
- https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal
I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Please don't forget to close the thread by upvoting and accepting this as the answer if it is helpful.
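As an added example that is not part of the answer above: the RBAC check in the answer is only satisfied if an Owner or User Access Administrator assignment exists at the target scope or at a scope that contains it (subscription-level assignments are inherited by resource groups, but not the other way round). The script below applies that rule to the JSON emitted by az role assignment list --assignee <id> --all -o json; the subscription id and resource group names in the sample data are constructed placeholders, and management-group scopes are not handled.

```python
import json

# Roles the answer names as sufficient to assign roles to a new service principal
ROLE_ASSIGNER_ROLES = {"owner", "user access administrator"}


def _segments(scope):
    # Normalise an ARM scope into lower-case path segments so that
    # "/subscriptions/AAA" covers "/subscriptions/aaa/resourceGroups/rg1"
    # but "/subscriptions/aaa" does not cover "/subscriptions/aaab".
    return [s.lower() for s in scope.strip("/").split("/") if s]


def scope_covers(assigned_scope, target_scope):
    """True if an assignment at assigned_scope is inherited by target_scope.

    The tenant root scope "/" yields no segments and therefore covers everything;
    management-group scopes are a different path prefix and are not resolved here.
    """
    assigned, target = _segments(assigned_scope), _segments(target_scope)
    return target[: len(assigned)] == assigned


def can_assign_roles(assignments, target_scope):
    """Return the assignments that allow role assignment at target_scope.

    `assignments` is the parsed JSON list from
    `az role assignment list --assignee <id> --all -o json`; only the
    roleDefinitionName and scope fields of each entry are used.
    """
    return [
        a for a in assignments
        if a.get("roleDefinitionName", "").lower() in ROLE_ASSIGNER_ROLES
        and scope_covers(a.get("scope", ""), target_scope)
    ]


# Constructed sample CLI output (placeholder subscription id, not a real one)
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"roleDefinitionName": "User Access Administrator",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/k3s-rg"},
  {"roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/other-rg"}
]""")

if __name__ == "__main__":
    target = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/k3s-rg"
    hits = can_assign_roles(SAMPLE_ASSIGNMENTS, target)
    print("can assign roles at target scope:", bool(hits))
```

Contributor alone is filtered out even at subscription scope, which is exactly the situation that produces the error in the question.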