Question about service principal and AD security

Rene 1 Reputation point

A short explanation of the situation: A company has an Azure tenant with Active Directory integration. The AD is maintained by system administrators. An Azure dev/test subscription is created to deploy workloads by development engineers. The engineers have the Owner role on the subscription.

When creating certain workloads or Azure DevOps service connections, service principals can be created automatically to allow certain tasks to be done, for example pulling an image from an Azure registry by workload X. This can be initiated using the interface of the portal or Azure DevOps.

The problem occurs when, for example, a service connection in Azure DevOps is being created by an owner of the subscription who is not a system administrator. The error reported that the user doesn't have the permission to set up the service principal.

In the case of this company, another department is involved, which means days of delay. Is it possible to set up an Azure subscription with AD integration where subscription owners, who are not system administrators, can create service principals?


1 answer

  1. Rahul Metangale 101 Reputation points

    Hi @Rene ,

    Unfortunately it is not possible for a subscription owner to create applications within Azure AD. A user belonging to the Application Administrator role can create service principals. But then in this case the user will have more access than they need.

    Rahul Metangale

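An added diagnostic example, not part of the question or answer above: it checks the two things that actually decide whether a user can register an application (and thus a service principal) in Azure AD, namely the tenant's authorization policy (`defaultUserRolePermissions.allowedToCreateApps`) and the directory roles the user holds; the Azure RBAC Owner role on the subscription plays no part. The Graph endpoints are real, but the responses shown are constructed samples and `graph_get` assumes you supply a bearer token.

```python
import json
import urllib.request

# Constructed sample of GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy
# (tenant where admins turned off "Users can register applications")
SAMPLE_POLICY = {"defaultUserRolePermissions": {"allowedToCreateApps": False}}

# Constructed sample of GET https://graph.microsoft.com/v1.0/me/memberOf for the
# subscription owner from the question: a group plus a read-only directory role
SAMPLE_MEMBER_OF = {"value": [
    {"@odata.type": "#microsoft.graph.group", "displayName": "devtest-subscription-owners"},
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Directory Readers"},
]}

# Built-in Azure AD directory roles that may register applications / create service
# principals; the least-privileged of these for that task is Cloud Application Administrator
APP_CREATING_ROLES = {
    "Global Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
}


def directory_roles(member_of):
    """Keep only directory roles from a /memberOf response; groups and RBAC are irrelevant."""
    return {
        m["displayName"]
        for m in member_of.get("value", [])
        if m.get("@odata.type") == "#microsoft.graph.directoryRole"
    }


def can_create_app(policy, member_of):
    """Return (allowed, reason) for registering an app in this tenant as this user."""
    if policy["defaultUserRolePermissions"]["allowedToCreateApps"]:
        return True, "tenant allows any member user to register applications"
    held = directory_roles(member_of) & APP_CREATING_ROLES
    if held:
        return True, "user holds app-creating directory role(s): " + ", ".join(sorted(held))
    return False, "member app registration is disabled and the user holds no app-creating directory role"


def graph_get(url, token):
    """Fetch a Microsoft Graph resource with a caller-supplied bearer token (assumed present)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(can_create_app(SAMPLE_POLICY, SAMPLE_MEMBER_OF))
```

With a real token, replace the samples by `graph_get(".../policies/authorizationPolicy", token)` and `graph_get(".../me/memberOf", token)` to diagnose the error from the question before asking the directory admins for a role change.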