Question about service principal and AD security

Rene 1 Reputation point
2021-03-20T04:20:24.713+00:00

A short explanation of the situation: A company has an Azure tenant with Active Directory integration. The AD is maintained by system administrators. An Azure dev/test subscription is created to deploy workloads by development engineers. The engineers have the Owner role on the subscription.

When creating certain workloads or Azure DevOps service connections, service principals can be created automatically to allow certain tasks to be done, for example pulling an image from an Azure registry by workload X. This can be initiated using the portal interface or Azure DevOps.

The problem occurs when, for example, a service connection in Azure DevOps is being created by an owner of the subscription who is not a system administrator. The error reported that the user doesn't have permission to set up the service principal.

In the case of this company, another department is involved, which means days of delay. Is it possible to set up an Azure subscription with AD integration where subscription owners who are not system administrators can create service principals?

Microsoft Entra ID

1 answer

  1. Rahul Metangale 106 Reputation points
    2021-03-22T08:19:25.477+00:00

    Hi @Rene ,

    Unfortunately, it is not possible for a subscription owner to create applications within Azure AD. A user belonging to the Application Administrator role can create service principals. But then, in this case, the user will have more access than they need.

    Thanks,
    Rahul Metangale
