Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Problem assigning 'privileged administrator roles' to Service Principals using the portal
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 73%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMD%3C/text%3E%3C/svg%3E)
Mickael di Monte
0
Reputation points
hello,
I noticed today that I am not able anymore to assign 'job function roles' or 'privileged administrator roles' to service-principals using the Azure Portal.
To do that, first I select the object I want to adjust the RBAC config for (in my case I want to assign the role 'Contributor' at the subscription level, then:
- I select 'Access Control (IAM)
- then, "+Add" > "Add role assignment"
- then, from the page "Privileged administrator roles" I choose "Contributor"
- then I click Next" to move to the selection of the subject I want to assign the role to
- then I make sure that the radio "User, group, or service principal" is the one selected
- then I click on "+Select members" which opens a panel to choose the subject(s)
- And finally, I notice that in the list of available members the service-principals I have created do not show up.
Note that when I use the "az" CLI commands I can successfully assign this role to the Service Principal.
Note also that I did this very same operation using the Portal just a few days ago and this worked just fine.
Is there anything I do wrong? Or is there a recent update applied which could explain this new (buggy) behavior?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
Mickael di Monte 0 Reputation points
2026-03-18T18:54:31.3766667+00:00 Also note that the user I am connected with and that I am using to try to assign this role to the service-principal is the owner of the subscription and does not have any 'condition' set which could limit which role or which service principal could be used in role assignments
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 35,245 Reputation points Microsoft External Staff Moderator2026-03-18T19:56:11.12+00:00 Hello Mickael di Monte
Can you try to search the app with the complete name as checked in my environment, the service principal shows up:
Also can you please check with other Service principal names and let me know if the issue is with only one app?
-
Rukmini 35,245 Reputation points Microsoft External Staff Moderator
2026-03-19T21:00:52.1433333+00:00 Hello Mickael di Monte
Following up to see if the above provided information was helpful. If you have any further queries do let us know.
-
Mickael di Monte 0 Reputation points
2026-03-23T02:07:20.48+00:00 Hello Rukmini,
I have tried your proposal and, if instead of leaving the filter empty I document the name of the Service Principal, indeed I can see the SP proposed in the list.
This 'odd' behavior was not existing a few days (weeks?) ago. I supposed that we can consider it a bug. Would you have insights about when it could be fixed? -
Rukmini 35,245 Reputation points Microsoft External Staff Moderator
2026-03-23T16:30:57.33+00:00 Hello Mickael di Monte
We have not observed any bug regarding this issue! For SPs we have to search with name then it displays.
-
Rukmini 35,245 Reputation points Microsoft External Staff Moderator
2026-03-25T19:37:42.8433333+00:00 Hello Mickael di Monte
Can you please confirm if the issue is resolved?
Sign in to comment
Sign in to answer