Create a Service Principal over Azure CLI

Studer Christian 21 Reputation points
2022-07-27T06:18:44.983+00:00

Build Infrastructure - Terraform Azure Example. --> https://learn.hashicorp.com/tutorials/terraform/azure-build

Christians-MacBook-Pro:~ christian$ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<5aa867eb-55db-4b2c-a9c9-3d6c94c46894"
Directory permission is needed for the current user to register the application. For how to configure, please refer 'https://learn.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: Insufficient privileges to complete the operation.

How can I get the needed permission for the current user to register the application?

Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,601 Reputation points
    2022-07-27T11:11:52.84+00:00

    Hi @Studer Christian • Thank you for reaching out.

    As specified in the Azure AD built-in roles document, below are the Directory Roles that have permissions to create service principals.

    1. Application Administrator
    2. Application Developer
    3. Cloud Application Administrator
    4. Directory Synchronization Accounts
    5. Hybrid Identity Administrator.

    In order to get access to any of these roles, you need to ask the Global Administrator of your tenant to assign the current account with one of the above roles. I would suggest you choose to go with the Cloud Application Administrator role as it is the least privileged role out of all five roles and includes permissions to create service principals as well. For this purpose, you need to navigate to:

    Azure portal > Azure Active Directory > Roles and Administrators > Cloud Application Administrator > Assignments > Add Assignments > Add required user.

    If the global administrator of your tenant has configured PIM and made you eligible for one of these roles, you can activate the role by yourself as well. The instructions are documented here: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
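A pre-flight script for the situation in the question, added here as an example (it is not code from the thread or from the HashiCorp tutorial). It assumes an Azure CLI session that is already logged in, and it uses the Graph `/me/memberOf` endpoint through `az rest` to see which directory roles the signed-in user currently holds, so the "Insufficient privileges" error can be predicted before `az ad sp create-for-rbac` runs. Two things it checks: that the subscription id in the scope is a bare GUID (the command in the question still carries the `<` of the placeholder), and that at least one of the five directory roles named in the accepted answer is active for the caller. The sample `/me/memberOf` rows are constructed; the function names are mine.

```shell
# Added example: pre-flight checks before `az ad sp create-for-rbac`.
# Assumes `az login` has already been done for the live function at the end.

# A subscription id must be a bare GUID; the scope in the question still had
# a stray '<' in front of it, which the CLI would pass through verbatim.
valid_subscription_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Reads TSV rows "<@odata.type>\t<displayName>" (the shape `az rest ... -o tsv`
# produces for /me/memberOf) and prints the active directory roles that the
# accepted answer lists as able to create service principals.
# Groups are ignored even if their display name matches a role name.
# Exit status: 0 if at least one such role is held, 1 otherwise (from grep).
sp_create_roles_held() {
  awk -F'\t' '$1 == "#microsoft.graph.directoryRole" { print $2 }' |
    grep -Fx \
      -e 'Application Administrator' \
      -e 'Application Developer' \
      -e 'Cloud Application Administrator' \
      -e 'Directory Synchronization Accounts' \
      -e 'Hybrid Identity Administrator'
}

# Constructed sample of /me/memberOf rows: one group whose name happens to
# equal a role name (must not count), one real directory role, one other group.
SAMPLE_MEMBEROF_TSV=$(printf '%s\t%s\n%s\t%s\n%s\t%s' \
  '#microsoft.graph.group' 'Application Administrator' \
  '#microsoft.graph.directoryRole' 'Cloud Application Administrator' \
  '#microsoft.graph.group' 'Terraform Admins')

# Live pre-flight (hypothetical helper; needs `az login`, not run offline).
# PIM-eligible roles only appear in /me/memberOf once they have been activated,
# so an eligible-but-inactive user is told to activate the role first.
preflight_and_create_sp() {
  sub="$1"
  valid_subscription_id "$sub" || {
    echo "not a subscription GUID: $sub" >&2
    return 2
  }
  az rest --method get \
    --url 'https://graph.microsoft.com/v1.0/me/memberOf' \
    --query 'value[].["@odata.type", displayName]' -o tsv |
    sp_create_roles_held >/dev/null || {
    echo "no active directory role that can register applications;" >&2
    echo "ask for Cloud Application Administrator or activate it in PIM" >&2
    return 3
  }
  # Same command as the tutorial, scoped to the single subscription.
  az ad sp create-for-rbac --role Contributor --scopes "/subscriptions/$sub"
}

# Offline demonstration against the constructed sample (no Azure call):
# prints "Cloud Application Administrator" and exits 0.
printf '%s\n' "$SAMPLE_MEMBEROF_TSV" | sp_create_roles_held
```

Usage for the live path is `preflight_and_create_sp 5aa867eb-55db-4b2c-a9c9-3d6c94c46894`, i.e. the subscription id from the question without the `<`. The role check is deliberately done against directory role objects only (`#microsoft.graph.directoryRole`), because a security group that merely carries a role's display name grants nothing.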

3 additional answers

  1. Rahul Singh (PGT) 1 Reputation point
    2022-12-13T14:36:17.49+00:00

    How to create a Kubernetes using AKS without using Service Principal?


  2. Adarsh Domakonda 0 Reputation points
    2023-11-09T11:29:35.9066667+00:00

    Hi Friends !!!

    I got the above error when I used my company email for the Microsoft Azure free trial subscription. As companies don't permit us to access Azure Active Directory (now Microsoft Entra ID), we will end up nowhere trying to make the above command succeed.

    Please use your own personal email for the Azure free trial instead of your company email.

    Cheers,
    Adarsh


  3. Fredy Estepa 0 Reputation points
    2024-07-23T19:57:56.0466667+00:00

    You can follow the following steps:

    1. Create a new Tenant: https://learn.microsoft.com/en-us/entra/fundamentals/create-new-tenant
    2. Associate your Azure subscription with the new tenant: https://learn.microsoft.com/en-us/entra/fundamentals/how-subscriptions-associated-directory

    After that you should be able to manage your account in your own tenant.
