Service Principal with "Cloud Application Administrator" role is not able to create another SP.

Microsoft

I have a Service Principal to which I've granted the following permissions:

  • Owner on a subscription, done via role assignment (az role assignment create)
  • Cloud Application Administrator, done via role assignment through Azure Portal (Portal -> Roles and administrators -> Cloud application administrator -> Add assignment).

Then I am using this service principal to test a .NET Core application which should create application registration and create some Azure resources in a Resource Group. I am using MSAL for communication with Microsoft Graph.

Previously I was assigning "Company Administrator" role to the Service Principal and the flow was working as intended. Now, instead of "Company Administrator" role I want to test "Cloud Application Administrator" role and see if it would suffice for my flow.

Unfortunately, I am having a problem when my application tries to create a Service Principal for an application registration. Application registration works without a problem (through GraphServiceClient.Applications.Request().AddAsync(...)) but Service Principal creation just after that fails (through GraphServiceClient.ServicePrincipals.Request().AddAsync(...)) with "Authorization_RequestDenied" code ("message": "Insufficient privileges to complete the operation."). As far as I understand this behavior is incorrect since "Cloud Application Administrator" role should have enough permissions to create a Service Principal, as defined here (https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#cloud-application-administrator-permissions), particularly microsoft.directory/servicePrincipals/create.

Am I missing something about "Cloud Application Administrator" role? Or is my assignment of the role to Service Principal somehow incorrect?

0 Replies
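The two Graph calls from the post, plus the check a practitioner would run first: list the directory roles the calling service principal is actually a member of, so the "Cloud Application Administrator" assignment can be confirmed against the SP's object id rather than assumed. This is an added example, not the poster's code; it assumes Microsoft.Graph SDK 1.x and a GraphServiceClient already authenticated with MSAL client credentials as the SP under test, and the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;

// Added example (not the poster's code). Assumes Microsoft.Graph SDK 1.x and a
// GraphServiceClient already authenticated as the service principal under test
// via MSAL client credentials; class and method names are hypothetical.
public static class SpProvisioning
{
    // Creates an application registration and then its service principal,
    // surfacing the Graph error code and message instead of a bare exception.
    public static async Task<ServicePrincipal> CreateAppAndSpAsync(
        GraphServiceClient graph, string displayName)
    {
        var app = await graph.Applications.Request().AddAsync(
            new Application { DisplayName = displayName });

        try
        {
            return await graph.ServicePrincipals.Request().AddAsync(
                new ServicePrincipal { AppId = app.AppId });
        }
        catch (ServiceException ex) when (ex.Error?.Code == "Authorization_RequestDenied")
        {
            // The registration already exists at this point but the SP does not;
            // report the appId so the half-finished state is visible to the caller.
            throw new InvalidOperationException(
                $"Service principal creation for appId {app.AppId} denied: {ex.Error.Message}", ex);
        }
    }

    // Returns the display names of the directory roles the given service principal
    // is a direct member of (first page only). Pass the object id of the SP the
    // application authenticates as, not its appId, and look for
    // "Cloud Application Administrator" in the result.
    public static async Task<string[]> GetDirectoryRolesAsync(
        GraphServiceClient graph, string callerSpObjectId)
    {
        var page = await graph.ServicePrincipals[callerSpObjectId].MemberOf.Request().GetAsync();
        return page.CurrentPage
            .OfType<DirectoryRole>()
            .Select(r => r.DisplayName)
            .ToArray();
    }
}
```

Running GetDirectoryRolesAsync before CreateAppAndSpAsync separates "the role assignment did not take effect for this SP" from "the role is assigned but does not cover this operation", which is the distinction the post's question turns on.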