Dec 16 2019 - last edited on Jul 24 2020
I have a Service Principal to which I've granted the following permissions:
Then I am using this service principal to test a .Net Core application which should create application registration and create some Azure resources in a Resource Group. I am using MSAL for communication with Microsoft Graph.
Previously I was assigning "Company Administrator" role to the Service Principal and the flow was working as intended. Now, instead of "Company Administrator" role I want to test "Cloud Application Administrator" role and see if it would suffice for my flow.
Unfortunately, I am having a problem when my application tries to create a Service Principal for an application registration. Application registration works without a problem (through GraphServiceClient.Applications.Request().AddAsync(...)) but Service Principal creation just after that fails (through GraphServiceClient.ServicePrincipals.Request().AddAsync(...)) with "Authorization_RequestDenied" code ("message": "Insufficient privileges to complete the operation."). As far as I understand, this behavior is incorrect since the "Cloud Application Administrator" role should have enough permissions to create a Service Principal, as defined here, particularly microsoft.directory/servicePrincipals/create.
Am I missing something about the "Cloud Application Administrator" role? Or is my assignment of the role to the Service Principal somehow incorrect?
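The two-step flow described in the post (MSAL client-credential token, then application registration, then service principal creation), as an added example that is not the poster's code. It assumes the Microsoft.Graph SDK in its request-builder style (`GraphServiceClient`, `.Request().AddAsync(...)`) and Microsoft.Identity.Client; the tenant id, client id and secret are placeholders, and the error handling records which of the two Graph calls raised the denial so a role under test can be judged per operation.

```csharp
// Added example, not the poster's code. Values in angle brackets are assumed placeholders.
using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

public static class AppAndSpProvisioner
{
    public static async Task Main()
    {
        const string tenantId = "<tenant-id>";
        const string clientId = "<client-id-of-the-provisioning-service-principal>";
        const string clientSecret = "<client-secret>";

        // App-only token via MSAL client credentials; what the calls may do is decided by the
        // directory role (here, the one under test) assigned to this service principal.
        var msal = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();
        var graph = new GraphServiceClient(new DelegateAuthenticationProvider(async request =>
        {
            var token = await msal.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync();
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
        }));

        Application app = null;
        try
        {
            // Step 1: the application registration (the step that succeeds in the post).
            app = await graph.Applications.Request()
                .AddAsync(new Application { DisplayName = "role-test-" + Guid.NewGuid().ToString("N") });
            Console.WriteLine($"Created application, appId={app.AppId}");

            // Step 2: the service principal for that registration (the step that fails in the post).
            var sp = await graph.ServicePrincipals.Request()
                .AddAsync(new ServicePrincipal { AppId = app.AppId });
            Console.WriteLine($"Created service principal, objectId={sp.Id}");
        }
        catch (ServiceException ex)
        {
            // Graph reports a denial as an error code (the post quotes Authorization_RequestDenied);
            // recording which step raised it pins the missing right to one operation.
            var step = app == null ? "applications/create" : "servicePrincipals/create";
            Console.WriteLine($"{step} failed: HTTP {(int)ex.StatusCode} {ex.Error?.Code}: {ex.Error?.Message}");
        }
    }
}
```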