Microsoft Tech Community

Service Principal with "Cloud Application Administrator" role is not able to create another SP.

I have a Service Principal to which I've granted the following permissions:

  • Owner on a subscription, done via role assignment (az role assignment create)
  • Cloud Application Administrator, done via role assignment through Azure Portal (Portal -> Roles and administrators -> Cloud application administrator -> Add assignment).

Then I am using this service principal to test a .NET Core application which should create an application registration and create some Azure resources in a Resource Group. I am using MSAL for communication with Microsoft Graph.

Previously I was assigning "Company Administrator" role to the Service Principal and the flow was working as intended. Now, instead of "Company Administrator" role I want to test "Cloud Application Administrator" role and see if it would suffice for my flow.

Unfortunately, I am having a problem when my application tries to create a Service Principal for an application registration. Application registration works without a problem (through GraphServiceClient.Applications.Request().AddAsync(...)), but Service Principal creation just after that fails (through GraphServiceClient.ServicePrincipals.Request().AddAsync(...)) with the "Authorization_RequestDenied" code ("message": "Insufficient privileges to complete the operation."). As far as I understand, this behavior is incorrect, since the "Cloud Application Administrator" role should have enough permissions to create a Service Principal, as defined here, particularly microsoft.directory/servicePrincipals/create.

Am I missing something about the "Cloud Application Administrator" role? Or is my assignment of the role to the Service Principal somehow incorrect?
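As an added example (not code from the original post), the two-step flow the question describes, written against the Microsoft.Graph SDK v4 `.Request()` API and MSAL client-credentials, with each step wrapped so an `Authorization_RequestDenied` response is reported against the operation that produced it; this is how a role's effective permissions can be tested one call at a time. The `AZURE_*` environment variables and the `probe-app` display name are assumed placeholders.

```csharp
// Added example (not from the original post): the question's two Graph calls, made
// with an MSAL client-credentials token, each reporting whether it was denied.
using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

public static class AppProvisioningProbe
{
    public static async Task Main()
    {
        // Assumed environment variables holding the testing SP's credentials.
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        string secret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");
        IConfidentialClientApplication msal = ConfidentialClientApplicationBuilder
            .Create(clientId).WithTenantId(tenantId).WithClientSecret(secret).Build();
        // App-only token: effective rights come from the SP's directory role and app roles.
        string[] scopes = { "https://graph.microsoft.com/.default" };
        var graph = new GraphServiceClient(new DelegateAuthenticationProvider(async request =>
        {
            AuthenticationResult token = await msal.AcquireTokenForClient(scopes).ExecuteAsync();
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
        }));
        // Step 1: application registration (the call that succeeds in the question).
        Application app = await Step("Applications.Add", () =>
            graph.Applications.Request().AddAsync(new Application { DisplayName = "probe-app" }));
        if (app == null) return;
        // Step 2: service principal for that registration (the call that is denied).
        await Step("ServicePrincipals.Add", () =>
            graph.ServicePrincipals.Request().AddAsync(new ServicePrincipal { AppId = app.AppId }));
    }

    // Runs one Graph call; an Authorization_RequestDenied error is reported against the
    // step name, so a missing directory-role permission shows up per operation.
    private static async Task<T> Step<T>(string name, Func<Task<T>> call) where T : class
    {
        try
        {
            T result = await call();
            Console.WriteLine($"{name}: OK");
            return result;
        }
        catch (ServiceException ex) when (ex.Error?.Code == "Authorization_RequestDenied")
        {
            Console.WriteLine($"{name}: DENIED - {ex.Error.Message}");
            return null;
        }
    }
}
```

Running this under each candidate role (Company Administrator versus Cloud Application Administrator) gives a per-call record of which Graph operation the role actually allows, which is the comparison the question is after.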

1 Reply
Hello, I'm experiencing the exact same issue (just going via CLI). Is there any update on this? Any mod that can help out please?