Creating Service Principal for Azure CDN is failing with Tenant Permission Error

I'm trying to add Azure CDN as a service account, in order to connect it to KeyVault.
Following the official guide and other suggestions such as "Can't add Microsoft.Azure.Cdn service principal to Key Vault access policies".

However this command:

New-AzureRmADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"

is giving me this error:

New-AzureRmADServicePrincipal : When using this permission, the backing application of the service principal being created must in the local tenant.

Even after I've set the context to the correct tenant using Set-AzureRmContext -TenantId xxx.
Any help is appreciated!

asked Jan 31 '20 12:01 by Santa Ynez Valley


1 Answer

The error

When using this permission, the backing application of the service principal being created must in the local tenant.

is reported when you don't have sufficient permissions in AAD to add a service principal for an application defined in a different tenant. This is the case for e.g. a normal user who does not have any specific Azure Active Directory role. With Global Administrator or Application Administrator (or possibly other roles) the command would succeed (please note that these are AAD administrative roles, not the RBAC roles which are used for resources).

The same error could be reported by the az cli call to create the principal:

az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
answered Oct 19 '22 12:10 by Michal
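As an added example (not code from the question or the answer above), the following AzureRM PowerShell sequence checks that the session targets the intended tenant, creates the Microsoft.Azure.Cdn service principal only if it does not already exist, recognises the exact error from the question and explains it in terms of the missing AAD role, and then grants the Key Vault access policy. The tenant id and vault name are placeholders, and the choice of "get" on secrets and certificates as the minimal permission set is an assumption.

```powershell
# Added example: idempotent creation of the Azure CDN service principal plus
# Key Vault access policy. Assumes an AzureRM session is already logged in
# (Login-AzureRmAccount). $tenantId and $vaultName are placeholders.
$cdnAppId  = "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"  # Microsoft.Azure.Cdn app id from the question
$tenantId  = "<your-tenant-id>"                       # placeholder
$vaultName = "<your-key-vault-name>"                  # placeholder

# Confirm the context really points at the intended tenant; a Set-AzureRmContext
# that did not take effect is a common reason the command hits the wrong directory.
$ctx = Get-AzureRmContext
if ($ctx.Tenant.Id -ne $tenantId) {
    Set-AzureRmContext -TenantId $tenantId | Out-Null
    $ctx = Get-AzureRmContext
}
Write-Host "Working in tenant $($ctx.Tenant.Id) as $($ctx.Account.Id)"

# A first-party app's service principal may already exist in the tenant;
# look it up by SPN (the app id is one of its SPNs) before creating it.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $cdnAppId -ErrorAction SilentlyContinue
if (-not $sp) {
    try {
        $sp = New-AzureRmADServicePrincipal -ApplicationId $cdnAppId
    }
    catch {
        if ($_.Exception.Message -match 'must in the local tenant') {
            # Exactly the error from the question: the signed-in account lacks an
            # AAD administrative role (Global/Application Administrator), not RBAC.
            throw "Creating the Microsoft.Azure.Cdn service principal requires an Azure AD admin role; have a Global or Application Administrator run this step."
        }
        throw
    }
}
Write-Host "Service principal object id: $($sp.Id)"

# Least privilege: grant only read access to secrets and certificates
# (assumption: 'get' is sufficient for CDN to pull the certificate).
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName $cdnAppId `
    -PermissionsToSecrets get `
    -PermissionsToCertificates get
```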