I'm trying to add Azure CDN as a service account, in order to connect it to KeyVault.
I am following the official guide and other suggestions such as "Can't add Microsoft.Azure.Cdn service principal to Key Vault access policies". However, this command:
New-AzureRmADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
is giving me this error:
New-AzureRmADServicePrincipal : When using this permission, the backing application of the service principal being created must in the local tenant.
This happens even after I've set the context to the correct tenant using Set-AzureRmContext -TenantId xxx.
Any help is appreciated!
1 Answer
The error
When using this permission, the backing application of the service principal being created must in the local tenant.
is reported when you don't have sufficient permissions in AAD to add a service principal for an application defined in a different tenant. This is the case for e.g. a normal user who does not have any specific Azure Active Directory role. With Global Administrator or Application Administrator (or possibly other roles) the command would succeed (please note that these are AAD administrative roles, not the RBAC roles which are used for resources).
The same error could be reported by the az CLI call to create the principal:
az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
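A scripted version of the advice above, added here as an example rather than taken from the answer or from the CDN guide: it verifies the tenant context, looks the Microsoft.Azure.Cdn service principal up before trying to create it (it often already exists, in which case no directory write permission is needed), and then grants the vault only the read permissions the CDN needs. It assumes the AzureRM modules are loaded (with Get-AzureRmADServicePrincipal accepting -ApplicationId) and uses placeholder tenant and vault names.

```powershell
# Added example, not code from the original question or answer.
# Assumes the AzureRM modules are loaded and the signed-in account holds an
# AAD administrative role (e.g. Application Administrator) in the target tenant.
param(
    [string]$TenantId  = "<your-tenant-id>",       # placeholder
    [string]$VaultName = "<your-key-vault-name>",  # placeholder
    # Application id of Microsoft.Azure.Cdn, as used in the question
    [string]$CdnAppId  = "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
)

# 1. Make sure the session context really points at the intended tenant.
Set-AzureRmContext -TenantId $TenantId | Out-Null
$ctx = Get-AzureRmContext
if ($ctx.Tenant.Id -ne $TenantId) {
    throw "Context tenant $($ctx.Tenant.Id) does not match requested tenant $TenantId"
}

# 2. Look before creating: if the CDN service principal already exists in
#    this tenant, New-AzureRmADServicePrincipal is not needed at all.
$sp = Get-AzureRmADServicePrincipal -ApplicationId $CdnAppId -ErrorAction SilentlyContinue
if ($null -eq $sp) {
    try {
        $sp = New-AzureRmADServicePrincipal -ApplicationId $CdnAppId -ErrorAction Stop
    }
    catch {
        # The error quoted in the question lands here when the signed-in user
        # lacks an AAD role allowed to create principals for multi-tenant apps.
        throw ("Could not create the Microsoft.Azure.Cdn service principal; " +
               "sign in with an AAD administrative role and retry. " +
               "Detail: $($_.Exception.Message)")
    }
}
Write-Host "Service principal object id: $($sp.Id)"

# 3. Grant only what the CDN needs to read the certificate: get/list on
#    certificates and get on secrets, scoped to this single principal.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
    -ServicePrincipalName $CdnAppId `
    -PermissionsToSecrets get `
    -PermissionsToCertificates get,list
```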