Azure - Creating Service Principal with Tenant Admin Permission

I am trying to provision Azure AD Domain Service by executing an ARM template in Terraform. To let Terraform access Azure, I have created a service principal using the script below:

az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/xxxxxxxx-xxxxxfca38"

and then gave the Client ID and Secret to Terraform.

The problem is, when I execute the script, Azure gives me an error saying:

code":"BadRequest", "message": "The user xxxxx-80b is not the tenant admin of tenant xxxxxx-xxxxxfca38.

However, when I log in to the Azure portal using my email and password, I can create AZ AD Domain Service without any error.

How do I create a service principal with the right privileges for performing such an operation? I initially thought --role="Owner" should be sufficient.

Alternatively, is it possible to get the Client ID and Secret of the same account which I use to log in to the Azure portal?

P.S.: I am using a personal account in Azure which is not linked to any organization AD.

Solution 1:[1]

This is the complete answer:

You get the "Bad Request" error because the Service Principal needs to have Global Admin rights in the Tenant.

For the complete TF Template to run you need the correct permissions at both the Tenant and Subscription level.

  • Subscription: Owner
  • Tenant: Global Admin

Joy already showed how to set the Subscription Owner property, so I won't repeat it here, but you do need to make sure you are in the correct Directory/Tenant context if you have more than one.

Assigning the Global Admin Role to a Service Principal:

In the portal navigate to:

Azure Active Directory
  -> Roles and Administrators
   -> Search for and select "Global Administrator"
    -> Click on "Global Administrator"

At this point you will see a list of all users and Service Principals currently assigned this role.

Here is the non-obvious part. When you click on "Add Assignments", a blade pops up on the right with a list of the AD users and groups in the current Tenant, but no Service Principals. You need to search for the SP by name; it will pop up in the search results. Select it like you would a user and click "Add". The SP will now show up in the earlier list of users assigned the GA role.

Once I did this the Terraform Template was able to create the AAD DS instance.
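A service principal holding Global Administrator is a standing, non-interactive tenant admin, so once the template has run it is worth checking which service principals still sit in that role. The following audit helper is an added example, not code from the question or the answer above. It assumes a saved response from Microsoft Graph `GET /directoryRoles?$expand=members` (for instance captured with `az rest`), with the field names Graph documents for directory roles and their members; the sample response embedded below is constructed, and its object ids and appIds are placeholders.

```python
"""Audit helper: list the service principals that are direct members of the
Global Administrator directory role, from a saved Microsoft Graph response.

Added example, not from the original Stack Overflow post. Assumes the JSON
shape of GET https://graph.microsoft.com/v1.0/directoryRoles?$expand=members
(field names as documented for Graph). The sample data is constructed.
"""
import json

# Well-known roleTemplateId of the Global Administrator role. Matching on it
# is more robust than matching the display name, which can be localised.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
SP_TYPE = "#microsoft.graph.servicePrincipal"
GROUP_TYPE = "#microsoft.graph.group"

# Constructed sample shaped like the Graph response; ids are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "id": "role-object-id-1",
            "displayName": "Global Administrator",
            "roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID,
            "members": [
                {"@odata.type": "#microsoft.graph.user",
                 "id": "user-1", "displayName": "Alice Admin",
                 "userPrincipalName": "alice@example.com"},
                {"@odata.type": SP_TYPE,
                 "id": "sp-1", "displayName": "terraform-aadds",
                 "appId": "00000000-0000-0000-0000-000000000001"},
                {"@odata.type": GROUP_TYPE,
                 "id": "group-1", "displayName": "Break Glass Admins"},
            ],
        },
        {
            "id": "role-object-id-2",
            "displayName": "Some Other Role",
            "roleTemplateId": "placeholder-other-role-template-id",
            "members": [
                {"@odata.type": SP_TYPE,
                 "id": "sp-2", "displayName": "reporting-reader",
                 "appId": "00000000-0000-0000-0000-000000000002"},
            ],
        },
    ]
})


def _global_admin_members(response_json):
    """Yield the direct members of every role whose template is Global Admin."""
    data = json.loads(response_json)
    for role in data.get("value", []):
        if role.get("roleTemplateId") != GLOBAL_ADMIN_TEMPLATE_ID:
            continue
        for member in role.get("members", []):
            yield member


def global_admin_service_principals(response_json):
    """Return (displayName, appId) for each service principal that is a
    direct member of Global Administrator. Members of other roles are
    ignored, so a reader-only SP does not show up here."""
    return [(m.get("displayName"), m.get("appId"))
            for m in _global_admin_members(response_json)
            if m.get("@odata.type") == SP_TYPE]


def global_admin_groups(response_json):
    """Return the display names of groups assigned Global Administrator.
    $expand=members lists direct members only, so a service principal that
    is nested inside a role-assignable group will not appear in
    global_admin_service_principals(); each group returned here still needs
    its own membership expanded before the audit is complete."""
    return [m.get("displayName")
            for m in _global_admin_members(response_json)
            if m.get("@odata.type") == GROUP_TYPE]


if __name__ == "__main__":
    for name, app_id in global_admin_service_principals(SAMPLE_RESPONSE):
        print(f"Global Admin service principal: {name} (appId {app_id})")
    for group in global_admin_groups(SAMPLE_RESPONSE):
        print(f"Global Admin group (expand separately): {group}")
```

Run it against a real capture by replacing `SAMPLE_RESPONSE` with the saved Graph output; any service principal it prints should be compared against the list of automation identities that are expected to hold tenant admin rights, and the groups it flags should be expanded before concluding that no further service principals are in the role.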

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Karl Vietmeier