Closed
Labels: AAD (AzAd cmdlets in Az.Resources), customer-reported, needs-author-feedback (More information is needed from author to address the issue.), question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that.)
Description
New-AzADAppCredential works when run using an AAD account that is an owner of a given app registration.
Service principals can be made owners of app registrations via Azure CLI: https://docs.microsoft.com/en-us/cli/azure/ad/app/owner?view=azure-cli-latest
New-AzADAppCredential does not work when connected via a service principal, although the service principal has been made an owner of the app registration.
Issue script & Debug output
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant "<tenant id>"
$StartDate = Get-Date
$EndDate = $StartDate.AddHours(1)
$ClientSecret = New-AzADAppCredential -ObjectId "<object id of enterprise application of app registration>" -StartDate $startDate -EndDate $endDate -Debug
__________________________________________________________
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
Confirm
Are you sure you want to perform this action?
Performing the operation "Add-AzADApplicationPassword_AddExpanded" on target "Call remote 'ApplicationsAddPassword'
operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
DEBUG: [CmdletProcessRecordAsyncStart]: Created new QosEvent for command 'Add-AzADApplicationPassword_AddExpanded'
DEBUG: CmdletProcessRecordAsyncStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /applications/<object id of enterprise application of app registration>/microsoft.graph.addPassword
DEBUG: RequestCreated: /v1.0/applications/<object id of enterprise application of app registration>/microsoft.graph.addPassword
DEBUG: HeaderParametersAdded:
DEBUG: BodyContentSet:
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://graph.microsoft.com/v1.0/applications/<object id of enterprise application of app registration>/microsoft.graph.addPassword
Headers:
x-ms-unique-id : 55,56,57
x-ms-client-request-id : e58d61ee-0414-417d-9a6d-1952d42ca518
CommandName : Az.MSGraph.internal\Add-AzADApplicationPassword
FullCommandName : Add-AzADApplicationPassword_AddExpanded
ParameterSetName : __AllParameterSets
User-Agent : AzurePowershell/v7.3.0,PSVersion/v7.2.6,Az.MSGraph/5.4.0
Body:
{
"passwordCredential": {
"endDateTime": "2022-08-15T18:26:23.9715463+01:00",
"keyId": "<key id>",
"startDateTime": "2022-08-15T17:26:23.9715463+01:00"
}
}
DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Transfer-Encoding : chunked
Strict-Transport-Security : max-age=31536000
request-id : bd10f908-4bfc-4475-856b-db91b8ce98d4
client-request-id : bd10f908-4bfc-4475-856b-db91b8ce98d4
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"LN2PEPF00003306"}}
x-ms-resource-unit : 1
Date : Mon, 15 Aug 2022 16:26:27 GMT
Body:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2022-08-15T16:26:27",
"request-id": "bd10f908-4bfc-4475-856b-db91b8ce98d4",
"client-request-id": "bd10f908-4bfc-4475-856b-db91b8ce98d4"
}
}
}
DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
Add-AzADApplicationPassword_AddExpanded: C:\Users\<user name>\Documents\PowerShell\Modules\Az.Resources\5.4.0\MSGraph.Autorest\custom\New-AzADAppCredential.ps1:279:17
Line |
279 | … Az.MSGraph.internal\Add-AzADApplicationPassword @PSBoundP …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Insufficient privileges to complete the operation.
DEBUG: [Finally]: Getting exception 'Microsoft.Azure.Commands.Common.Exceptions.AzPSCloudException: InternalException' from response
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent: Module: Az.MSGraph:5.4.0; CommandName: Add-AzADApplicationPassword_AddExpanded; PSVersion: 7.2.6; IsSuccess: False; Duration: 00:00:00; Exception: InternalException;
DEBUG: Finish sending metric.
DEBUG: CmdletEndProcessing:

Environment data
Name Value
---- -----
PSVersion 7.2.6
PSEdition Core
GitCommitId 7.2.6
OS Microsoft Windows 10.0.19044
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Module versions
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.9.0 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Cl…
Script 5.4.0 Az.Resources {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzD…

Error output
HistoryId: 33
Message : [Authorization_RequestDenied] : Insufficient privileges to complete the operation.
StackTrace :
Exception : System.Exception
InvocationInfo : {Add-AzADApplicationPassword_AddExpanded}
Line : Az.MSGraph.internal\Add-AzADApplicationPassword @PSBoundParameters
Position : At C:\Users\<user name>\Documents\PowerShell\Modules\Az.Resources\5.4.0\MSGraph.Autorest\custom\New-AzADAppCredential.ps1:279 char:17
+ … Az.MSGraph.internal\Add-AzADApplicationPassword @PSBoundP …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 33
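Added diagnostic script for the failure above. It is not part of the issue and not the Az module's own code; it is what a practitioner would run in the same session, right after Connect-AzAccount -ServicePrincipal, before re-filing. It does three things: decodes the Microsoft Graph token the service principal actually received to show which application roles it carries; checks whether the value intended for -ObjectId is the application object (app registration) or the service principal object (enterprise application), since the debug trace shows the cmdlet posts to /applications/{id}/microsoft.graph.addPassword and so needs the application object ID; and lists the application's owners through Graph before attempting to add a secret. Assumptions, stated in the comments: Az.Accounts 2.9 as in the issue, where Get-AzAccessToken returns the token as a plain string; and that an app-only token needs a Graph application permission such as Application.ReadWrite.OwnedBy (limited to applications the caller owns) or Application.ReadWrite.All, because being an owner does not by itself put any roles into the token. The parameter $Id and the helper ConvertFrom-JwtPayload are this example's own names.

```powershell
# Added diagnostic example (not from the issue). Run after:
#   Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant "<tenant id>"
# Assumes Az.Accounts 2.9 / Az.Resources 5.4 as in the issue (Get-AzAccessToken returns a string token).
param(
    [Parameter(Mandatory)] [string] $Id   # the value you were about to pass to -ObjectId
)

$graph   = "https://graph.microsoft.com"
$token   = (Get-AzAccessToken -ResourceUrl $graph).Token
$headers = @{ Authorization = "Bearer $token" }

# Decode the JWT payload (base64url, no signature check; we only want to read our own claims).
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)] [string] $Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# 1. What is in the token? App-only tokens carry application permissions in 'roles';
#    delegated (user) tokens carry them in 'scp'. An empty 'roles' claim means no Graph
#    application permission has been consented for the calling app (assumption: ownership
#    of the target app adds nothing here).
$claims = ConvertFrom-JwtPayload $token
"Caller appid : $($claims.appid)"
"Token roles  : $($claims.roles -join ', ')"
"Token scp    : $($claims.scp)"

# 2. Is $Id the application object or the service principal object?
#    The issue's debug trace shows the call lands on /applications/{id}/..., so the
#    application (app registration) object ID is what New-AzADAppCredential needs.
$app = Get-AzADApplication -ObjectId $Id -ErrorAction SilentlyContinue
if (-not $app) {
    $sp = Get-AzADServicePrincipal -ObjectId $Id -ErrorAction SilentlyContinue
    if ($sp) {
        "$Id is a service principal (enterprise application) for appId $($sp.AppId); resolving its app registration."
        $app = Get-AzADApplication -ApplicationId $sp.AppId
    }
}
if (-not $app) { throw "$Id is neither an application nor a service principal visible to this caller." }
"Application object id : $($app.Id) (appId $($app.AppId))"

# 3. Is the calling service principal actually listed as an owner of that application?
$callerSp = Get-AzADServicePrincipal -ApplicationId $claims.appid
$owners   = (Invoke-RestMethod -Headers $headers -Uri "$graph/v1.0/applications/$($app.Id)/owners").value
$isOwner  = $owners.id -contains $callerSp.Id
"Caller SP $($callerSp.Id) is owner : $isOwner"

# 4. Only then add the secret, against the application object ID (never the SP object ID),
#    and only if the token carries a role that can write application credentials.
$hasRole = [bool]($claims.roles -match '^Application\.ReadWrite\.(OwnedBy|All)$')
if ($isOwner -and $hasRole) {
    $start = Get-Date
    $cred  = New-AzADAppCredential -ObjectId $app.Id -StartDate $start -EndDate $start.AddHours(1)
    "Created keyId $($cred.KeyId), expires $($cred.EndDateTime)"
} else {
    "Not calling addPassword: owner=$isOwner, roles=[$($claims.roles -join ', ')]"
}
```

If step 1 prints an empty roles list while step 3 reports the caller as an owner, the 403 Authorization_RequestDenied in the trace is expected for an app-only token and is resolved by granting (and admin-consenting) a Graph application permission to the calling app, not by adding more owners. If step 2 reports that the ID was a service principal, re-run with the application object ID it resolved.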