Azure PowerShell task: Insufficient privileges to complete the operation #7710
Comments
@Jaffacakes82 The Azure PowerShell task logs into the Azure account using -ServicePrincipal as the authorization scheme. Our understanding is you cannot access other Service Principals unless your selected service principal has appropriate permissions or you log in as a user.
@Jaffacakes82 You can add permissions to your app in AAD. In the portal go to your app, settings, Required Permissions. Click on Add, select API and select permission. Can you try with permissions as under:
@SumiranAgg thanks for your response, I will try and add some of these permissions and let you know how it goes. Please can you confirm my understanding that the Azure PowerShell task attempts to login as the Service Principal created in Azure AD that gets added when creating a service endpoint from a VSTS project to an Azure subscription?
@Jaffacakes82 Yes, that is correct. Also, you might have multiple service endpoints in your VSTS project. The task logs in with the service endpoint you select in the task under "Azure Subscription".
@SumiranAgg thanks for the clarification. Can you also clarify what the delegated permissions do? For example, if I am a Global Administrator in the directory, does that delegate those same permissions to the Service Principal?
@SumiranAgg I added the following permissions: Read/Write Directory Data to the Windows Azure AD API. This still didn't grant the Service Principal access to read AD data. I will have a chat with my IT team and see if they're happy to grant the delegated permissions/all other permissions although I imagine they will shout at me 😄.
@Jaffacakes82 Just for my understanding, did you add permissions to the app corresponding to the service principal used in the task? You can find your app by using the service principal ID in the search field for "App Registrations" in AAD.
@SumiranAgg Yes, I clicked 'Manage Service Principal' in the VSTS project settings for the appropriate subscription and added the permissions there.
@Jaffacakes82 I recreated the scenario and it worked with only the below permissions for me:
Please use this document for reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#configure-a-client-application-to-access-web-apis
Very strange, it still doesn't work for me. I have reverted to using a service account in our Azure AD to grant the key vault access as opposed to the VSTS service principal and this has resolved my issue.
@Jaffacakes82 Glad that you were able to resolve it.
Can this be re-opened please, as I am having the exact same issue and am not able to revert to key vault access to do what I am doing.
Same, still have this error though I gave the app permission the rights
Environment
Server - VSTS
Agent - Private
Issue Description
I have an Azure PowerShell task (Azure PowerShell script: InlineScript) that executes a very simple inline script: `Get-AzureRmADServicePrincipal -SearchString "<name-of-app>"`. The task results in an error stating: Insufficient privileges to complete the operation. I have granted the Service Principal used to connect to the Azure subscription from VSTS the following permission:
With no success. Are there other permissions that need adding to the Service Principal?
Error logs
Thanks in advance for your help.