
Forbidden errors when trying to update a Managed Identity SPN #77020

Closed
baswijdenes opened this issue Jun 16, 2021 · 4 comments

Comments


baswijdenes commented Jun 16, 2021

I read this issue and I have the same:
#22700

I cannot update an SPN created for Managed Identities because I'm not the owner, but unfortunately I cannot add an owner even when I'm Global Admin. I created a separate app registration and tried it with application permissions but that doesn't work either.

Module:
I’m using AzureAd module version 2.0.2.135

Add-AzureADServicePrincipalOwner : Error occurred while executing AddServicePrincipalOwner
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 74ea1d43-4be1-48a9-bb66-ad7a5490c610
DateTimeStamp: Wed, 16 Jun 2021 09:23:18 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed

Post request (with Optimized.Mga module version 0.0.2.1)

```powershell
# Body of the "add owner" request; $ObjectID is the directory object to add as owner
$JSON = [PSCustomObject]@{
    "@odata.id" = $ObjectID
} | ConvertTo-Json

# $Ap.Id is the object ID of the service principal being updated
$PostUri = 'https://graph.microsoft.com/beta/servicePrincipals/{0}/owners/$ref' -f $Ap.Id

Post-Mga -URL $PostUri -InputObject $JSON
```
The remote server returned an error: (403) Forbidden.
At C:\Users\BasWijdenes\OneDrive\Documents\WindowsPowerShell\Modules\Optimized.Mga\0.0.2.1\Optimized.Mga.psm1:380 char:17
+                 throw $_.Exception.Message
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (The remote serv...403) Forbidden.:String) [], RuntimeException
    + FullyQualifiedErrorId : The remote server returned an error: (403) Forbidden.

Edited: Added doc metadata

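The request above, rewritten as an added example that is not the reporter's code or Microsoft's. It uses plain Invoke-RestMethod against the v1.0 endpoint so the Graph error body (code, message, request-id) is shown instead of only "403 Forbidden", and it checks two things the original script did not before writing: which permissions the bearer token actually carries (the scopes and app roles the Graph "Add owner" documentation lists for service principals) and what servicePrincipalType the target has. It assumes $Token is a Graph bearer token obtained elsewhere (MSAL, Connect-MgGraph, or similar); $SpId and $OwnerId are hypothetical object IDs.

```powershell
param(
    [Parameter(Mandatory)][string]$Token,    # bearer token for https://graph.microsoft.com (obtained elsewhere)
    [Parameter(Mandatory)][string]$SpId,     # hypothetical objectId of the service principal to update
    [Parameter(Mandatory)][string]$OwnerId   # hypothetical objectId of the user or SP to add as owner
)

$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

# 1. Decode the JWT payload for inspection only (no signature validation is done here).
function Get-JwtPayload([string]$Jwt) {
    $part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $pad  = $part.Length % 4
    if ($pad) { $part += '=' * (4 - $pad) }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part))
    return $json | ConvertFrom-Json
}

$claims  = Get-JwtPayload $Token
$granted = @($claims.scp -split ' ') + @($claims.roles)   # delegated scopes (scp) plus application roles (roles)
$needed  = 'Application.ReadWrite.All', 'Application.ReadWrite.OwnedBy', 'Directory.ReadWrite.All'
if (-not ($granted | Where-Object { $needed -contains $_ })) {
    Write-Warning "Token carries none of: $($needed -join ', '). Expect Authorization_RequestDenied."
}

# 2. Read the target first: the type tells you whether it is an app-backed SP or a managed identity.
$sp = Invoke-RestMethod -Method Get -Headers $Headers `
    -Uri "$Graph/servicePrincipals/${SpId}?`$select=id,displayName,servicePrincipalType"
'{0} ({1}) servicePrincipalType={2}' -f $sp.displayName, $sp.id, $sp.servicePrincipalType

# 3. Add the owner. Graph expects @odata.id to be a directoryObjects URL, not a bare GUID.
$Body = @{ '@odata.id' = "$Graph/directoryObjects/$OwnerId" } | ConvertTo-Json
try {
    Invoke-RestMethod -Method Post -Headers $Headers -Body $Body `
        -Uri "$Graph/servicePrincipals/$SpId/owners/`$ref"
    "Owner $OwnerId added to service principal $SpId"
}
catch {
    # Surface the Graph error document. PowerShell 7 fills ErrorDetails; Windows PowerShell 5.1
    # needs the response stream read by hand.
    $detail = $_.ErrorDetails.Message
    if (-not $detail -and $_.Exception.Response) {
        $reader = [IO.StreamReader]::new($_.Exception.Response.GetResponseStream())
        $detail = $reader.ReadToEnd()
    }
    $status = [int]$_.Exception.Response.StatusCode
    Write-Error "Graph returned HTTP $status`n$detail"
}
```

Run it as `.\Add-SpOwner.ps1 -Token $Token -SpId <sp-objectId> -OwnerId <owner-objectId>`. The error body is what to attach to a support request: its `code` (for example `Authorization_RequestDenied`) and `request-id`/`date` fields are what the Graph team uses to trace a denied call, and the warning from step 1 separates "the token never had the permission" from "the token has it and the directory still refused".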

@AjayKumar-MSFT (Contributor)

@baswijdenes, Thanks for the feedback! We are taking a look into this and will get back to you soon.

@shashishailaj (Member)

@baswijdenes We are checking on this internally and will update the thread.


baswijdenes commented Jun 23, 2021

> @baswijdenes We are checking on this internally and will update the thread.

Can Microsoft make me an owner of the application* for now? So I can continue with my work

@shashishailaj (Member)

@baswijdenes We apologize we have not been able to solve your issue in a timely manner. We are not able to change any customer's data directly from the backend, hence we would not have been able to help you with your request of making you owner of the application. We would like to understand this problem at a deeper level and take this offline to help you further. If you are still facing this issue, please send an email to azcommunity [at] microsoft [dot] com with your Azure subscription ID referencing this thread with a subject line "ATTN:shashi" and I will help you further on this. We will help you with an alternate support option on this issue.

Thank you.
