Describe the bug
Given Service Principal 1
And Service Principal 2
And Service Principal 2 is an Owner of Service Principal 1 (and its corresponding Application Registration)
When using Service Principal 2 to delete Service Principal 1 with az ad sp delete
Then Service Principal 1 should be deleted
But what happens is that we get: ERROR: Insufficient privileges to complete the operation.
This does not happen with Azure PowerShell (AzAd commandlets), which works as expected.
I suspect that this is to do with the deprecation of the AAD Graph API. I don't have access to Fiddler etc.; I'd otherwise check which API the CLI calls were going out to.
To Reproduce
Azure DevOps YAML Pipeline - the PowerShell steps work; the AzCLI delete does not (and fails on rerun when the CLI does not have permission to patch the SP/AppReg objects - same issue).
The ServicePrincipalManager service connection has
- an assignment to Application Developer in AAD, and
- granted permission to Application.ReadWrite.OwnedBy in Microsoft Graph
- (and Reader on a Subscription to allow the Service Connection to verify in Azure DevOps)
```yaml
pool:
  vmImage: ubuntu-latest
steps:
- task: AzurePowerShell@5
  displayName: Create AppReg+Service Principal with AzAD PowerShell
  inputs:
    azureSubscription: 'Service Principal Manager'
    ScriptType: 'InlineScript'
    Inline: 'New-AzADServicePrincipal -DisplayName aadapp_apda_spmfix3'
    azurePowerShellVersion: 'LatestVersion'
- task: AzurePowerShell@5
  displayName: Get Service Principal with AzAd, Remove it with AzAd
  inputs:
    azureSubscription: 'Service Principal Manager'
    ScriptType: 'InlineScript'
    Inline: |
      $ServicePrincipal = Get-AzAdServicePrincipal -DisplayName aadapp_apda_spmfix3
      Write-Host $ServicePrincipal
      $ServicePrincipalId = $ServicePrincipal.id
      Write-Host $ServicePrincipalId
      Remove-AzADServicePrincipal -ObjectId $ServicePrincipalId
    azurePowerShellVersion: 'LatestVersion'
# ⬇ Works for create, but not update/delete
- task: AzureCLI@2
  displayName: Create or Patch Service Principal with Azure CLI
  inputs:
    azureSubscription: 'Service Principal Manager'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: 'az ad sp create-for-rbac --name aadapp_apda_spmfix1 --skip-assignment true'
- task: AzureCLI@2
  displayName: Delete Service Principal with CLI
  inputs:
    azureSubscription: 'Service Principal Manager'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $fix1ObjectId = az ad sp list --display-name aadapp_apda_spmfix1 --query [].objectId --output tsv
      Write-Host "Object Id is $($fix1ObjectId)"
      Write-Host "Attempting to delete Service Principal"
      az ad sp delete --id $fix1ObjectId
```
Expected behavior
Service Principal 2 (an Owner of Service Principal 1) should be able to delete Service Principal 1.
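The precondition this report hinges on is that the calling identity is recorded as an owner of both the service principal and its application registration, because Application.ReadWrite.OwnedBy only covers objects the caller owns. The following script is an added diagnostic example, not part of the original issue or of the Azure CLI, that reads the owner lists of both objects straight from Microsoft Graph (so it does not depend on whichever API the CLI happens to call) and classifies the caller. It assumes a Graph bearer token in the `GRAPH_TOKEN` environment variable, the two object ids in `SP_OBJECT_ID` and `APP_OBJECT_ID`, and the caller's own object id in `CALLER_OBJECT_ID`; the `SAMPLE_*` responses and ids are constructed for offline use. It only reads; it does not issue the delete.

```python
"""Check, via Microsoft Graph, whether a caller owns a service principal and
its application registration before relying on Application.ReadWrite.OwnedBy.
Added example; assumes the GRAPH_TOKEN / *_OBJECT_ID environment variables."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def owner_ids(owners_response):
    """Object ids listed in a Graph `.../owners` response (its `value` array)."""
    return {entry["id"] for entry in owners_response.get("value", [])}


def diagnose_ownership(caller_id, sp_owners, app_owners):
    """Classify the caller against the owner lists of the SP and of its app.

    A missing owner link on either object is the first thing to rule out when
    an OwnedBy-scoped identity gets 'Insufficient privileges'."""
    owns_sp = caller_id in owner_ids(sp_owners)
    owns_app = caller_id in owner_ids(app_owners)
    if owns_sp and owns_app:
        return "owner-of-both"
    if owns_sp:
        return "owner-of-sp-only"
    if owns_app:
        return "owner-of-app-only"
    return "not-an-owner"


def owners_urls(sp_object_id, app_object_id):
    """Graph endpoints listing the owners of the SP and of the application."""
    return (
        f"{GRAPH}/servicePrincipals/{sp_object_id}/owners",
        f"{GRAPH}/applications/{app_object_id}/owners",
    )


def graph_get(token, url):
    """Authenticated GET against Microsoft Graph, returning the parsed JSON."""
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


# Constructed sample data: the caller is an owner of the SP but not of the app,
# which is exactly the shape that produces an OwnedBy permission failure.
SAMPLE_CALLER = "11111111-1111-1111-1111-111111111111"
SAMPLE_SP_OWNERS = {
    "value": [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": SAMPLE_CALLER}]
}
SAMPLE_APP_OWNERS = {"value": []}


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        sp_url, app_url = owners_urls(os.environ["SP_OBJECT_ID"], os.environ["APP_OBJECT_ID"])
        verdict = diagnose_ownership(
            os.environ["CALLER_OBJECT_ID"], graph_get(token, sp_url), graph_get(token, app_url)
        )
    else:
        verdict = diagnose_ownership(SAMPLE_CALLER, SAMPLE_SP_OWNERS, SAMPLE_APP_OWNERS)
    print(f"caller ownership: {verdict}")
```

Against a live tenant, a token for the variables above can be obtained from the same logged-in CLI session with `az account get-access-token --resource-type ms-graph`; if the verdict is anything other than `owner-of-both`, the failure is an ownership or permission gap rather than the CLI's API choice.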
Environment summary
Tested in Azure DevOps pipeline.
Additional context