Service Principals I create are not being created as mine
I've executed the code below to create a service principal and then list all of my service principals. However, the service principal I just created is not listed.
When I ran those CLI commands in my environment, I too got same response like this:
az ad sp create-for-rbac
az ad sp list --show-mine
Response:
This happens if the signed-in user has Admin roles like Global Administrator of the tenant, that won't be added as Owner of newly created service principal which can be checked here in Enterprise applications:
But when I ran the same commands by signing in with new user account not having Global Administrator access, got response successfully like this:
az ad sp create-for-rbac
az ad sp list --show-mine
Response:
In such cases where you are logging with Admin accounts, you can make use of below bash script that adds signed-in user as Owner of newly created service principal explicitly:
sp_create=$(az ad sp create-for-rbac)
echo "Output of 'az ad sp create-for-rbac':"
echo "$sp_create"
appId=$(echo $sp_create | jq -r '.appId')
# Retrieve the objectId of the service principal
spObjectId=$(az ad sp show --id $appId --query id --output tsv)
echo "Service Principal Object ID: $spObjectId"
# Get the objectId for the signed-in user
ownerObjectId=$(az ad signed-in-user show --query id -o tsv)
echo "Owner Object ID: $ownerObjectId"
# Add the signed-in user as an owner to the service principal
add_owner_response=$(az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$spObjectId/owners/\$ref -b "{\"@odata.id\": \"https://graph.microsoft.com/beta/directoryObjects/$ownerObjectId\"}")
echo "Owner added successfully to the service principal."
Response:
To confirm that, I checked the same in Portal where signed-in user is added as Owner of service principal like this:
When I ran the same command now to list applications owned by signed-in user having Admin access, I got response with expected results:
az ad sp list --show-mine
Response:
Reference: Overview of enterprise application ownership - Microsoft Entra ID
- Implementing SSO for Azure AD B2C
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- "error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
- Azure AD client credentials generated token does not have claims (EDITED)
- Calling an ASP.NET Core Web API integrated to EntraId app from another .NET Core console app integrated to EntraId app fails
- Correlation failed in net.core / asp.net identity / openid connect
- Generating token for Fabric Rest api using client secret
- How do I display Job Title in my Next Auth app
- EntraId Authentication / Authorization via .NET & React
- Azure Function app down due to wrong routing template in http trigger binding of a functions
- How can I force trigger MFA, when logging into Azure?
- Azured AD JWT authentication doesn't work for Web API hosted in docker using TestContainer
- azp Claim Missing from Azure AD JWT
- Retrieve all Users from all Groups?
- Cannot get AAD auth token in Logic Apps
- Attempting to set DisableCustomAppAuthentication to false for Azure not working from Powershell
- Using Azure Entra Id I cant see `Office 365 Exchange Online` under `APIs my organization uses`
- New tenant b2clogin URL returns error with "removed or changed"
- Azure Entra ID tokens endpoint issues an expired token
- Azure AD B2C password expiration
- Trouble when creating PowerBI report via JavaScript Client Library
- Azure Active Directory Enterprise App OpenID and User Provisioning (SCIM)
- How to select specific app registration based on tenant ID in ASP.NET Core MVC with Microsoft Identity Platform?
- Airflow ERROR - Error authorizing OAuth access token: Invalid JSON Web Key Set. [The request to sign in was denied.]
- Systematic Way to Identify Through Azure UI Required "App Registration" API Permission
- How does Delegated OnlineMeetingRecording.Read.All work?
- How to enable SAML as authentication provider in MS Entra?
- Get domain\username from microsoft graph
- Unable to Add User to Resource Group: Authorization_RequestDenied Error
- Login with Microsoft External Account -Issue when the user cancels the consent prompt during authentication