
Azure Communication Service - "The app is trying to access a service '1fd5118e-2576-4263-8130-9503064c837a" error., then known solution does not work

I am trying to follow to follow: Set up and manage access tokens for Teams users In Step 5, I running into the issue, exactly what the author foreseen, and the author also described the the solution for the issue in case it happens:

Issue what the author foreseen and described in Step 5:

If you run into the issue "The app is trying to access a service '1fd5118e-2576-4263-8130-9503064c837a'(Azure Communication Services) that your organization '{GUID}' lacks a service principal for....

Solution what the author described in Step 5 in the case if the issue above occurs: (note the guid is fixed, means it belongs to Azure Communication Services, so not mine, or custom)

PS> Connect-MgGraph -TenantId "my tenant guid" -Scopes Application.ReadWrite.All
PS> New-MgServicePrincipal -AppId "1fd5118e-2576-4263-8130-9503064c837a"

I am executing this proposed solution in my Azure Cloud Shell. The graph autentication is success, but New-MgServicePrincipal gives 403 (Forbidden):

New-MgServicePrincipal_CreateExpanded: Insufficient privileges to complete the operation.

Status: 403 (Forbidden) ErrorCode: Authorization_RequestDenied Date: 2024-05-03T07:32:18

Headers: Cache-Control : no-cache Vary
: Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : 7----8 client-request-id : b---4 x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"009","RoleInstance":"D*3"}} x-ms-resource-unit : 1 Date : Fri, 03 May 2024 07:32:17 GM

Either the 403 Forbidden error message is misleading and something else is wrong, or in case I really has no sufficient privileges, then what it is?

Any idea, from this point it is really hopeless to googling (btw I tried it, but the max I can find, is the solution what the author was described)


  • I assigned owner role to the user like below:

    enter image description here

    Assigned Cloud Application Administrator role as Eligible:

    enter image description here

    Now when I tried to create the Service Principal, I got the same error as below:

    Connect-MgGraph -Scopes Application.ReadWrite.All
    New-MgServicePrincipal -AppId "AppID"

    enter image description here

    Hence to resolve the error, I assigned an Active Cloud Application Administrator role to the user:

    enter image description here

    enter image description here

    Now I am able to create the Service Principal successfully:

    enter image description here

    Assign Global Administrator role to make the role changes or If still the issue persists, assign Application Developer role to the user as suggested by @user2250152

    And only Application Administrator or Cloud Application Administrator or Application Developer role is required to create Service principal.