I am trying to follow: Set up and manage access tokens for Teams users. In Step 5, I am running into the issue, exactly the one the author foresaw, and the author also described the solution for the issue in case it happens:
Issue the author foresaw and described in Step 5:
If you run into the issue "The app is trying to access a service '1fd5118e-2576-4263-8130-9503064c837a' (Azure Communication Services) that your organization '{GUID}' lacks a service principal for..."
Solution the author described in Step 5 in case the issue above occurs (note the GUID is fixed, meaning it belongs to Azure Communication Services, so it is not mine or custom):
PS> Connect-MgGraph -TenantId "my tenant guid" -Scopes Application.ReadWrite.All
PS> New-MgServicePrincipal -AppId "1fd5118e-2576-4263-8130-9503064c837a"
I am executing this proposed solution in my Azure Cloud Shell. The Graph authentication succeeds, but New-MgServicePrincipal gives 403 (Forbidden):
New-MgServicePrincipal_CreateExpanded: Insufficient privileges to complete the operation.
Status: 403 (Forbidden) ErrorCode: Authorization_RequestDenied Date: 2024-05-03T07:32:18
Headers: Cache-Control : no-cache Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : 7----8 client-request-id : b---4 x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"009","RoleInstance":"D*3"}} x-ms-resource-unit : 1 Date : Fri, 03 May 2024 07:32:17 GM
Either the 403 Forbidden error message is misleading and something else is wrong, or, in case I really don't have sufficient privileges, then what are they?
Any idea? From this point it is really hopeless to google (btw I tried it, but the most I can find is the solution the author described).
I assigned the Owner role to the user like below:
Assigned the Cloud Application Administrator role as Eligible:
Now when I tried to create the service principal, I got the same error as below:
Connect-MgGraph -Scopes Application.ReadWrite.All
New-MgServicePrincipal -AppId "AppID"
Hence, to resolve the error, I assigned an Active Cloud Application Administrator role to the user:
Now I am able to create the service principal successfully:
Assign the Global Administrator role to make the role changes, or if the issue still persists, assign the Application Developer role to the user as suggested by @user2250152.
Only the Application Administrator, Cloud Application Administrator, or Application Developer role is required to create a service principal.
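As an added example (not code from the question, the answer, or the Microsoft docs the question follows), here is an idempotent form of the Step 5 fix: it checks which of the directory roles named in the answer the signed-in account actually holds as an active assignment, then creates the Azure Communication Services service principal only if it is not already present. The cmdlets are from the Microsoft.Graph PowerShell SDK; the `Directory.Read.All` scope, the `$TenantId` placeholder, and the role-check logic are this example's assumptions.

```powershell
# Added example: role check plus idempotent service principal creation.
# Cmdlets are from the Microsoft.Graph SDK; scope list and role check are assumptions.

$AcsAppId = "1fd5118e-2576-4263-8130-9503064c837a"   # first-party ACS app id from the question
$TenantId = "<your tenant guid>"                      # placeholder, replace with your tenant

# Roles the answer says are sufficient; Global Administrator is listed only as the
# broadest fallback, it is far more privilege than this task needs.
$SufficientRoles = @(
    "Application Administrator",
    "Cloud Application Administrator",
    "Application Developer",
    "Global Administrator"
)

# Directory.Read.All is assumed here so the script can read the caller's role memberships.
Connect-MgGraph -TenantId $TenantId -Scopes "Application.ReadWrite.All","Directory.Read.All"
$ctx = Get-MgContext

# Collect the *active* directory roles of the signed-in user. A PIM "Eligible"
# assignment does not appear here until it is activated, which is exactly why the
# answer's first attempt still returned 403.
$activeRoles = Get-MgUserMemberOf -UserId $ctx.Account -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

$matched = $activeRoles | Where-Object { $SufficientRoles -contains $_ }
if (-not $matched) {
    Write-Warning "No active role from [$($SufficientRoles -join ', ')] found for $($ctx.Account)."
    Write-Warning "Active roles: $($activeRoles -join ', '). Activate an eligible assignment or request one before retrying."
}

# Look up by appId so a re-run does not try to create a duplicate.
$existing = Get-MgServicePrincipal -Filter "appId eq '$AcsAppId'"
if ($existing) {
    Write-Host "Service principal already exists: $($existing.Id) ($($existing.DisplayName))"
} else {
    try {
        $sp = New-MgServicePrincipal -AppId $AcsAppId
        Write-Host "Created service principal $($sp.Id) for $($sp.DisplayName)"
    } catch {
        # A 403 Authorization_RequestDenied here means the token lacks the directory
        # role, not the Graph scope: consenting to Application.ReadWrite.All is not enough.
        Write-Error "New-MgServicePrincipal failed: $($_.Exception.Message)"
    }
}
```

The role warning is informational only; the attempt still runs, so the 403 in the question reproduces when no active role is present and succeeds once one of the listed roles is activated.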