I'm researching Azure and wanted to use a Service Principal when logging in through Azure CLI instead of authenticating through the web login method. I created a Service Principal with az ad sp create-for-rbac with the scope on the root of my subscription and role 'Owner'. I can succesfully login using the Service Principal but when I try to do az ad sp list, I get the error that I don't have enough privileges:
azure.graphrbac.models.graph_error.GraphErrorException: Insufficient privileges to complete the operation.
When I look at the Access control (IAM) tab in my subscription blade in the portal, I can see the Service Principal is Owner, and my own account is both Owner and Service administrator.
Is there a way to give the Service Principal exactly the same rights as my own account has?
Best Answer
Apparently giving an SP the 'Owner' role is not enough. You have the give it the 'Directory Readers' role. This is not possible using the Azure CLI or Portal though. You have to use the Azure AD Graph API, easiest way to do this is using https://graphexplorer.azurewebsites.net/.
Second caveat is, you can't use the graphexplorer site using your own Azure account (in my case I had a simple personal Azure setup with only myself as admin), but you have to create a user in your Azure AD. I gave it the Global Administrator role just to be sure, I'm not certain what the minimum role would be to be able to use the Graph API.
Now, the steps to add give the SP the Directory Readers role are a bit long to explain here, I found them here: https://lnx.azurewebsites.net/directory-roles-for-azure-ad-service-principal/
Not sure why this needs to be so convoluted and why this is not to be found in the documentation.