DevOps Azure CLI Task - Granting Admin Consent to App Registration throws error
I'm hoping that someone can shed some light on this because I'm a little bit stuck.
....
I have an Azure CLI task in a DevOps Release Pipeline.
This is running using a Service Principal which is a member of the Application Administrators group.
When I run the following command ...
az ad app permission admin-consent --id $(Variables.SharePointAppRegAppId)
I get an error message:
ERROR: Forbidden({"message":"Forbidden","httpStatusCode":"Forbidden","xMsServerRequestId":null,"clientData":{"errorCode":"MsaUserWithNoAccessToTenant","localizedErrorDetails":null,"operationResults":null,"timeStampUtc":"AAAAA","clientRequestId":"BBBBB","internalTransactionId":"CCCCC","tenantId":null,"userObjectId":"DDDDD","exceptionType":"Exception"},"stackTrace":null})
I initially thought that it might be permissions based - that maybe it doesn't have sufficient permissions to perform this task, but according to this Microsoft article (https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal#prerequisites)
To grant tenant-wide admin consent, you need:
- An Azure AD user account with one of the following roles:
- Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API.
- Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Azure AD Graph or Microsoft Graph app roles (application permissions).
- A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application.
Now - the error is otherwise saying "MsaUserWithNoAccessToTenant" but I'm already using this same Service Principal to actually create and deploy the entire environment using Pulumi - including creating and setting up new instances, and creating brand new AAD App registrations in the same tenant.
For reference - here is the YAML task definition
- task: AzureCLI@2
displayName: 'Grant Admin Consent to AAD App Registration'
inputs:
azureSubscription: 'appreg-infra'
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
az ad app permission admin-consent --id $(Variables.SharePointAppRegAppId)
I tried to reproduce the same in my environment and got below results:
I added DevOps service principal and one user account named Sri to Application Administrator Group like below:
In my case, I tried to grant admin consent to SharePoint permissions of below application via DevOps Azure CLI Task:
When I ran DevOps Azure CLI Task to grant admin consent, I got same error as you like below:
When I tried to run same commands by logging as service principal via CLI locally, I got same error like below:
az login --service-principal -u <spID> -p <clientsecret> --tenant <tenantID> --allow-no-subscriptions
az ad app permission admin-consent --id <SharePointAppID>
Response:
Note that, granting admin consent requires
Azure AD user accountwith one of the Administrator roles.
To resolve the issue, you need to sign in with user account having admin privileges instead of service principal.
Now, I signed in with Azure AD user account Sri which is a member of Application Administrator group by running below CLI commands and got response like this:
az login -u <username> -p <password> --tenant <tenantID> --allow-no-subscriptions
az ad app permission admin-consent --id <SharePointAppID>
Response:
To confirm that, I checked the same in Portal where admin consent is granted successfully in the application like below:
- Azure Pipeline: how to delete a variable inside Azure build pipeline
- Azure yaml trigger pipeline every 14 days on a Saturday
- How can I give a containerRegistry to a DevcontainersCi task in an Azure DevOps YAML Pipeline?
- How to assign organization-level permissions to create repositories across all projects in organization in Azure DevOps?
- Updating Node js on internal windows ADO build agent
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- DotNetCLI@2 pack seems to be ignoring configuration inputs
- Build a pipeline in AzureDevOps for Sql Server on prem to run sql scripts
- How to format Azure DevOps console Logs
- How to follow the entire wiki in Azure DevOps?
- Issue with Azure key vault and Azure storage account deployment
- Publishing external POM Package to Azure Artifacts Feed Error
- lionbridge-connector on Azure Artifacts gives Dependency Error
- How to allow an empty string for a runtime parameter?
- Azure - RBAC to Management Group
- Python (Dash) web app deployment on Azure with pipeline running too long with message Building wheel for pandas still running. How to optimize?
- No 'Import a pipeline' button in Azure DevOps
- ASP.NET Azure Web App Pipeline: No package found with specified pattern: D:\a\1\s\**\*.zip
- Error when creating a pipeline. "You don’t appear to have an active Azure subscription."
- ADO YAML Pipelines | How to get secret variable from a variable group based on the value of another variable
- Azure Devops - Get release definitions by agent pool ID
- Azure Pipelines using YAML for multiple environments (stages) with different variable values but no YAML duplication
- How to specify which version of nuget.exe to use with self-hosted agent in Azure DevOps?
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- Azure DevOps - JFrogNuget Error - Error occurred while executing task: Error: Command failed
- Access Azure DevOps Pipeline Artifacts from different organization
- Initiate Azure DevOps Release Pipeline from Logic App and Retrieve Environment Variable Output from the pipeline
- Is it necessary to switch from the Hosted XML to the Inheritance Process Model after a migration
- Why is Azure Pipelines installing the wrong .NET SDK version (according to global.json)
- Azure pipeline does't allow to git push throwing 'GenericContribute' permission is needed