Rene-2249 asked

Question about service principal and AD security

A short explanation of the situation: A company has an Azure tenant with Active Directory integration. The AD is maintained by system administrators. An Azure dev/test subscription is created for development engineers to deploy workloads. The engineers have the Owner role on the subscription.

When creating certain workloads or Azure DevOps service connections, service principals can be created automatically to allow certain tasks, for example pulling an image from an Azure registry by workload X. This can be initiated from the Azure portal or from Azure DevOps.

The problem occurs when, for example, a service connection in Azure DevOps is being created by an owner of the subscription who is not a system administrator. The error reported that the user doesn't have the permission to set up the service principal.

In the case of this company, another department is involved, which means days of delay. Is it possible to set up an Azure subscription with AD integration where subscription owners who are not system administrators can create service principals?

azure-active-directory

1 Answer

RahulMetangale-9479 answered

Hi @Rene-2249 ,

Unfortunately it is not possible for a subscription owner to create applications within Azure AD. A user belonging to the Application Administrator role can create service principals. But in this case the user will have more access than they need.

Thanks,
Rahul Metangale
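An added example, not part of the original question or answer: an Azure CLI script a practitioner could hand to whoever does hold the directory permission (the answer names the Application Administrator role) so that the service principal it creates for the "pull an image from a registry" case gets only AcrPull on that one registry, rather than whatever broad role an ad-hoc creation might pick. Before creating anything it reads the tenant's authorizationPolicy from Microsoft Graph, whose defaultUserRolePermissions.allowedToCreateApps property is the "Users can register applications" tenant setting, so the engineer can see whether the tenant blocks member app registration at all. The registry name, service principal name and the GUID in the test scope are placeholders I chose; `az` must be installed and logged in for the live path.

```shell
#!/usr/bin/env sh
# Constructed example (not from the original Q&A). Creates a service principal
# that can only pull from one Azure Container Registry, after reporting whether
# the tenant lets ordinary members register applications.
# Assumes the Azure CLI (az) is installed and `az login` has been run.
# ACR_NAME and SP_NAME are placeholders, not values from the original thread.
set -eu

ACR_NAME="${ACR_NAME:-myregistry}"            # assumption: registry name
SP_NAME="${SP_NAME:-sp-workload-x-acrpull}"   # assumption: SP display name

# Returns 0 only when the scope is a single registry resource ID, so the role
# assignment cannot silently land at resource-group or subscription level.
acr_scope_is_single_registry() {
    printf '%s\n' "$1" | grep -Eq \
      '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.ContainerRegistry/registries/[^/]+$'
}

# Turns the Graph property value into a verdict the engineer can act on.
# "true"  -> any member may create app registrations (and thus service principals)
# "false" -> only users holding a directory role that grants it may do so
describe_app_registration_policy() {
    case "$1" in
        true)  printf 'tenant allows members to register applications\n' ;;
        false) printf 'tenant blocks member app registration; a directory role such as Application Administrator is required\n' ;;
        *)     printf 'unexpected policy value: %s\n' "$1"; return 1 ;;
    esac
}

live_run() {
    # policies/authorizationPolicy carries the "Users can register applications" switch.
    allowed=$(az rest --method get \
        --url "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" \
        --query "defaultUserRolePermissions.allowedToCreateApps" -o tsv)
    describe_app_registration_policy "$allowed"

    acr_id=$(az acr show --name "$ACR_NAME" --query id -o tsv)
    acr_scope_is_single_registry "$acr_id" || {
        echo "refusing to assign a role on a non-registry scope: $acr_id" >&2
        exit 1
    }

    # AcrPull on the registry only: the SP can pull images and nothing else.
    # The JSON output contains the client secret; route it to a secret store, not a log.
    az ad sp create-for-rbac --name "$SP_NAME" --role AcrPull --scopes "$acr_id" -o json

    # Verify what was actually granted and where.
    app_id=$(az ad sp list --display-name "$SP_NAME" --query "[0].appId" -o tsv)
    az role assignment list --assignee "$app_id" --scope "$acr_id" \
        --query "[].{role:roleDefinitionName,scope:scope}" -o table
}

# Only talk to Azure when explicitly asked; the helper functions above work
# without credentials.
if [ "${1:-}" = "--live" ]; then
    live_run
fi
```

Run it as `ACR_NAME=<registry> ./create-acrpull-sp.sh --live` from an account that is allowed to register applications. If the policy line reports that the tenant blocks member app registration, the script still needs to be run by a holder of an appropriate directory role; the scope guard then ensures that whoever runs it does not hand the workload more than AcrPull on the one registry.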
