This is not strictly related to Pulumi (I think), but maybe someone can point me in the right direction. I'm trying to create a service principal (as part of a CI/CD pipeline) and this is run using a non-owner service principal (it has the Contributor and User Access Administrator roles assigned), but I'm getting a permission error. Any ideas?

azuread:index:Application (aks-app):

error: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-06-03T11:41:37","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"97f0f1cd-7a27-4838-b226-534ce6003e08"}}]

You need the Application Administrator role on the non-owner service principal that is doing the CI/CD.

Thanks a lot. Unfortunately, this is getting confusing, so I'll have to do more reading. It seems that role isn't available for Applications, but only for Users. I'll have to clear up my confusion around this Service Principal concept before asking further questions.

I haven't tried to make any adjustments to a Service Principal as I am not doing CI/CD yet. You can give an application (service princpal) the permissions it needs.

Thanks, Dave. I've managed to get it working by adding permissions in that API permissions blade.