I am running into an

insufficient privileges

issue on Azure when trying to create/change an Azure Active Directory Application, deploying using pulumi's DevOps task. I have the following:

task: Pulumi@1
inputs:
  azureSubscription: <azure-resource-manager>
  ... 
env:
  PULUMI_ACCESS_TOKEN: $(pulumi.access.token)

And on AAD I added the following

API permissions

, with type Application (not Delegated):

Application.Read.All
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
Directory.Read.All
Directory.ReadWrite.All

Error:

* updating urn:pulumi:test::<>::azuread:index/application:Application::<>: patching Application with ID "<id>": graphrbac.ApplicationsClient#Patch: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-12-22T15:28:11","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<>"}}]

What I am missing?

Does this help: https://stackoverflow.com/questions/58104257/failed-to-create-an-app-in-azure-active-directory-insufficient-privileges

Hmm I don't think so. I can do

pulumi up

just fine locally, and everything works. The problem is when I run it on the pipeline (Azure DevOps) with a service connection (azure resource manager), to which I gave the permissions I wrote on the original post.