swift-hamburger-98290
12/22/2020, 4:45 PM
insufficient privileges issue on Azure when trying to create/change an Azure Active Directory Application, deploying using pulumi's DevOps task. I have the following:
task: Pulumi@1
inputs:
  azureSubscription: <azure-resource-manager>
  ...
env:
  PULUMI_ACCESS_TOKEN: $(pulumi.access.token)
And on AAD I added the following API permissions, with type Application (not Delegated):
Application.Read.All
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
Directory.Read.All
Directory.ReadWrite.All
Error:
* updating urn:pulumi:test::<>::azuread:index/application:Application::<>: patching Application with ID "<id>": graphrbac.ApplicationsClient#Patch: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-12-22T15:28:11","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<>"}}]
What am I missing?
cool-fireman-90027
12/22/2020, 4:48 PM
swift-hamburger-98290
12/22/2020, 4:53 PM
pulumi up just fine locally, and everything works. The problem is when I run it on the pipeline (Azure DevOps) with a service connection (Azure Resource Manager), to which I gave the permissions I wrote in the original post.
Azure Active Directory Graph, which Azure marked as legacy but are still required for the time being apparently.