I try to create a Azure AD Subscription via Azure CLI in Azure Pipeline with following command:
- task: AzureCLI@2
inputs:
azureSubscription: 'SubscriptionName'
scriptType: 'ps'
scriptLocation: 'inlineScript'
inlineScript: |
$appName = "myApp$(randomString)"
# Create the app registration and get the appId
$app = az ad app create --display-name $appName --query "appId" -o tsv
But after:
C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account set --subscription XXXXXXX"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\azureclitaskscriptXXXXX.ps1'"
I get following error: Insufficient privileges
The Pipeline has ARM privileges.
You are using Powershell [ps] as a Script type and running Azure CLI bash command which is causing this error, Use below YAML script with Script Type set to bash. And in your Azure Service Connection > Use Service Connection with Application Administrator or Global Administrator or Privileged Administrator role assigned at the Azure AD level. Refer below:-
My YAML script:-
scriptType is set to bash with azureSubscription with correct role assigned at Azure Ad level.
Output:-
My PowershellSid > Service connection in Azure DevOps below:-
The Service Principal used to create above Service connection in Azure DevOps has below Azure AD role assigned:-
Reference Azure Ad roles:-
Microsoft Entra built-in roles | Microsoft Learn