I am trying to execute some Azure CLI commands, but it says "Insufficient privileges to complete the operation." When I checked my permissions in the Azure portal, I found that I have sufficient privileges to perform that action and am able to perform it through the portal, but I am not able to perform the same operation through "az cli".
Here is the screenshot of the list of roles assigned to me on the Azure portal.

Insufficient privileges to complete the operation.

[core@bastionNode ~]$ az ad app create --display-name vcanfdiskapp --debug
cli.knack.cli: Command arguments: ['ad', 'app', 'create', '--display-name', 'vcanfdiskapp', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f695d62cea0>, <function OutputProducer.on_global_arguments at 0x7f695d170f28>, <function CLIQuery.on_global_arguments at 0x7f695cf0b510>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.008 17 61
cli.azure.cli.core: Total (1) 0.008 17 61
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : ad app create
cli.azure.cli.core: Command table: ad app create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f695bea3510>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/core/.azure/commands/2023-10-09.19-10-34.ad_app_create.1619.log'.
az_command_data_logger: command args: ad app create --display-name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f695ba261e0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f695b9777b8>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f695b9778c8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f695d178048>, <function CLIQuery.handle_query_parameter at 0x7f695cf0b598>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f695b977840>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/core/.azure/service_principal_entries.json', encrypt=False
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/core/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/core/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Region to be used: None
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://graph.microsoft.com//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: b31b33a6-c281-4e5d-b929-7b4173324690
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications?$filter=startswith%28displayName%2C%27vcanfdiskapp%27%29'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.6.8 (Linux-3.10.0-1062.1.1.el7.x86_64-x86_64-with-redhat-7.7-Maipo) AZURECLI/2.38.1 (RPM)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '*/*'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': '2e65e15a-54c5-4214-9864-f9f6e5c138e6'
cli.azure.cli.core.util: 'CommandName': 'ad app create'
cli.azure.cli.core.util: 'ParameterSetName': '--display-name --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/applications?$filter=startswith%28displayName%2C%27vcanfdiskapp%27%29 HTTP/1.1" 403 None
cli.azure.cli.core.util: Response status: 403
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': '1380e3c2-9ee9-4448-9fd2-2f92dba11242'
cli.azure.cli.core.util: 'client-request-id': '1380e3c2-9ee9-4448-9fd2-2f92dba11242'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"1","ScaleUnit":"003","RoleInstance":"CO1PEPF00004A9A"}}'
cli.azure.cli.core.util: 'x-ms-resource-unit': '2'
cli.azure.cli.core.util: 'Date': 'Mon, 09 Oct 2023 19:10:34 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-10-09T19:10:34","request-id":"1380e3c2-9ee9-4448-9fd2-2f92dba11242","client-request-id":"1380e3c2-9ee9-4448-9fd2-2f92dba11242"}}}
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 53, in _send
body=body)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/util.py", line 991, in send_raw_request
raise HTTPError(reason, r)
azure.cli.core.azclierror.HTTPError: Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-10-09T19:10:34","request-id":"1380e3c2-9ee9-4448-9fd2-2f92dba11242","client-request-id":"1380e3c2-9ee9-4448-9fd2-2f92dba11242"}}})
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
result = cmd_copy(params)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
return self.handler(*args, **kwargs)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 617, in create_application
existing_apps = list_applications(cmd, client, display_name=display_name)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 753, in list_applications
result = client.application_list(filter=' and '.join(sub_filters) if sub_filters else None)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 86, in application_list
result = self._send("GET", "/applications" + _filter_to_query(filter))
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send
raise GraphError(ex.response.json()['error']['message'], ex.response) from ex
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Insufficient privileges to complete the operation.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.6/site-packages/knack/cli.py", line 231, in invoke
cmd_result = self.invocation.execute(args)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
raise ex
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 718, in _run_job
return cmd_copy.exception_handler(ex)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/commands.py", line 53, in graph_err_handler
raise CLIError(ex)
knack.util.CLIError: Insufficient privileges to complete the operation.
cli.azure.cli.core.azclierror: Insufficient privileges to complete the operation.
az_command_data_logger: Insufficient privileges to complete the operation.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f695bea3730>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 0.584 seconds (init: 0.181, invoke: 0.403)
cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/__main__.py", line 60, in <module>
raise ex
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/__main__.py", line 53, in <module>
sys.exit(exit_code)
SystemExit: 1
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/decorators.py", line 79, in _wrapped_func
return func(*args, **kwargs)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/telemetry.py", line 307, in set_custom_properties
actual_value = value() if hasattr(value, '__call__') else value
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/telemetry.py", line 183, in <lambda>
lambda: '{},{}'.format(locale.getdefaultlocale()[0], locale.getdefaultlocale()[1]))
File "/usr/lib64/python3.6/locale.py", line 562, in getdefaultlocale
return _parse_localename(localename)
File "/usr/lib64/python3.6/locale.py", line 490, in _parse_localename
raise ValueError('unknown locale: %s' % localename)
ValueError: unknown locale: UTF-8
telemetry.save: Save telemetry record of length 3058 in cache
telemetry.check: Returns Positive.
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3.6 /usr/lib64/az/lib/python3.6/site-packages/azure/cli/telemetry/__init__.py /home/core/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
On execution of the command below, it should create an app registration successfully.
[core@bastionNode ~]$ az --version
azure-cli 2.38.1 *
core 2.38.1 *
telemetry 1.0.6 *
Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1
Python location '/usr/bin/python3.6'
Extensions directory '/home/core/.azure/cliextensions'
Python (Linux) 3.6.8 (default, May 30 2023, 08:41:09)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
Legal docs and information: aka.ms/AzureCliLegal
You have 3 updates available. Consider updating your CLI installation with 'az upgrade'
Please let us know how we are doing: https://aka.ms/azureclihats
and let us know if you're interested in trying out our newest features: https://aka.ms/CLIUXstudy
[core@bastionNode ~]$
I am also trying to refer to the az cli doc to create an app registration, create a custom role and assign a custom role to it.
But I could not find any doc related to the above topics.
This link is not active: https://learn.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli. It shows a "404 - Page not found" error.
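Added example, not part of the original issue or of Azure CLI: a small Python parser that pulls out of `az --debug` output the credential class that requested the Graph token and the request that was refused, so the identity being authorized can be compared with the one whose roles were checked in the portal. The sample log is constructed in the shape of the lines above, and `summarize_denial` and `explain` are hypothetical helper names.

```python
import json
import re

# Constructed sample, shaped like the --debug lines quoted in the issue above.
SAMPLE_LOG = """\
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://graph.microsoft.com//.default',), kwargs={}
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications?$filter=startswith%28displayName%2C%27exampleapp%27%29'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Response status: 403
cli.azure.cli.core.util: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."}}
"""

# Field name -> pattern for the debug line that carries it (first match wins).
PATTERNS = {
    "credential": re.compile(r"msal_authentication: (\w+)\.get_token:"),
    "scope": re.compile(r"get_token: scopes=\('([^']+)'"),
    "method": re.compile(r"Request method: '([^']+)'"),
    "url": re.compile(r"Request URL: '([^']+)'"),
    "status": re.compile(r"Response status: (\d{3})"),
    "error": re.compile(r'core\.util: (\{"error":.*\})\s*$'),
}

def summarize_denial(log_text):
    """Collect who asked for the token and which request was refused."""
    found = {}
    for line in log_text.splitlines():
        for field, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and field not in found:
                found[field] = match.group(1)
    summary = {k: found.get(k) for k in ("credential", "scope", "method", "url")}
    summary["status"] = int(found["status"]) if "status" in found else None
    error = json.loads(found["error"])["error"] if "error" in found else {}
    summary["error_code"] = error.get("code")
    return summary

def explain(summary):
    """State which identity's directory permissions decided the outcome."""
    if summary["status"] != 403:
        return "no authorization denial in this log"
    if summary["credential"] == "ServicePrincipalCredential":
        return ("denied as a service principal: check the permissions granted "
                "to that application, not the portal user's roles")
    return f"denied for credential type {summary['credential']}: check that identity's directory roles"

print(explain(summarize_denial(SAMPLE_LOG)))
```

Run against a saved debug log by passing the file's text to `summarize_denial`; `az account show` reports the same identity under `user.type`.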