Unable to create AD App ServicePrincipal

I’m unable to use the “create-sp-azure” container to create the AD App ServicePrincipal - we want to try our application out using Docker CE for Azure, rather than our current manual method of creating our Docker containers on Centos VMs within Azure.

I run the following command:

docker run -ti --rm=true docker4x/create-sp-azure docker-azure-sandpit-sg docker-azure-sandpit uksouth

with the following output:

info: Executing command login
info: To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code XXXXXX to authenticate.
info: Added subscription YYYY
info: Setting subscription "YYYY" as default
info: login command OK
The following subscriptions were retrieved from your Azure account

  1. XXXXX:XXXXX
Please select the subscription option number to use for Docker swarm resources: 1
Using subscription XXXXX
info: Executing command account set
info: Setting subscription to "XXXXX" with id "XXXXX".
info: Changes saved
info: account set command OK
Creating AD application docker-azure-sandpit-sg
Created AD application, APP_ID=28d85964-aaff-4a71-9318-a93c9bbf36fb
Creating AD App ServicePrincipal
error: {"odata.error":{"code":"Request_ResourceNotFound","message":{"lang":"en","value":"Resource 'ServicePrincipal_ede3d1d0-74ae-4703-91f1-c42f9cde5bf3' does not exist or one of its queried reference-property objects are not present."}}}
error: Error information has been recorded to /root/.azure/azure.err
error: ad sp create command failed

Created ServicePrincipal ID=
Cannot create service principal or determine its object id.

What am I doing wrong?

The docs have resources for troubleshooting this and if you can’t get the script to work, you can create the service principal manually: https://docs.docker.com/docker-for-azure/#service-principal

Thanks.

Deleting the resource group and starting the whole process again got me a little further, but now I’m hitting a permissions issue. Our Azure Administrator has assured me I’m a global administrator on our Azure account, but I’m still getting this error:

error: The client 'richard.xxxxxx@xxxxx' with object id 'de9bb642-51e9-4f79-a6ad-1bbff50cea50' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxxxxxxxxxx/resourcegroups/docker-azure-sandpit/providers/Microsoft.Authorization/roleAssignments/dffaf9b0-5dda-43db-9a76-85a80dd56bde'.
error: Error information has been recorded to /root/.azure/azure.err
error: role assignment create command failed

Details from last failure:
2017-04-28T08:55:50.862Z:
{ Error: The client 'richard.xxxxxx@xxxxx' with object id 'de9bb642-51e9-4f79-a6ad-1bbff50cea50' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxxxxxxxxxx/resourcegroups/docker-azure-sandpit/providers/Microsoft.Authorization/roleAssignments/dffaf9b0-5dda-43db-9a76-85a80dd56bde'.
<<< async stack >>>
at __1 (/usr/lib/node_modules/azure-cli/lib/commands/arm/role/role.assignment.js:152:55)
<<< raw stack >>>
at Function.ServiceClient._normalizeError (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/serviceclient.js:814:23)
at /usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/filters/errorhandlingfilter.js:44:29
at Request._callback (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/http/request-pipeline.js:109:14)
at Request.self.callback (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:187:22)
at emitTwo (events.js:106:13)
at Request.emit (events.js:191:7)
at Request. (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:1044:10)
at emitOne (events.js:101:20)
at Request.emit (events.js:188:7)
at IncomingMessage. (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:965:12)
stack: [Getter/Setter],
code: 'AuthorizationFailed',
statusCode: 403,
requestId: '083e95d0-74cf-489c-beb4-0c35295e4d9b',
__frame:
{ name: '__1',
line: 73,
file: '/usr/lib/node_modules/azure-cli/lib/commands/arm/role/role.assignment.js',
prev: undefined,
calls: 1,
active: false,
offset: 79,
col: 54 },
rawStack: [Getter] }
Error: The client 'richard.xxxxxx@xxxxx' with object id 'de9bb642-51e9-4f79-a6ad-1bbff50cea50' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxxxxx/resourcegroups/docker-azure-sandpit/providers/Microsoft.Authorization/roleAssignments/dffaf9b0-5dda-43db-9a76-85a80dd56bde'.
<<< async stack >>>
at __1 (/usr/lib/node_modules/azure-cli/lib/commands/arm/role/role.assignment.js:152:55)
<<< raw stack >>>
at Function.ServiceClient._normalizeError (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/serviceclient.js:814:23)
at /usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/services/filters/errorhandlingfilter.js:44:29
at Request._callback (/usr/lib/node_modules/azure-cli/node_modules/azure-common/lib/http/request-pipeline.js:109:14)
at Request.self.callback (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:187:22)
at emitTwo (events.js:106:13)
at Request.emit (events.js:191:7)
at Request. (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:1044:10)
at emitOne (events.js:101:20)
at Request.emit (events.js:188:7)
at IncomingMessage. (/usr/lib/node_modules/azure-cli/node_modules/request/request.js:965:12)

Although the page linked says “Proper Permissions”, it doesn’t say what these permissions should be.

Hi @richardatwork. This is most likely a permission issue with the user account you are using within the Azure subscription. Can you work with your Azure subscription admin to make sure your user has the “Microsoft Authorization” permission set to “All” rather than “Partial”? You can find this in the Azure portal by navigating through the following blades: Subscriptions -> [your subscription] Access Control (IAM) -> Permissions (preview) -> Microsoft Authorization. We have noticed that it is typically set to Partial even when you have Contributor privileges across the subscription.

Another alternative is for your Azure admin to run create-sp-azure in global mode (i.e. without specifying rg-name and rg-location) and provide you the resulting App ID and Secret. You can use these to instantiate the Docker4Azure template.

Hi

Thanks for your help, but we’re unable to find Permissions (preview) in the Azure Portal.

I’ve been using this script, which works:
# This script creates an Azure AD application.
# Before running this script you need to install the Azure RM cmdlets as an administrator.
# For this:
# 1) Run Powershell as an administrator
# 2) in the PowerShell window, type: Install-Module AzureRM.Resources

$ErrorActionPreference = 'Stop'

# Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps.
# Look it up in the Azure portal in the "Properties" of the Azure AD.
$script:tenantId = '00000000-0abc-0000-abcd-ef0001111234'

# Variables for the registration of the AAD application for the Web API Service
$script:serviceAadAppName = "exampleapp"
$script:serviceHomePage = "https://www.contoso.org/exampleapp"
$script:serviceAppIdIRI = "https://"+$script:tenantId+"/"+$script:serviceAadAppName


# Import required modules
Import-Module AzureRM.Resources

# Login to Azure PowerShell (interactive: you'll need to sign in with creds enabling you to create apps in the tenant)
$creds = Login-AzureRmAccount -TenantId $script:tenantId


# Create the Azure Active Directory Application
# Note that if, at this point, you get an error: "New-AzureRmADApplication : Your Azure credentials have not been set up or have expired, please run Login-AzureRMAccount to set up your Azure credentials"
# then you will need to run Clear-AzureProfile (you might have an expired token)

$serviceApplication = New-AzureRmADApplication -DisplayName $script:serviceAadAppName -HomePage $script:serviceHomePage -IdentifierUris $script:serviceAppIdIRI

# Create the Service Principal and connect it to the Application
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $serviceApplication.ApplicationId

It’s possible then to add more stuff such as credentials as you did, either during the creation of the application, or afterwards (with Set-AzureRMADApplication).
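A reworked version of the script above, added here as an example and not taken from the thread or from Docker: before creating anything it checks that the signed-in user can actually write role assignments at the target scope (the 'Microsoft.Authorization/roleAssignments/write' 403 seen earlier in the thread), it waits for the new service principal to become visible in the directory, and it grants the principal Contributor on a single resource group rather than on the whole subscription. It uses the same AzureRM.Resources cmdlets as the thread; the tenant GUID and home page are placeholders.

```powershell
# Added example (not from the thread): AD app + service principal with a
# permission pre-check, propagation wait and a resource-group-scoped role.
$ErrorActionPreference = 'Stop'
Import-Module AzureRM.Resources

$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder tenant GUID
$appName  = 'docker-azure-sandpit-sg'                # app name used in the thread
$rgName   = 'docker-azure-sandpit'                   # resource group used in the thread
$appIdUri = "https://$tenantId/$appName"

# Interactive sign-in; the returned profile tells us who we are signed in as.
$profile = Login-AzureRmAccount -TenantId $tenantId
$me = $profile.Context.Account.Id

# Pre-flight: writing a role assignment requires Owner or User Access Administrator
# at the target scope. Assignments inherited from the subscription are returned too.
$canAssign = Get-AzureRmRoleAssignment -SignInName $me -ResourceGroupName $rgName |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'User Access Administrator' }
if (-not $canAssign) {
    throw "$me cannot write role assignments on '$rgName'; ask a subscription Owner to run this or to grant User Access Administrator on the group."
}

# Register the application and its service principal.
$app = New-AzureRmADApplication -DisplayName $appName `
    -HomePage "https://localhost/$appName" -IdentifierUris $appIdUri
$sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# Newly created directory objects are not immediately visible to every service;
# poll (up to 2 minutes) before handing the object id to a role assignment.
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 5
    $visible = Get-AzureRmADServicePrincipal -ObjectId $sp.Id -ErrorAction SilentlyContinue
} until ($visible -or (Get-Date) -gt $deadline)
if (-not $visible) { throw "Service principal $($sp.Id) not visible after 2 minutes" }

# Least privilege: Contributor on this resource group only, not on the subscription.
New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' `
    -ResourceGroupName $rgName | Out-Null

Write-Host "APP_ID=$($app.ApplicationId) SP_OBJECT_ID=$($sp.Id) scope=resourceGroup:$rgName"
```

Credentials for the application are left out on purpose; add them afterwards with Set-AzureRMADApplication as the post above describes, so the secret is never embedded in the script.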