I'm trying to deploy Azure resources using Bicep templates and Azure Pipelines. So far I managed to deploy a web app, but I'm struggling to register it in Azure AD.

There is a job in my pipeline which should create an app in Azure AD:

This job fails with the following error:

ERROR: Insufficient privileges to complete the operation.

I also tried to use az rest command like so and got similar error:

ERROR: Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-03-01T07:18:30","request-id":"903fcd87-ad15-4766-8f31-132185e2c97d","client-request-id":"903fcd87-ad15-4766-8f31-132185e2c97d"}}})

It's clear that the service connection used by the pipeline doesn't have some necessary permissions, but I cannot figure out which one.

The service connection has the Owner role. Here are API permissions of the service connection:

There is an

Any help would be appreciated!

CodePudding user response：

You should use the Microsoft Graph instead and select the appropriate permissions there.

Another option would be to let the bicep template of the web app add a system managed identity for you by using the SystemAssigned in the identity property:

 resource appService 'Microsoft.Web/sites@2020-06-01' = {
  name: webAppName
  location: location
  properties: {
    serverFarmId: appServicePlan.id
    siteConfig:{
      alwaysOn: true
    }
    httpsOnly: true  
    clientAffinityEnabled: false
  }
  identity: {
    type: 'SystemAssigned'
    }
}