I created an Azure DevOps Service Connection that uses an App Registration / SPN - master-app which has the following API Permissions (Graph - Application (Not Delegated) - Admin Consent Yes):
Application.ReadWrite.All
Application.ReadWrite.OwnedBy
Directory.ReadWrite.All
When I used the following command az ad app create --display-name mynewapp, it created mynewapp along with the SPN associated with it. However, for the last 2 days the same command has been creating mynewapp but without the SPN.
Why has it stopped creating the associated SPN now? It worked with the same Service Connection or directly via az cli. I tried to do az account clear / az logout and re-login using the Master-APP ClientID and SecretID but it still can't create the associated SPN!
Any idea what must have gone wrong?
I read somewhere that SPNs can only create App Regs without SPNs but if that is true, how did the pipeline create App Reg with SPN previously?
As @VenkatV has clarified, unlike manually creating an App registration on the Azure Portal, the command 'az ad app create --display-name {appName}' just creates a confidential client application registration; it does not automatically create a service principal for the new client application at the same time. After executing the 'az ad app create' command, you also need to execute the command 'az ad sp create --id {clientId}' to create a service principal for the client application. At this point, the application registration process can be considered complete.

If you only execute the 'az ad app create' command, you can see the client application generated in the Azure Portal UI. However, if you run the command 'az ad sp show --id {clientId}', it returns an error like the one below. After using the 'az ad sp create' command, the 'az ad sp show' command successfully returns the right information. For more details, you can see the documentation "Register a client application using CLI and REST API".