Creating an Azure app registration using Bicep : which privileges are needed?


I'd like to create an app registration in a deployment script using Bicep. A user-assigned managed identity is used to run the deployment script. But the identity doesn't have the sufficient privileges to create the app registration. What role assignment should the identity have?

resource appRegistration 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: name
  location: location
  tags: tags
  kind: 'AzureCLI'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${identity.id}': {} }
  }
  properties: {
    azCliVersion: '2.9.1'
    retentionInterval: 'P1D'
    arguments: name
    scriptContent: '''
      APPREGNAME=$1
      # Sign in as the user-assigned managed identity attached to the script container
      az login --identity
      # Create the app registration and capture its application (client) ID
      clientid=$(az ad app create --display-name "$APPREGNAME" --query appId --output tsv)
      # AzureCLI deployment scripts return outputs by writing JSON to $AZ_SCRIPTS_OUTPUT_PATH;
      # $DeploymentScriptOutputs only exists in AzurePowerShell scripts
      echo "{\"clientId\":\"$clientid\"}" > "$AZ_SCRIPTS_OUTPUT_PATH"
      '''
  }
}

Error:

DeploymentScriptError: Insufficient privileges to complete the operation.

This article mentions an Application Administrator role, but I can't find that role when I'm trying to add a role assignment to the identity in the Azure Portal.

There is 1 best solution below

Note that: I agree with @Thomas, to create Azure AD Application, the managed identity must have Application Administrator Role or Application.ReadWrite.All or Application.ReadWrite.OwnedBy application permissions based on your requirement.

To resolve the error "Insufficient privileges to complete the operation" check the below:

Assign Application Administrator Role to the managed identity:

Go to Azure Portal -> Microsoft Entra ID roles and administrators -> Select Application Administrator -> Add assignment -> Select members -> Search your managed identity -> Assign


Otherwise, try assigning Application.ReadWrite.All or Application.ReadWrite.OwnedBy API permissions to managed identity like below:

# Requires the Az.Resources and Microsoft.Graph.Applications modules
Connect-AzAccount

$DestinationTenantId = "TenantID"
$MsiName = "ruk"
# Graph application permissions to grant; keep only the one your deployment actually needs
$oPermissions = @(
  "Application.ReadWrite.All"
  "Application.ReadWrite.OwnedBy"
)

$GraphAppId = "00000003-0000-0000-c000-000000000000" # Well-known Microsoft Graph app ID - don't change this

# Service principals of the managed identity and of Microsoft Graph
$oMsi = Get-AzADServicePrincipal -Filter "displayName eq '$MsiName'"
$oGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Resolve the requested permission names to Graph app role definitions
$oAppRole = $oGraphSpn.AppRole | Where-Object {($_.Value -in $oPermissions) -and ($_.AllowedMemberType -contains "Application")}

# The signed-in user needs AppRoleAssignment.ReadWrite.All to grant app roles to a service principal
Connect-MgGraph -TenantId $DestinationTenantId -Scopes "AppRoleAssignment.ReadWrite.All"

foreach($AppRole in $oAppRole)
{
  $oAppRoleAssignment = @{
    "PrincipalId" = $oMsi.Id
    "ResourceId" = $oGraphSpn.Id
    "AppRoleId" = $AppRole.Id
  }

  New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $oAppRoleAssignment.PrincipalId `
    -BodyParameter $oAppRoleAssignment `
    -Verbose
}


The API permissions are granted successfully to the managed identity.

Now run the Bicep deployment script after assigning the role or the API permissions, and the Azure AD application will be created successfully.
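As an added example (not part of the original answer), the following PowerShell script takes the least-privilege variant of the answer above: it grants the managed identity only Application.ReadWrite.OwnedBy on Microsoft Graph, skips the grant if it already exists, and then lists the Graph app roles the identity effectively holds so the assignment can be verified before the Bicep deployment runs. It uses only the Microsoft.Graph.Applications cmdlets; the tenant ID and the identity's display name are placeholders to replace.

```powershell
# Added example, not code from the original answer. Requires the Microsoft.Graph.Applications module.
# Placeholders: replace the tenant ID and the managed identity's display name.
$TenantId = "<your-tenant-id>"
$MsiName  = "<managed-identity-display-name>"

# Least privilege: Application.ReadWrite.OwnedBy lets the identity create app registrations and
# manage only the ones it owns. Application.ReadWrite.All is needed only if it must edit apps it did not create.
$RequiredRole = "Application.ReadWrite.OwnedBy"

# Well-known application ID of the Microsoft Graph service principal (identical in every tenant)
$GraphAppId = "00000003-0000-0000-c000-000000000000"

# The signed-in admin needs AppRoleAssignment.ReadWrite.All to grant app roles to a service principal
Connect-MgGraph -TenantId $TenantId -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"

$msi   = Get-MgServicePrincipal -Filter "displayName eq '$MsiName'"
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $msi)   { throw "Managed identity '$MsiName' not found in tenant $TenantId" }
if (-not $graph) { throw "Microsoft Graph service principal not found in tenant $TenantId" }

# Resolve the permission name to the app role definition published on Graph's own manifest
$role = $graph.AppRoles | Where-Object { $_.Value -eq $RequiredRole -and $_.AllowedMemberTypes -contains "Application" }
if (-not $role) { throw "App role '$RequiredRole' not found on Microsoft Graph" }

# Idempotent grant: skip if the identity already holds this role on Graph
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
    Where-Object { $_.ResourceId -eq $graph.Id -and $_.AppRoleId -eq $role.Id }

if ($existing) {
    Write-Host "'$MsiName' already has $RequiredRole; nothing to do"
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
        -PrincipalId $msi.Id -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted $RequiredRole to '$MsiName'"
}

# Verification: list every Graph app role the identity now holds, resolved to readable permission names.
# Anything beyond what the deployment needs is a candidate for removal.
$roleNames = @{}
$graph.AppRoles | ForEach-Object { $roleNames[$_.Id] = $_.Value }
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { [PSCustomObject]@{ Identity = $MsiName; GraphPermission = $roleNames[$_.AppRoleId] } } |
    Format-Table -AutoSize
```

Run it once as a Global Administrator or Privileged Role Administrator before deploying; the final table is the check that the identity has exactly the permission the deployment script needs and nothing broader. A newly granted app role can take a few minutes to be reflected in tokens the identity obtains, so a deployment started immediately afterwards may still report "Insufficient privileges" once before succeeding.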