I try to create an Azure AD Subscription via Azure CLI in Azure Pipeline with the following command:
        - task: AzureCLI@2
          inputs:
            azureSubscription: 'SubscriptionName'
            scriptType: 'ps'
            scriptLocation: 'inlineScript'
            inlineScript: |
              $appName = "myApp$(randomString)"
              # Create the app registration and get the appId
              $app = az ad app create --display-name $appName --query "appId" -o tsv
But after:
C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account set --subscription XXXXXXX"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\azureclitaskscriptXXXXX.ps1'"
I get the following error: Insufficient privileges
The Pipeline has ARM privileges.
 
                        
You are using PowerShell [ps] as the script type and running an Azure CLI bash command, which is causing this error. Use the YAML script below with the script type set to bash. And in your Azure service connection, use a service connection with the Application Administrator, Global Administrator or Privileged Administrator role assigned at the Azure AD level. Refer to the below:-
My YAML script:-
scriptType is set to bash, with an azureSubscription that has the correct role assigned at the Azure AD level.
Output:-
My PowershellSid > Service connection in Azure DevOps below:-
The service principal used to create the above service connection in Azure DevOps has the below Azure AD role assigned:-
Reference for Azure AD roles:-
Microsoft Entra built-in roles | Microsoft Learn
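
The step the answer describes, written out as an added example (it is not the answerer's own script, which does not appear on the page). It assumes a Linux agent (`ubuntu-latest`) so that bash is available, and reuses the service connection name and the `randomString` pipeline variable from the question; the display name and messages are illustrative.

```yaml
# Added example: pool image, display name and messages are assumptions.
pool:
  vmImage: 'ubuntu-latest'   # assumption: Linux agent, where bash is available

steps:
  - task: AzureCLI@2
    displayName: 'Create app registration'
    inputs:
      azureSubscription: 'SubscriptionName'   # service connection name from the question
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        # Stop at the first failing command instead of continuing with empty values.
        set -euo pipefail

        # Print the identity the task signed in with (for a service principal
        # this is its application ID), so the Azure AD role assignment can be
        # checked against the right principal when the call is rejected.
        signedInAs=$(az account show --query user.name -o tsv)
        echo "Signed in as: $signedInAs"

        # randomString is the pipeline variable used in the question; the
        # pipeline expands it before the script runs.
        appName="myApp$(randomString)"

        # Create the app registration and capture its appId.
        appId=$(az ad app create --display-name "$appName" --query appId -o tsv)

        if [ -z "$appId" ]; then
          echo "##vso[task.logissue type=error]No appId returned for $appName"
          exit 1
        fi
        echo "Created app registration $appName ($appId)"
```

If the step still ends with "Insufficient privileges", the printed identity is the one whose Azure AD role assignment needs checking.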