DevOps Azure CLI Task - Granting Admin Consent to App Registration throws error

Question

I'm hoping that someone can shed some light on this because I'm a little bit stuck.

....

I have an Azure CLI task in a DevOps Release Pipeline.

This is running using a Service Principal which is a member of the Application Administrators group.

When I run the following command ...

az ad app permission admin-consent --id $(Variables.SharePointAppRegAppId)

I get an error message:

ERROR: Forbidden({"message":"Forbidden","httpStatusCode":"Forbidden","xMsServerRequestId":null,"clientData":{"errorCode":"MsaUserWithNoAccessToTenant","localizedErrorDetails":null,"operationResults":null,"timeStampUtc":"AAAAA","clientRequestId":"BBBBB","internalTransactionId":"CCCCC","tenantId":null,"userObjectId":"DDDDD","exceptionType":"Exception"},"stackTrace":null})

I initially thought that it might be permissions based - that maybe it doesn't have sufficient permissions to perform this task, but according to this Microsoft article (https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal#prerequisites)

To grant tenant-wide admin consent, you need:

• An Azure AD user account with one of the following roles:
  • Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API.
  • Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Azure AD Graph or Microsoft Graph app roles (application permissions).
  • A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application.

Now - the error is otherwise saying "MsaUserWithNoAccessToTenant" but I'm already using this same Service Principal to actually create and deploy the entire environment using Pulumi - including creating and setting up new instances, and creating brand new AAD App registrations in the same tenant.

For reference - here is the YAML task definition

- task: AzureCLI@2
  displayName: 'Grant Admin Consent to AAD App Registration'
  inputs:
    azureSubscription: 'appreg-infra'
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      az ad app permission admin-consent --id $(Variables.SharePointAppRegAppId)

Answer 1

I tried to reproduce the same in my environment and got below results:

I added DevOps service principal and one user account named Sri to Application Administrator Group like below:

In my case, I tried to grant admin consent to SharePoint permissions of below application via DevOps Azure CLI Task:

When I ran DevOps Azure CLI Task to grant admin consent, I got same error as you like below:

When I tried to run same commands by logging as service principal via CLI locally, I got same error like below:

az login --service-principal -u <spID> -p <clientsecret> --tenant <tenantID> --allow-no-subscriptions
az ad app permission admin-consent --id <SharePointAppID>

Response:

Note that, granting admin consent requires Azure AD user account with one of the Administrator roles.

To resolve the issue, you need to sign in with user account having admin privileges instead of service principal.

Now, I signed in with Azure AD user account Sri which is a member of Application Administrator group by running below CLI commands and got response like this:

az login -u <username> -p <password> --tenant <tenantID> --allow-no-subscriptions
az ad app permission admin-consent --id <SharePointAppID>

Response:

To confirm that, I checked the same in Portal where admin consent is granted successfully in the application like below: