无法将凭据添加到Azure AD中的服务主体

Question

I am trying to add a credential to a Service Principal (Azure AD application) using the following powershell script

connect-msolservice
$cer = New-ObjectSystem.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import($location)
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert);
New-MsolServicePrincipalCredential -AppPrincipalId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -Type asymmetric -Value $credValue -Usage verify

However I am getting the following error: Access Denied. You do not have permissions to call this application.

I was not the owner of this application, but the actual owner had made me one of the owners.
For a different application, which I had created, the above code is running without a hitch. Am I missing something? Do I require any other Auth mechanism?

Answer 1

Only a global administrator of the tenant has the permissions to create or update service principals in that tenant.

What you want to do, as an owner of this application, to add a new credential is to update the Application Object via the Application Manifest.

There are instructions here about adding an X509 to your application object (in the section Configuring a X.509 public cert for your application): http://blogs.msdn.com/b/exchangedev/archive/2015/01/21/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx

You should have the permissions to access and update this part of your application if you were marked as an owner.

Note that the certificate here is a Global Cert, which can be used to authenticate in the context of any tenant, rather than a tenant specific cert on the service principal.

I hope this helps!