I am trying to add a credential to a Service Principal (Azure AD application) using the following PowerShell script
connect-msolservice
# Load the public certificate from the file at $location (set earlier in the script)
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import($location)
# DER-encoded certificate bytes, base64 encoded, are what the -Value parameter expects
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert);
New-MsolServicePrincipalCredential -AppPrincipalId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -Type asymmetric -Value $credValue -Usage verify
However I am getting the following error: Access Denied. You do not have permissions to call this application.
I was not the owner of this application, but the actual owner had made me one of the owners.
For a different application, which I had created, the above code is running without a hitch. Am I missing something? Do I require any other Auth mechanism?
Only a global administrator of the tenant has the permissions to create or update service principals in that tenant.
What you want to do, as an owner of this application, to add a new credential is to update the Application Object via the Application Manifest.
There are instructions here about adding an X.509 certificate to your application object (in the section Configuring an X.509 public cert for your application): http://blogs.msdn.com/b/exchangedev/archive/2015/01/21/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx
You should have the permissions to access and update this part of your application if you were marked as an owner.
Note that the certificate here is a Global Cert, which can be used to authenticate in the context of any tenant, rather than a tenant specific cert on the service principal.
I hope this helps!
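As an added illustration of the manifest route the answer recommends (this is not code from the question, the answer, or the linked article), the script below builds the keyCredentials entry for the Application Manifest from a .cer file. The path in $CertPath and the function name are assumptions; the field layout (customKeyIdentifier, keyId, type, usage, value) is the documented Azure AD application manifest format.

```powershell
# Added example, not part of the original question or answer.
# Builds the keyCredentials entry an application owner pastes into the
# Application Manifest, which is the credential on the Application object
# (valid in any tenant) rather than the tenant-specific service principal.
function New-KeyCredentialManifestEntry {
    param(
        [Parameter(Mandatory = $true)]
        [string]$CertPath   # assumed: path to a .cer holding only the public certificate
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($CertPath)

    # Checks a practitioner wants before touching the manifest.
    if ($cert.HasPrivateKey) {
        Write-Warning 'The file carries a private key; only the public certificate belongs in the manifest.'
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter); Azure AD will reject assertions signed with it."
    }

    # value: DER-encoded certificate, base64 encoded (same bytes the question's script computes).
    $value = [System.Convert]::ToBase64String($cert.GetRawCertData())

    # customKeyIdentifier: the SHA-1 thumbprint as raw bytes, base64 encoded,
    # not the hex Thumbprint string shown in the certificate UI.
    $customKeyIdentifier = [System.Convert]::ToBase64String($cert.GetCertHash())

    [ordered]@{
        customKeyIdentifier = $customKeyIdentifier
        keyId               = [guid]::NewGuid().ToString()
        type                = 'AsymmetricX509Cert'
        usage               = 'Verify'
        value               = $value
    }
}

# Usage: emit the JSON array to merge into "keyCredentials" in the manifest.
$entry = New-KeyCredentialManifestEntry -CertPath 'C:\certs\app-public.cer'   # assumed path
ConvertTo-Json -InputObject @($entry) -Depth 3
```

When editing the manifest, append the new object to the existing keyCredentials array rather than replacing it; saving a manifest whose array contains only the new entry silently removes every other certificate credential on the application, which is an easy way to break other clients of the same app. Keep the private key with the service that signs the client assertion; only the public certificate goes into the manifest.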