
I am looking to create a simple Azure Service Web App and deploy it inside Microsoft Azure. I have already spun up a CloudShell environment and created the web app with az webapp up --name <web-app-name>. However, when I go to create a project, and in particular create a New Azure Service Connection for the project, I run into an error stating:

Failed to create an app in Microsoft Entra. Error: Insufficient
privileges to complete the operation in Microsoft Graph Ensure that
the user has permissions to create a Microsoft Entra Application.

I am following this section of the instructions of the Azure docs. I am using an individual pay-as-you-go Azure Plan subscription. Below is a screenshot of the page where I run into the error:


As you can see from the image, I am trying to create an Azure Resource Manager with the Service Principal authentication method (chose this method arbitrarily).

How can I create this Service Connection?

2 Answers


  1. To create a service connection, the user you use to log in to DevOps needs one of the following permissions in Azure

    • Application Developer
    • Application Administrator

    With this permission the user can create a service principal and assign it the permissions (e.g. contributor) it needs to create resources within your scope (e.g. resource group).

  2. The key point here is that it’s not the service connection that you’re lacking the permissions to create, it is the service principal. Service connections are an Azure DevOps concept, service principals (aka app registrations) are a Microsoft Entra ID (formerly Azure AD) concept.

    The relationship between service principals and App Registrations in Entra ID is a little murky, see this SO post for further reading.

    From the MS documentation on creating a service principal (link: Register an application with Microsoft Entra ID and create a service principal), your account that you are using to log into Azure DevOps needs at least Cloud Application Administrator.

    You need someone else within your Microsoft Entra ID tenant either to create the service principal for you (and you then add it manually in Azure DevOps), or grant you at least Cloud Application Administrator so you can create the service principal yourself.

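Both paths the answers describe, as an added Azure CLI example that is not from the question or either answer: a check of the signed-in account's Entra directory roles against the roles named above, and the admin-side creation of a service principal scoped to a single resource group for a manual service connection. The resource group and service principal display name are placeholder arguments.

```shell
#!/bin/sh
# Added example, not from the question or answers. Run in Azure Cloud Shell
# (Azure CLI already logged in). Arguments: "check", or
# "create-sp <sp-display-name> <resource-group>" (both placeholders).
set -eu

# Pure check: $1 is a newline-separated list of directory role display
# names held by a user. Succeeds if any role named in the answers is present.
has_app_creation_role() {
  matched=1
  while IFS= read -r role; do
    case "$role" in
      "Application Developer"|"Application Administrator"|"Cloud Application Administrator")
        matched=0 ;;
    esac
  done <<EOF
$1
EOF
  return $matched
}

# Live check: list the signed-in user's active directory roles via Microsoft
# Graph (az rest reuses the CLI login token) and report whether one of them
# permits creating an app registration. Roles that are only eligible (PIM)
# and not activated do not appear here.
check_my_roles() {
  roles=$(az rest --method get \
    --url 'https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole' \
    --query 'value[].displayName' -o tsv)
  if has_app_creation_role "$roles"; then
    echo "OK: your account can create an app registration / service principal"
  else
    echo "Missing: ask a tenant admin for Application Developer (least privilege), or ask them to create the SP for you"
  fi
}

# Admin path from answer 2: create the SP with Contributor on one resource
# group only, not the whole subscription. The printed appId, password and
# tenant are what the requester enters in Azure DevOps as a manual
# service connection; treat the password as a secret.
create_scoped_sp() {
  sub=$(az account show --query id -o tsv)
  az ad sp create-for-rbac --name "$1" --role Contributor \
    --scopes "/subscriptions/$sub/resourceGroups/$2"
}

case "${1:-}" in
  check) check_my_roles ;;
  create-sp) create_scoped_sp "$2" "$3" ;;
esac
```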