Facing an error while creating ML Workspace through Azure DevOps pipelines - azure-devops

So I am trying to build a Machine Learning pipeline on Azure DevOps. I followed this tutorial: https://www.azuredevopslabs.com/labs/vstsextend/aml/#author-praneet-singh-solanki
However, in Exercise 1- Step 3: Create or get workspace, I'm facing an error while authorising my Azure Subscription.
"Error: Insufficient privileges to complete the operation. Ensure that the user has permissions to create an Azure Active Directory Application."
Here is a snapshot of the problem. Also, my subscription is free tier as of now. Could that be a reason?

My subscription is free tier as of now. Could that be a reason?
No, you don't need to worry about this. For free credit, we offered $200 free quota, and also the use will not be limited (just limit use depth only).
"Error: Insufficient privileges to complete the operation. Ensure that
the user has permissions to create an Azure Active Directory
Application."
This issue should be caused by your incorrect role setting. Even if you are owner of the AAD or application, if you did not assign the role of Application administrator, you will still receive the error of insufficient permission.
Please assign the role of your AD application to an Administrator permission. Go to Azure Portal -> Azure Active Directory -> Users, and then search for the account which you will use in the Azure DevOps pipeline, and then follow the below setting to assign the role.
Then go back to Azure DevOps, refresh the Azure Subscription and authorize again.

Related

Cannot link my Azure DevOps Organization to my AAD tenant

I'm trying to connect my Azure DevOps Organization to my Azure AD Tenant. I'm the only user in both. I connect to both using my personal Microsoft (@outlook.com) account. However, when I'm trying to link my DevOps orga to my Azure AD Tenant, Azure DevOps doesn't see me as a member of the Azure AD Tenant that I'm trying to connect to, even though I'm connected in Azure with the same Microsoft account that I use on Azure DevOps... I'm following the steps mentioned here.
Below pic shows the error message I'm getting while trying to connect my Azure DevOps orga to my Default Azure AD Tenant :
Here, you can see that I'm connected in my Azure AD Tenant with the same Microsoft account that in the previous picture :
Tried to do the same where only one member, who is the only admin, is present in the Azure AD tenant. But could successfully connect to Azure DevOps.
Please make sure you are connecting to an already existing AAD tenant and then creating the connection. Check if admin permissions are given.
I had these roles assigned.
I had guest user access same as member access.
Could smoothly connect without any warnings to the same domain as that of azure ad.
I tried to reproduce the issue and so tried to connect with the other tenant/directory and got an error similar to yours, which is not your case as you mentioned you have the same directory domain.
So in your case, please close all other tabs and sign in to only the required tenant both in Azure AD and also in Azure DevOps.
Please check the access permissions for this organization, if the organization is denied access for external access.
See Access via Azure AD FAQs | Microsoft Docs which can guide to troubleshoot your error cause and it says to have co-admin or service admin permissions.
Also please take the points by @jessehouwing in the comments into consideration, if the issue is still there: create a new Global Admin user account in AAD; add this user to the DevOps organisation, set as owner and give Project Collection Administrators permission; remove that domain from the DevOps org, re-add to the org and re-assign as the owner.
Else it might be some issue with the default directory permissions. You may contact and report a problem in https://developercommunity.

Service connection creation operation failed

I'm trying to create a release pipeline on Azure DevOps but I got this error message when I select and authorize Azure subscription:
"Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation. Ensure that the user has permissions to create an Azure Active Directory Application."
What specific permission do I need on Azure AD? Owner? Or in Azure DevOps?
Thanks
I can reproduce your problem on my side.
Changing Users can register applications to Yes will fix this issue.
Go to Azure portal -> click Azure Active Directory -> User settings

Azure Resource Manager Service Connection not connecting

We currently have one DevOps repository, with a functional CI/CD pipeline. We have another website hosted on a different instance (and different region) on Azure. We are trying to use our existing repo to deploy to the other Azure instance, but it is giving us the following message:
Failed to query service connection API: 'https://management.azure.com/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '2317de35-b2c2-4e32-a922-e0d076a429f5' with object id '2317de35-b2c2-4e32-a922-e0d076a429f5' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d'."}}'
I have tried all of the recommended troubleshooting, making sure that the user is in a Global Administrator role and what-not, but still no luck. The secondary Azure subscription that we are hoping to push our builds to is a trial account. I'm not sure if it being a trial account matters.
I came across the same error. It turns out that, as the error message states, the service principal didn't have Read permission over the subscription. So the solution was to go to Azure Portal, select the subscription, select IAM and assign the role Reader to my service principal. Full explanation on here:
https://clydedz.medium.com/connecting-azure-devops-with-azure-46a908e3048f
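The check described in this answer, reading the denied action and scope out of the `AuthorizationFailed` text and granting only the role that covers it, as an added example that is not part of the original answers. The sample error is constructed with placeholder GUIDs, the `ROLES` table is an abridged assumption about the built-in role definitions, and the function names are hypothetical.

```python
import fnmatch
import json
import re

# Constructed sample in the shape of the error quoted above; GUIDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SP = "11111111-1111-1111-1111-111111111111"
SAMPLE = (
    "Status Code: 'Forbidden', Response from server: '"
    + '{"error":{"code":"AuthorizationFailed","message":"The client \'' + SP
    + "' with object id '" + SP + "' does not have authorization to perform action "
    + "'Microsoft.Resources/subscriptions/read' over scope '" + SUB + "'.\"}}'"
)

# Built-in roles, least privileged first (Contributor's notActions abridged).
ROLES = [
    ("Reader", ["*/read"], []),
    ("Contributor", ["*"], ["Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete"]),
    ("Owner", ["*"], []),
]

def parse_authorization_failed(text):
    """Extract principal object id, denied action and scope from the error text."""
    error = json.loads(text[text.index('{"error"'):text.rindex("}") + 1])["error"]
    m = re.search(r"object id '([^']+)' does not have authorization to perform "
                  r"action '([^']+)' over scope '([^']+)'", error["message"])
    if error["code"] != "AuthorizationFailed" or m is None:
        raise ValueError("not a recognised AuthorizationFailed response")
    return {"object_id": m.group(1), "action": m.group(2), "scope": m.group(3)}

def covers(patterns, action):
    """Azure RBAC action strings match case-insensitively with * as a wildcard."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def least_privileged_role(action):
    # First role whose actions allow `action` and whose notActions do not exclude it.
    for name, actions, not_actions in ROLES:
        if covers(actions, action) and not covers(not_actions, action):
            return name
    raise LookupError("no role in ROLES grants " + action)

def suggest_assignment(text):
    f = parse_authorization_failed(text)
    return ("az role assignment create --assignee-object-id " + f["object_id"]
            + " --assignee-principal-type ServicePrincipal --role "
            + least_privileged_role(f["action"]) + " --scope " + f["scope"])

if __name__ == "__main__":
    print(suggest_assignment(SAMPLE))
```

For the error above this yields a Reader assignment at subscription scope, which is why Owner, Contributor or a directory-level administrator role is not needed to get past the verification step.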
I have the same problem. There are one repository and two instances of the application on the Azure portal. For the first instance, the subscription Pay-As-You-Go is used, and there were no problems for it when creating the service connection and CI/CD settings. For the second instance, a free subscription is used and when trying to create a new service connection (Azure Resource Manager) I get the same error.
I tried to do it with the permissions of Owner and Contributor
UPD: I was helped by the re-creation of the application in the azure portal
https://learn.microsoft.com/en-ca/azure/active-directory/develop/howto-create-service-principal-portal
Another option would be to save without verification if the Service Principal will not require permissions at the Subscription level. Like for example providing access to a Keyvault.
Check if the service connection for the second instance is correctly added in project settings:

Disconnecting Azure Directory from Azure DevOps organization on Azure DevOps service portal creates login errors

I was playing around to learn the feature and concept on Azure DevOps services.
And I created one Azure DevOps Organization using my MSA account and connected it to my Azure Active Directory (as I have a pay-as-you-go subscription using my MSA account).
I then disconnected it from Azure Active Directory so it (forced) logged me out of the Azure DevOps portal. I was thinking that I will disconnect and connect it back to AAD. But apparently that's not how it works... and I found out in a very rude way.
After that I was unable to login to the Azure DevOps service portal using my MSA ID. And here is the error page:
I was able to somehow get over the issue by creating a new org using the organization list link provided on the error page.
But now my question is, I do see my old DevOps Organization on Azure DevOps Service portal which I am unable to access. It's sort of orphaned Org and just hanging there. Now how do I get rid of it or delete it?
What is happening is that Azure DevOps is not able to sync up with your AAD. The reason it is showing the "not authorized" error is that it can't identify whether the same tenant is trying to connect (when you're logging in) to the project and the project is in the AAD in parallel, so that is creating the miscommunication between your tenant, AAD and DevOps organisation.
Sign out, and then open your browser in a private session and sign in to your organization with your Azure AD, MSA or work credentials.

How to detach, unlink, clear, remove, or rollback VSTS connection to Azure AD

There are good instructions available here on changing the VSTS connection from one Azure AD to another: Change VSTS AD.
But what if you just want to remove the Azure AD integration, and just revert to using Microsoft Accounts?
I successfully performed all the steps in the instruction, up to the point of attaching a new target Azure AD. You'd think when the VSTS account was unlinked in Azure, it would no longer show up in VSTS.
But going to https://[AccountName].visualstudio.com/_admin/_home/settings still shows account being backed by the source directory.
Attempting to add a Microsoft Account based user at https://[AccountName].visualstudio.com/_user fails to find the account, presumably because it is looking in the Source Azure AD.
This is an important capability when transferring ownership of an account. Thanks for taking a look!
You can follow the steps here: Disconnect your Team Services account from Azure AD.
To stop using Azure AD and revert to using Microsoft accounts, you can disconnect your Team Services account from its directory.
Here's what you'll need:
Microsoft accounts added to your Team Services account for all users.
Team Services account owner permissions for your Microsoft account.
Directory membership for your Microsoft account as an external user and global administrator permissions. Azure AD members can't disconnect Team Services accounts from directories.
With the help of Microsoft Premium Support, we did manage to get this worked out.
The problem was the Team Services was not disconnected from the associated Azure AD before it was unlinked. Then once it was unlinked, it appeared gone from Azure, leaving no way to disassociate Azure AD.
The documentation does show to first disconnect the VSTS account from Azure AD, and then “unlink” the account. Where I got into trouble was by using the new portal. (It's pretty hard to even find the old portal anymore, BTW.)
The new portal has this nice handy unlink button, which is practically irresistible. If clicking it, then it declares success. There is nothing in the UI that prevents you from unlinking while still leaving the AD association. There is no option at all in the new UI portal, as far as I could find, to disconnect Team Services from Azure AD.
Once unlinked, the only fix is to relink, and then redo it all in the old portal as is indicated by the documentation.
This is much more difficult than it should be because it seems like something that should be simple to achieve through the web UI. These posts helped me, but I wanted to add my 2 cents:
In order to disconnect VSTS from AAD you need to be able to use the disconnect button on the configure tab in the old portal seen here. However, you can only use that button if you're the VSTS account owner and if your account is not sourced from the currently linked active directory (i.e. - a MS Account). But you can't make the VSTS account owner a MS account if you've used the portal's interface to add the MS Account to your AAD as an external user. This is because external users are added as Guest account type by default (rather than Member type). If you try to set the MS account as VSTS owner you get the "AAD guest users are not allowed to be collection owners" message seen here.
It's a chicken/egg thing which is made more difficult by the fact that the official documents for this process make no mention of the conflict you'll face. They read as if this should just work.
The answer is that (as of today) you can't do this without using PowerShell or an AAD API to convert the MS Account from a "Guest" to a "Member" user type. There are a number of articles out there which walk through the older APIs to do this. Here is what I did with the latest PS:
First, log in to the directory you wish to unlink with an account which has permissions to modify members. Ideally an admin or owner.
Connect-AzureAD
Next, find the account you want to modify using this command:
Get-AzureADUser
Find the ObjectID of the user you want to convert from Guest to Member and then run this command:
Set-AzureADUser -ObjectId [ObjectID GUID Here] -UserType Member
This will convert the MS Account in the AAD you want to unlink to a 'member' type. In my situation I found that I had to remove the MS Account from VSTS and re-add it in order to trigger a refresh which allowed me to set it as account owner.
Now you just follow the documented steps:
set MS account as project owner. Save.
log in to old portal, go to configure tab, and disconnect
log back in everywhere to see the changes