Azure AD least-privilege permission for creating Service Principal from a multi-tenant application registration in another tenant

Arsen Vladimirskiy
2 min read · Jul 17, 2022

In this video, we look at what the least-privilege permission, or Azure AD role, is that an app identity needs in order to create a Service Principal from a multi-tenant application registration in another Azure AD tenant.

By least-privilege we mean that we don’t want our app identity to have the Application Administrator or Cloud Application Administrator roles at the scope of the full directory and don't want it to be able to delete or update service principals.

An example scenario for this requirement is a Continuous Integration (CI) testing automation workload that needs to create Service Principals from another Azure AD tenant programmatically — but we don’t want this CI app identity to have full application admin access.

You can see the code snippets used in the video at https://github.com/arsenvlad/azure-ad-permission-create-service-principal-from-another-tenant

Video Walkthrough

Tip: Play the video full screen or on YouTube to see all of the details.

User consent in the browser

The video above describes how an application can programmatically create a service principal after an implicit consent. If it is a user (not an application) that needs to create the service principal, the user can grant the required permissions via the Azure AD consent page by visiting:

https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/authorize?client_id=MULTI-TENANT_APPLICATION_ID&response_type=code

User’s consent in the browser
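The flow the post describes, as an added example that is not code from the post or from the linked GitHub repository: it builds the consent URL above and, for the programmatic path, creates the service principal in the target tenant through Microsoft Graph only if one for that app ID does not already exist. It assumes the caller already holds a Graph access token for the target tenant with whichever least-privilege grant the video arrives at; the transport is injectable so the flow can be exercised offline, and the IDs in comments are placeholders.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def consent_url(tenant_id: str, client_id: str) -> str:
    """Azure AD consent page for a user granting the multi-tenant app (URL shape from the post)."""
    query = urllib.parse.urlencode({"client_id": client_id, "response_type": "code"})
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?{query}"


def _urllib_http(method, url, headers, body=None):
    """Default transport: one HTTPS request to Microsoft Graph, returning (status, parsed JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def ensure_service_principal(app_id: str, token: str, http=_urllib_http) -> dict:
    """Create the service principal for app_id in the token's tenant if it is missing.

    Only a list (GET) and a create (POST) are ever issued: the CI identity never
    updates or deletes service principals, which is the least-privilege goal of the
    post. `token` is assumed to be a Graph token for the target tenant; `http` is
    the transport (swapped for a fake in tests).
    """
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    # Look up by appId first so a re-run of the CI job is idempotent.
    filt = urllib.parse.quote(f"appId eq '{app_id}'")
    status, page = http("GET", f"{GRAPH}/servicePrincipals?$filter={filt}", headers)
    if status != 200:
        raise RuntimeError(f"listing service principals failed: HTTP {status}")
    existing = page.get("value", [])
    if existing:
        return {"created": False, "id": existing[0]["id"]}
    # POST /servicePrincipals with the multi-tenant app's appId instantiates it here.
    status, sp = http("POST", f"{GRAPH}/servicePrincipals", headers, {"appId": app_id})
    if status != 201:
        raise RuntimeError(f"creating service principal failed: HTTP {status}")
    return {"created": True, "id": sp["id"]}
```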

Thank you!

Please leave feedback and questions below, on the YouTube video, or on Twitter https://twitter.com/ArsenVlad


Arsen Vladimirskiy

Principal Engineer / Architect, FastTrack for Azure at Microsoft