
403 Insufficient Privileges error received when calling applications.updatePasswordCredentials

I am trying to delete Service principal keys. I can achieve this with Graph Explorer by sending a PATCH command to the https://graph.windows.net/.../applications/.../passwordCredentials endpoint.

When I call this, I see the keys for the Application updated to match those I passed into the patch command.

However, when I send the same data using client.applications.updatePasswordCredentials in the SDK, I get a 403 error (see below for full details).

I have tried granting the Service Principal I am connecting with all AD and graph rights.

    at client.pipeline (/home/turbot/turbot/node_modules/azure-graph/lib/operations/applications.js:1306:19)
    at retryCallback (/home/turbot/turbot/node_modules/ms-rest/lib/filters/systemErrorRetryPolicyFilter.js:89:9)
    at retryCallback (/home/turbot/turbot/node_modules/ms-rest/lib/filters/exponentialRetryPolicyFilter.js:140:9)
    at handleRedirect (/home/turbot/turbot/node_modules/ms-rest/lib/filters/redirectFilter.js:39:9)
    at /home/turbot/turbot/node_modules/ms-rest-azure/lib/filters/rpRegistrationFilter.js:59:14
    at Request.defaultRequest [as _callback] (/home/turbot/turbot/node_modules/ms-rest/lib/requestPipeline.js:125:16)
    at Request.self.callback (/home/turbot/turbot/node_modules/request/request.js:186:22)
    at emitTwo (events.js:126:13)
    at Request.emit (events.js:214:7)
    at Request.<anonymous> (/home/turbot/turbot/node_modules/request/request.js:1163:10)
    at emitOne (events.js:121:20)
    at Request.emit (events.js:211:7)
    at IncomingMessage.<anonymous> (/home/turbot/turbot/node_modules/request/request.js:1085:12)
    at Object.onceWrapper (events.js:313:30)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1056:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)

[message]: undefined,
  statusCode: 403,
  request: 
   { rawResponse: false,
     queryString: {},
     url: 'https://graph.windows.net/0fae5fbb-c4cf-4d04-9e13-a1260e9fd8f8/applications/73e9c5af-d275-4ad7-b71f-becad04b7be9/passwordCredentials?api-version=1.6',
     method: 'PATCH',
     headers: 
      { 'Content-Type': 'application/json; charset=utf-8',
        'x-ms-client-request-id': '98091249-5f4f-4785-95f7-2e9d67fbb725',
        'accept-language': 'en-US',
        'user-agent': 'Node/v8.9.1 (x64-Linux-4.4.0-53-generic) ms-rest/2.2.7 ms-rest-azure/2.4.5 azure-graph/2.2.0 Azure-SDK-For-Node' },
     body: '{"value":[{"startDate":"2017-12-18T11:32:56.147Z","endDate":"2299-12-31T00:00:00.000Z","keyId":"30fbe2b4-bb76-4815-a5fa-0eaf98fae48e"}]}' },
  response: 
   { body: '{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}',
     headers: 
      { 'cache-control': 'no-cache',
        pragma: 'no-cache',
        'content-type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8',
        expires: '-1',
        server: 'Microsoft-IIS/8.5',
        'ocp-aad-diagnostics-server-name': 'iNQLRKPaViSNJPZgwTkFBErZ9++/HsuTPOY6L+sp4p4=',
        'request-id': '58ab05a5-aa02-4d83-92ab-ed4d3881af04',
        'client-request-id': '2f95e0e8-aa82-470b-ac2f-490821223488',
        'x-ms-dirapi-data-contract-version': '1.6',
        'ocp-aad-session-key': 'Dqu5YMU56a2Vd00HfElkiGGyaAgJUBJ4beMeiGxWwPog12zcc60p37_unyDNTvRKHJD6uhVzvRr-4pRs-hj3_M5QlLLoRvU3bZwhJIRAKcXopgK2F-d8qaIL6bOpHuI8.SNRXz1kBMRkftzh0u9D-6xtPQItn9Lom6toxEudXUQo',
        'x-content-type-options': 'nosniff',
        dataserviceversion: '3.0;',
        'strict-transport-security': 'max-age=31536000; includeSubDomains',
        'access-control-allow-origin': '*',
        'x-aspnet-version': '4.0.30319',
        'x-powered-by': 'ASP.NET, ASP.NET',
        duration: '2993198',
        date: 'Mon, 18 Dec 2017 12:23:18 GMT',
        connection: 'close',
        'content-length': '139' },
     statusCode: 403 },
  code: undefined,
  body: 
   { code: 'Authorization_RequestDenied',
     message: 'Insufficient privileges to complete the operation.' } }

Top GitHub Comments

1 reaction
amarzavery commented, Jan 2, 2018

@kaidaguerre - We were able to find out the problem.

For a service principal to be able to update the password of another service principal, it needs to

  • be an owner of that service principal (Today, this happens only when you are logged in as the primary service principal and created the other service principal)
  • have at least 4 permissions from the Windows Azure Active Directory API, and one needs to grant permissions to that sp

I will go step by step.

Iteration 1

  1. We created a service principal (testsp876), set 4 Application Permissions, saved the changes and then clicked on grant permissions (To grant permissions, you must be a global admin user in the tenant).
  2. After that we logged in as that service principal (testsp876) and created another service principal (testsp2).
  3. Then we tried to update the password credentials of that sp (testsp2) and were able to do that successfully.
  4. We could also see testsp876 as the owner of testsp2 in the portal. However, there seems to be a bug in the portal or it may be by design (not sure). We were not able to manually add any other sp as the owner. It only allowed us to add users (humans) as owner of that sp.

Iteration 2

  1. We logged in as service principal (testsp876) and then tried to update the password credentials of service principal (foosp45). The only difference is that testsp876 did not create this sp (foosp45). Now we get the 403 insufficient privileges error.

So it looks like only if SP A created SP B can SP A update SP B’s credentials. In short, it needs to be an owner.

Hope that helps.
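An added example (not the issue author's code and not part of the azure-graph SDK) that applies the two findings above in plain JavaScript: it refuses the update up front when the caller is not in the target's owner list, builds the PATCH body that retires one key by resending the remaining ones (the replacement semantics the issue author observed), and treats the 403 Authorization_RequestDenied shown on this page as a permission problem rather than something to retry. The owner-object shape, the helper names and all sample values are assumptions or constructed data.

```javascript
// Added example (not from the issue or the azure-graph SDK). Runs offline on
// constructed data shaped like the Azure AD Graph v1.6 payloads shown above.

// The endpoint replaces the whole passwordCredentials collection with what is
// sent, so retiring one key means sending every credential except that one.
function buildRemovalPatch(existingCreds, keyIdToRemove) {
  const remaining = existingCreds.filter((c) => c.keyId !== keyIdToRemove);
  if (remaining.length === existingCreds.length) {
    throw new Error(`keyId ${keyIdToRemove} not found; refusing to send a no-op replacement`);
  }
  return { value: remaining };
}

// Ownership pre-flight: `owners` is assumed to be the objects returned by the
// target's /owners navigation; the caller must appear there by objectId.
function callerIsOwner(owners, callerObjectId) {
  return owners.some((o) => o.objectId === callerObjectId);
}

// Plan the update: refuse when the caller is not an owner, since the service
// would answer 403 Authorization_RequestDenied anyway (the maintainer's finding).
function planRemoval(owners, callerObjectId, existingCreds, keyIdToRemove) {
  if (!callerIsOwner(owners, callerObjectId)) {
    return { ok: false, reason: `caller ${callerObjectId} is not an owner of the target` };
  }
  return { ok: true, body: buildRemovalPatch(existingCreds, keyIdToRemove) };
}

// Classify an SDK error object of the shape on this page so that a permission
// denial is surfaced as such rather than retried like a transient failure.
function classifyGraphError(err) {
  const code = err && err.body ? err.body.code : undefined;
  if (err.statusCode === 403 && code === 'Authorization_RequestDenied') {
    return { retryable: false, reason: 'caller lacks ownership of the target or granted directory permissions' };
  }
  if (err.statusCode === 429 || err.statusCode >= 500) {
    return { retryable: true, reason: 'transient service error' };
  }
  return { retryable: false, reason: `unexpected ${err.statusCode} ${code}` };
}

// Constructed sample input (not real tenant values).
const SAMPLE_CREDS = [
  { startDate: '2017-12-18T11:32:56.147Z', endDate: '2299-12-31T00:00:00.000Z', keyId: 'key-aaaa' },
  { startDate: '2017-06-01T00:00:00.000Z', endDate: '2018-06-01T00:00:00.000Z', keyId: 'key-bbbb' },
];
const SAMPLE_OWNERS = [{ objectType: 'ServicePrincipal', objectId: 'sp-caller-0001' }];
const SAMPLE_403 = { statusCode: 403, body: { code: 'Authorization_RequestDenied', message: 'Insufficient privileges to complete the operation.' } };
```

In a real run the owner list would come from the target's owners navigation and the error object from the SDK callback; only the two helpers change, not the decision logic.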

0 reactions
amarzavery commented, Feb 28, 2018

Closing this issue based on the above comments.
