App Registration

Krzysztof Raczka 0 Reputation points
2025-08-06T11:23:02.5766667+00:00

Hi

I have created an App Registration, then I gave access to various resources on Azure to this service principal.

When running

az role assignment list --assignee "{clientId}"

it returns an empty list of roles assigned to this app registration, and it doesn't authorize access to the service.

Can you help?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

2 answers

  1. Manu Philip 20,461 Reputation points MVP Volunteer Moderator
    2025-08-06T11:48:35.9266667+00:00

    Hi Krzysztof Raczka

    I think the Reader role is missing for reading the list.

    Assign a Reader role to the application at the scope of Subscription Level using the following command:

    az role assignment create --assignee <APP_ID> --role "Reader" --scope /subscriptions/<SUBSCRIPTION_ID>  
    

    After that, check if the issue is resolved:

    az role assignment list --assignee <Application-id or Object-Id of application>
    

    Hope this helps.


    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator
    2025-08-19T06:59:12.9066667+00:00

    Hi Krzysztof Raczka,

    Thank you for posting your query on Microsoft Q&A.

    As per our understanding, you have created an App Registration and assigned access to various Azure resources for its service principal. However, when you check the roles assigned to the app registration, it shows no roles, and the app is not authorized to access the resources.

    This happens because Azure RBAC roles are assigned to the service principal, not the app registration itself. If the service principal does not exist or you are using the wrong ID (application object ID instead of service principal ID), you will see an empty roles list.

    In addition to Manu Philip, please check if the below information is helpful to fix the issue.

    Please refer to:

    Register a Microsoft Entra app and create a service principal

    Assign Azure roles using the Azure portal

    To fix this issue, please follow these steps:

    1. Check if the Service Principal exists
      • In Azure Portal, go to Azure Active Directory > Enterprise Applications.
      • Search for your app registration name. If not found, the service principal does not exist yet.

    2. Create the Service Principal if missing
      • Use Azure CLI to create it:

    az ad sp create --id <ApplicationId>

    3. Assign the required role to the Service Principal
      • Via Azure Portal: Go to the resource or subscription > Access control (IAM) > Add role assignment.
      • Select the role (e.g., Reader), choose User, group, or service principal, and select your app’s service principal.
      • Azure CLI:

    az role assignment create --assignee <ServicePrincipalId> --role Reader --scope /subscriptions/<subscriptionId>

    4. Verify the role assignments
      • Azure CLI:

    az role assignment list --assignee <ServicePrincipalId>

    Assigning roles to the correct service principal and verifying its existence will resolve the authorization issues.

    Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.

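A diagnostic for the symptom in this thread, as an added example that is not part of the question or either answer: it separates "no service principal" from "assignments exist but are not shown". It relies on `az role assignment list` displaying only subscription-scoped assignments unless `--all` is given; the function names and status words are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): explain why
#   az role assignment list --assignee <appId>
# comes back empty. Function names and status words are illustrative.

# Print the object ID of the service principal behind an application (client) ID.
# Fails when the app registration has no service principal in this tenant.
sp_object_id() {
  az ad sp show --id "$1" --query id -o tsv 2>/dev/null
}

# Count role assignments for a principal; extra az flags follow the ID.
count_roles() {
  principal="$1"; shift
  az role assignment list --assignee "$principal" "$@" --query "length(@)" -o tsv
}

# Print one status word:
#   NO_SERVICE_PRINCIPAL  create one with: az ad sp create --id <appId>
#   NO_ASSIGNMENTS        none found even with --all; also confirm the active
#                         subscription with: az account show
#   BELOW_SUBSCRIPTION    roles exist, but only at resource group or resource
#                         scope, which the default listing does not show
#   OK                    roles are visible at subscription scope
diagnose_sp_roles() {
  app_id="$1"
  sp_id="$(sp_object_id "$app_id")" || sp_id=""
  if [ -z "$sp_id" ]; then echo NO_SERVICE_PRINCIPAL; return 1; fi

  at_sub="$(count_roles "$sp_id")"          # default: subscription scope only
  anywhere="$(count_roles "$sp_id" --all)"  # every scope in the subscription

  if [ "$anywhere" -eq 0 ]; then echo NO_ASSIGNMENTS; return 1; fi
  if [ "$at_sub" -eq 0 ]; then echo BELOW_SUBSCRIPTION; return 0; fi
  echo OK
}

# Run as a script: ./diagnose.sh <appId>
if [ "$#" -gt 0 ]; then diagnose_sp_roles "$1"; fi
```

A `BELOW_SUBSCRIPTION` result means the roles are in place and can be listed with `az role assignment list --assignee <ServicePrincipalId> --all`.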
