Azure - az aks cli azure ad error

I have two different Azure Ad tenants

First one is foo

Second one is bar

and one subscription

Name is baz

Account administrator seems as  foo at Management & Billing Overview service section. 

When I change directory into bar from portal i can see baz at  Other subscriptions from Cost Management & Billing. 

When I execute command below at bar's shell, I can see that owner of the subscription is foo

azure account show

When I execute command below I'm having error "directory permission is needed for the current user to register the application" 

az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 1 --generate-ssh-keys

So I wanna take everything to foo create my Azure Kubernetes Service. What should I have to do.  Any ideas? 

1 answer

  • answered 2018-03-14 01:57 Jason Ye

    According to your error message, it seems your account doesn't have permissions in your second AAD tenant to create new application registrations.

    Please check your account's directory role in second Azure AD(Global admin).

    Also, if you can't set your account as Global admin, please check your AAD user settings -> App registrations, set to Yes , if set to Yes, non-admin users can register AD apps.


    Hope this helps.


    You can check AD role here(also your admin can change this settings):

    enter image description here