Troubleshoot the Anyscale service principal
Anyscale on Azure requires a service principal of the Anyscale Entra application (app ID 086bc555-6989-4362-ba30-fded273e432b) in your tenant. The quickstart creates this principal once per tenant in Step 0a. This page covers what to do when that step fails or the principal exists but authentication still fails.
For background on what the service principal is and how Anyscale uses it, see Service principal for cloud registration.
You don't have permission to create the service principal
az ad sp create --id 086bc555-6989-4362-ba30-fded273e432b fails when the signed-in user lacks an Entra directory role that permits creating service principals from external tenants.
Check your current identity and the directory roles assigned to you. The first command confirms which account and tenant you're signed in to. The second lists the Entra directory roles assigned to your account.
az account show --query '{user:user.name, tenantId:tenantId, subscription:name}' -o json
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/me/memberOf?\$select=displayName,id" \
  --query "value[?\"@odata.type\"=='#microsoft.graph.directoryRole'].displayName" -o json
To create a service principal from an external tenant, you must hold one of the following Entra directory roles:
- Global Administrator
- Application Administrator
- Cloud Application Administrator
- Application Developer
If the second command returns an empty array ([]), none of these roles are active on your account. Note that memberOf lists direct memberships only: a role assigned through a role-assignable group appears under that group rather than as a directoryRole entry, and a role you hold as PIM-eligible doesn't appear until you activate it. If you genuinely lack a qualifying role, ask a Privileged Role Administrator or Global Administrator in your tenant to assign Application Administrator or Cloud Application Administrator. For the role assignment procedure, see Assign Microsoft Entra roles to users.
The service principal exists but Anyscale can't authenticate
If az ad sp show --id 086bc555-6989-4362-ba30-fded273e432b returns a service principal but Anyscale cloud registration still fails on token verification, the most common cause is a tenant mismatch between the service principal and the AKS cluster.
The service principal must live in the same Entra tenant that owns the subscription containing the AKS cluster you're registering. az ad commands operate in the tenant of the active subscription, so confirm that tenant before creating, deleting, or inspecting the service principal:
az account show --query '{tenantId:tenantId, subscription:name}' -o json
If the active tenant doesn't match the tenant that owns the AKS cluster, switch context with az account set --subscription <subscription-id> (if that subscription isn't listed by az account list, run az login --tenant <tenant-id> first) and create the service principal again in the correct tenant. The Anyscale operator validates the Entra ID JWT using the tenant ID and the service principal ID together, so a principal created in a different tenant fails verification during cloud registration even though az ad sp show finds it.
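The following script is an added example, not part of the Anyscale documentation or tooling. It ties together the checks from both sections above (directory role, tenant match, service principal presence) into one diagnosis. The az CLI calls run only when az is installed and AKS_SUBSCRIPTION_ID (an assumed variable naming the subscription that holds the AKS cluster, and therefore the tenant that owns it) is set; the classification logic is separated so it can be exercised with constructed values.

```bash
#!/usr/bin/env bash
# Added example (not Anyscale's own tooling): diagnose why the Anyscale
# service principal can't be created or can't authenticate.
set -u

ANYSCALE_APP_ID=086bc555-6989-4362-ba30-fded273e432b

# Lowercase and trim a value so GUIDs from different az commands compare equal.
normalize_guid() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'
}

# 0 when both inputs are well-formed GUIDs and identical, 1 otherwise.
same_tenant() {
  local a b
  a=$(normalize_guid "$1")
  b=$(normalize_guid "$2")
  case "$a" in
    ????????-????-????-????-????????????) [ "$a" = "$b" ] ;;
    *) return 1 ;;
  esac
}

# 0 when any line of $1 (newline-separated role names) is one of the
# directory roles this page lists as able to create the principal.
has_sp_creator_role() {
  printf '%s\n' "$1" | grep -Fxq \
    -e "Global Administrator" \
    -e "Application Administrator" \
    -e "Cloud Application Administrator" \
    -e "Application Developer"
}

# Classify the situation from the four values the page tells you to compare.
# Prints one of: ok, tenant-mismatch, sp-missing, no-directory-role.
diagnose() {
  local roles="$1" active_tenant="$2" aks_tenant="$3" sp_object_id="$4"
  if ! same_tenant "$active_tenant" "$aks_tenant"; then
    echo tenant-mismatch        # az ad commands target the wrong tenant
    return 1
  elif [ -n "$sp_object_id" ]; then
    echo ok                     # principal exists in the cluster's tenant
  elif has_sp_creator_role "$roles"; then
    echo sp-missing             # you can run: az ad sp create --id $ANYSCALE_APP_ID
    return 1
  else
    echo no-directory-role      # ask for Application Administrator or similar
    return 1
  fi
}

# Live check against the signed-in az session. Assumes AKS_SUBSCRIPTION_ID is
# the subscription that contains the AKS cluster; the Entra tenant owning that
# subscription is the tenant that must hold the service principal.
run_live_check() {
  local roles active_tenant aks_tenant sp_object_id
  roles=$(az rest --method GET \
    --url "https://graph.microsoft.com/v1.0/me/memberOf?\$select=displayName,id" \
    --query "value[?\"@odata.type\"=='#microsoft.graph.directoryRole'].displayName" \
    -o tsv 2>/dev/null || true)
  active_tenant=$(az account show --query tenantId -o tsv)
  aks_tenant=$(az account show --subscription "$AKS_SUBSCRIPTION_ID" --query tenantId -o tsv)
  # az ad sp show exits non-zero when the principal is absent; treat that as empty.
  sp_object_id=$(az ad sp show --id "$ANYSCALE_APP_ID" --query id -o tsv 2>/dev/null || true)
  diagnose "$roles" "$active_tenant" "$aks_tenant" "$sp_object_id"
}

if command -v az >/dev/null 2>&1 && [ -n "${AKS_SUBSCRIPTION_ID:-}" ]; then
  run_live_check
fi
```

Run it as AKS_SUBSCRIPTION_ID=<subscription-id> bash diagnose-sp.sh after az login. The tenant comparison is checked first because a principal that exists in the wrong tenant looks healthy to az ad sp show but still fails token verification; the role check only matters once you know the principal is missing from the correct tenant.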
Related Azure docs
- Identity and access covers the service principal, managed identities, and built-in role model end to end.
- Azure role requirements for setup lists the Azure RBAC roles the quickstart runner needs in addition to the Entra directory role for service principal creation.
- Microsoft Entra built-in roles is the canonical reference for directory roles such as Application Administrator and Cloud Application Administrator.