---
title: "Troubleshoot the Anyscale service principal"
description: "Diagnose Microsoft Entra service principal problems that block Anyscale on Azure cloud registration."
---

# Troubleshoot the Anyscale service principal

Anyscale on Azure requires a service principal of the Anyscale Entra application (app ID `086bc555-6989-4362-ba30-fded273e432b`) in your tenant. The quickstart creates this principal once per tenant in [Step 0a](https://learn.microsoft.com/azure/anyscale-on-azure/quickstart-azure-cli-gateway-envoy#0a-create-the-anyscale-service-principal). This page covers what to do when that step fails or the principal exists but authentication still fails.

For background on what the service principal is and how Anyscale uses it, see [Service principal for cloud registration](https://learn.microsoft.com/azure/anyscale-on-azure/identity-access#service-principal-for-cloud-registration).

## You don't have permission to create the service principal

`az ad sp create --id 086bc555-6989-4362-ba30-fded273e432b` fails when the signed-in user lacks an Entra directory role that permits creating service principals from external tenants.

Check your current identity and the directory roles assigned to you. The first command confirms which account and tenant you're signed in to. The second lists the Entra directory roles assigned to your account.

```bash
az account show --query '{user:user.name, tenantId:tenantId, subscription:name}' -o json
```

```bash
# Keep "@odata.type" in double quotes: JMESPath treats single-quoted text as a
# string literal, so '@odata.type' would never match a field and always return [].
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/me/memberOf?\$select=displayName,id" \
  --query "value[?\"@odata.type\"=='#microsoft.graph.directoryRole'].displayName" -o json
```

To create a service principal from an external tenant, you must hold one of the following Entra directory roles:

-   Global Administrator
-   Application Administrator
-   Cloud Application Administrator
-   Application Developer

If the output doesn't include any of these roles (an empty array, `[]`, means no directory roles are assigned to you at all), ask a **Privileged Role Administrator** or **Global Administrator** in your tenant to assign Application Administrator or Cloud Application Administrator. For the role assignment procedure, see [Assign Microsoft Entra roles to users](https://learn.microsoft.com/entra/identity/role-based-access-control/manage-roles-portal).

## The service principal exists but Anyscale can't authenticate

If `az ad sp show --id 086bc555-6989-4362-ba30-fded273e432b` returns a service principal but Anyscale cloud registration still fails on token verification, the most common cause is a tenant mismatch between the service principal and the AKS cluster.

The service principal must live in the same Entra tenant that owns the AKS cluster you're registering. Confirm the active tenant before creating, deleting, or inspecting the service principal:

```bash
az account show
```

If the active tenant doesn't match the tenant that owns the AKS cluster, switch context with `az account set --subscription <subscription-id>` and re-create the service principal in the correct tenant. The Anyscale operator validates JWTs from Entra ID using the tenant ID and principal ID together, so a mismatch causes authentication failures during cloud registration.
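The two checks on this page, the directory-role filter and the tenant comparison, applied offline to captured JSON from the `az rest` and `az account show` commands above. This is an added Python example, not code from the Microsoft Learn page or from Anyscale; the sample responses are constructed, and the AKS cluster's tenant ID is supplied by the caller rather than looked up.

```python
import json

# Entra directory roles that permit creating a service principal of an
# application registered in another tenant (the four roles listed above).
SP_CREATE_ROLES = {
    "Global Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
    "Application Developer",
}
DIRECTORY_ROLE_TYPE = "#microsoft.graph.directoryRole"

# Constructed /me/memberOf response (not real tenant data): memberOf mixes
# groups and directory roles, so the type discriminator must be checked.
SAMPLE_MEMBER_OF = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.group",
     "displayName": "Platform Team", "id": "00000000-0000-0000-0000-000000000001"},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "displayName": "Directory Readers", "id": "00000000-0000-0000-0000-000000000002"},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "displayName": "Cloud Application Administrator",
     "id": "00000000-0000-0000-0000-000000000003"},
]})

# Constructed `az account show` output, trimmed to the fields used here.
SAMPLE_ACCOUNT = json.dumps({"name": "Example Subscription",
                             "tenantId": "11111111-1111-1111-1111-111111111111"})


def directory_roles(member_of_json: str) -> list[str]:
    """Return the display names of directoryRole objects only; group
    memberships in the same response are ignored."""
    body = json.loads(member_of_json)
    return [obj["displayName"] for obj in body.get("value", [])
            if obj.get("@odata.type") == DIRECTORY_ROLE_TYPE]


def can_create_external_sp(roles: list[str]) -> bool:
    """True if at least one assigned role permits `az ad sp create --id <app-id>`."""
    return not SP_CREATE_ROLES.isdisjoint(roles)


def tenant_matches(account_show_json: str, aks_tenant_id: str) -> bool:
    """Compare the CLI's active tenant with the tenant that owns the AKS
    cluster (passed in by the caller). GUIDs compare case-insensitively."""
    active = json.loads(account_show_json)["tenantId"]
    return active.lower() == aks_tenant_id.strip().lower()


if __name__ == "__main__":
    roles = directory_roles(SAMPLE_MEMBER_OF)
    print("directory roles:", roles, "| can create external SP:", can_create_external_sp(roles))
    print("tenant matches:", tenant_matches(SAMPLE_ACCOUNT, "11111111-1111-1111-1111-111111111111"))
```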

## Related Azure docs

-   [Identity and access](https://learn.microsoft.com/azure/anyscale-on-azure/identity-access) covers the service principal, managed identities, and built-in role model end to end.
-   [Azure role requirements for setup](https://learn.microsoft.com/azure/anyscale-on-azure/identity-access#azure-role-requirements-for-setup) lists the Azure RBAC roles the quickstart runner needs in addition to the Entra directory role for service principal creation.
-   [Microsoft Entra built-in roles](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference) is the canonical reference for directory roles such as Application Administrator and Cloud Application Administrator.
