Azure Secrets Engine – “Error creating service principal” (Graph API 400 Bad Request) when trying to generate dynamic credential

Hi team,

I am currently facing an issue with the Azure Secrets Engine in Vault v1.12.2.
Whenever I try to read credentials from a role, Vault fails with a 500 and the following error:

Error reading azure/<mount-path>/creds/ro: Error making API request.

URL: GET http://<vault-address>:443/v1/azure/<mount-path>/creds/ro
Code: 500. Errors:

* error creating service principal: autorest#WithErrorUnlessStatusCode:
  POST https://graph.microsoft.com/v1.0/servicePrincipals failed with 400 Bad Request

(Attaching screenshot for clarity.)

I have configured the Azure secrets engine so that Vault can create service principals dynamically.
Below are the permissions and roles I have already assigned:

Azure RBAC
  • User Access Administrator role
  • Access granted to the Service Principal used by Vault
  • Role condition: Assume any role (highly privileged)

Microsoft Graph API Application Permissions
  • Application.ReadWrite.All
  • Group.ReadWrite.All
  • Directory.ReadWrite.All

Admin consent has also been granted for all of these.

However, Vault still fails with the 400 Bad Request when it tries to create a service principal.

  • Vault version: 1.12.2
  • Azure secrets engine is mounted at a custom path
  • Using client_id / client_secret authentication, not MSI

What I am trying to achieve

Create Azure dynamic credentials using the azure/…/creds/<role> endpoint.

What I’ve already checked

  • Admin consent for Graph API permissions
  • Correct secret value used (not the secret ID)
  • SP has permissions to create App registrations
  • Valid tenant, subscription, client_id, client_secret in azure/config
  • Network access to Microsoft Graph is open

Request for Help

Has anyone experienced similar 400 Bad Request errors when Vault attempts to create a service principal?

  • Is there anything special required in the Azure tenant configuration?
  • Does the Vault SP need to be assigned an Azure AD directory role (such as Application Administrator)?
  • Could this be related to conditional access / restrictions on app registrations?
  • Any additional debugging steps recommended?

Any guidance or similar experiences would be greatly appreciated.
Thanks in advance!
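As an added diagnostic, not part of the original post: a small script that inspects the client-credentials token the Vault service principal obtains and reports whether it is scoped to Microsoft Graph and whether the three Graph application permissions listed above actually appear in its roles claim. The sample token it builds is constructed and unsigned (offline test only); REQUIRED_ROLES assumes the permission set named in the post, and a real token would be passed in as the first argument.

```python
"""Check that an Azure app-only token carries the Graph application
permissions the Vault azure secrets engine relies on.

A real token comes from the v2.0 token endpoint requested with scope
https://graph.microsoft.com/.default; admin-consented application
permissions show up in its 'roles' claim. The token built here is a
constructed, unsigned JWT used only to exercise the parsing offline."""
import base64
import json
import sys
from typing import Dict, List

# Assumed: the three Graph application permissions named in the post.
REQUIRED_ROLES = ["Application.ReadWrite.All", "Group.ReadWrite.All",
                  "Directory.ReadWrite.All"]
# Both forms of the Graph audience seen in Azure AD tokens.
GRAPH_AUDIENCES = ("https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000")

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token: str) -> Dict:
    """Return the JWT payload. No signature check: this only inspects what
    the token claims, it is not an authentication step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def missing_roles(token: str, required: List[str] = REQUIRED_ROLES) -> List[str]:
    """Required application permissions absent from the roles claim."""
    roles = set(token_claims(token).get("roles", []))
    return [r for r in required if r not in roles]

def is_graph_audience(token: str) -> bool:
    """True when the token was issued for Microsoft Graph (aud claim)."""
    return token_claims(token).get("aud", "") in GRAPH_AUDIENCES

def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed, unsigned JWT (alg none) for offline testing."""
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    tok = sys.argv[1] if len(sys.argv) > 1 else make_unsigned_token(
        {"aud": GRAPH_AUDIENCES[0], "roles": ["Application.ReadWrite.All"]})
    print("graph audience:", is_graph_audience(tok))
    print("missing roles:", missing_roles(tok))
```

If the token passes both checks, the permissions side is fine; a Graph 400 (as opposed to a 403 for insufficient privileges) then points at the request itself or at tenant policy rather than at consent.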