Vault Azure Secrets Engine - Service Principal Creation Fails (Graph API 400 Bad Request)

Hello Team,

I am facing an issue while generating dynamic credentials using the Vault Azure secrets engine. The request fails with a 500 error, and Vault is unable to create a service principal.

Command used: vault read azure/6fe37cb9-7f53/creds/ro

Error output: Error reading azure/6fe37cb9-7f53/creds/ro: Error making API request.

URL: GET /v1/azure/6fe37cb9-7f53/creds/ro
Code: 500

1 error occurred:
error creating service principal: autorest#WithErrorUnlessStatusCode:
POST https://graph.microsoft.com/v1.0/servicePrincipals failed with 400 Bad Request

Problem Summary: Vault internally calls the Microsoft Graph API to create a service principal, but that API call fails with a 400 Bad Request. Vault surfaces this as a 500 error. The failure consistently happens during the service principal creation step.

Environment Details: Vault version: 1.12.2
Azure subscription:
Secrets engine path: azure/6fe37cb9-7f53/
Deployment type: VM

Troubleshooting Done: I have already tried the following:

  • Verified Azure AD permissions on the Vault service principal: Application.ReadWrite.All, Directory.ReadWrite.All

  • Confirmed Vault Azure configuration (tenant ID, client ID, client secret)

  • Verified that the service principal used by Vault can create applications and service principals

  • Verified there are no conditional access policies blocking the request

  • Validated that credentials and tenant values are correct

Observations: The failure originates from the following Graph API call: POST https://graph.microsoft.com/v1.0/servicePrincipals

Azure returns a 400 Bad Request without much detail in the response. The issue persists across environments, which suggests this could be related to permissions, request payload, or Azure AD restrictions.

Questions:

  1. Has anyone encountered this issue with Vault Azure secrets engine where service principal creation fails with 400 Bad Request?

  2. Are there additional permissions required beyond Application.ReadWrite.All and Directory.ReadWrite.All?

  3. Is there a way to capture the full response body from the Microsoft Graph API for better debugging?

  4. Could this be related to existing application/service principal conflicts, Azure AD restrictions, or changes in Microsoft Graph API behavior?

Any guidance or suggestions on how to debug or resolve this issue would be greatly appreciated.
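The following script is an added example and is not part of the original post or of the Vault Azure plugin's own code. It addresses question 3 (capturing the full Microsoft Graph response body) by reproducing, with the same client credentials Vault is configured with, the Graph calls the plugin is assumed to make in sequence: create an application, then create a service principal that references that application's appId. It keeps the 400 error body that Vault's `autorest#WithErrorUnlessStatusCode` message drops, and it deletes the test application it created. The environment variable names, the `vault-debug-test` display name and the sample error body are constructed assumptions for illustration.

```python
"""Reproduce the Graph calls Vault's Azure secrets engine makes and keep the
full error body on failure (added example, not Vault plugin code)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for Graph, using the app Vault is configured with."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def graph_request(token, method, path, payload=None):
    """Call Graph and return (status, body). On HTTP errors the response body is
    read and returned instead of being discarded, which is the detail missing
    from Vault's 500 message."""
    req = urllib.request.Request(
        f"{GRAPH}{path}",
        method=method,
        data=None if payload is None else json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read().decode(errors="replace")
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        raw = e.read().decode(errors="replace")
        try:
            return e.code, json.loads(raw)
        except json.JSONDecodeError:
            return e.code, {"raw": raw}


def service_principal_payload(app_id):
    """Body assumed to match what the plugin sends when creating the SP."""
    return {"appId": app_id}


def summarize_graph_error(body):
    """Extract code, message and request-id from a Graph error body, or None
    if the body is not shaped like a Graph error. The request-id and date are
    what Microsoft support asks for when correlating a failed call."""
    err = body.get("error") if isinstance(body, dict) else None
    if not err:
        return None
    inner = err.get("innerError", {})
    return {
        "code": err.get("code"),
        "message": err.get("message"),
        "request_id": inner.get("request-id"),
        "date": inner.get("date"),
    }


# Constructed sample in the shape Graph uses for 4xx errors (not a real response).
SAMPLE_400_BODY = {
    "error": {
        "code": "Request_BadRequest",
        "message": "One or more properties contains invalid values.",
        "innerError": {
            "date": "2024-01-01T00:00:00",
            "request-id": "00000000-0000-0000-0000-000000000000",
        },
    }
}

if __name__ == "__main__":
    # Assumed variable names; leave them unset to run only the offline parser demo.
    tenant, cid, secret = (os.environ.get(k) for k in
                           ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"))
    if tenant and cid and secret:
        token = get_token(tenant, cid, secret)
        status, app = graph_request(token, "POST", "/applications",
                                    {"displayName": "vault-debug-test"})
        print("POST /applications ->", status, json.dumps(app, indent=2))
        if status == 201:
            status, body = graph_request(token, "POST", "/servicePrincipals",
                                         service_principal_payload(app["appId"]))
            print("POST /servicePrincipals ->", status, json.dumps(body, indent=2))
            print("summary:", summarize_graph_error(body))
            # Clean up the application created for this test.
            print("DELETE /applications ->", graph_request(token, "DELETE",
                                                           f"/applications/{app['id']}")[0])
    else:
        print("No credentials in environment; parser demo on a constructed body:")
        print(summarize_graph_error(SAMPLE_400_BODY))
```

If the second call returns the same 400 outside Vault, the returned `error.code`, `error.message` and `innerError.request-id` pinpoint which property or restriction Azure AD rejected; if it succeeds outside Vault, the difference lies in the plugin's configuration rather than in tenant permissions.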

Do you have an example of your vault secrets engine config? 400 I would think points to a misconfiguration causing the API request to fail.

This tutorial might help: