Several Azure AD. New-MsolServicePrincipal : Access Denied

我在风中等你 2021-01-15 17:08

I want to set my Azure Active Directory as an identity provider for SharePoint 2013 Foundation. I activated an Azure trial from an account that is a part of another infrastructure

1 answer
  •  小蘑菇 (original poster)
    2021-01-15 17:50

    When you connect to Azure AD PowerShell using Connect-MsolService, the username you use to sign in will define which directory you are working in. External users (users originally from one directory present in a second directory) cannot be used.

    Say, for instance, you have user bob@contoso.com, in a directory which we'll identify by the verified domain name contoso.com. If bob@contoso.com uses the Azure portal to create a new directory (identified here by its initial domain name fabrikam.onmicrosoft.com), the first user (and admin) will be an external user bob@contoso.com.

    In order to connect to Azure AD PowerShell in the context of fabrikam.onmicrosoft.com, a new "native" user needs to be created in that directory. So, for instance, if admin@fabrikam.onmicrosoft.com is created as an admin in fabrikam.onmicrosoft.com, that new user account would be able to sign in to Azure AD PowerShell and create a new service principal.

    Note: You can always confirm which directory you're working in by using Get-MsolCompanyInformation.
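
The check described in the answer above, as an added PowerShell example that is not part of the original post: it refuses to create the service principal unless the session is bound to the intended directory. It assumes the MSOnline module is installed; the function name Test-MsolDirectoryContext and the service principal display name and SPN are constructed placeholders, and the domain is the answer's sample name.

```powershell
# Added example (not from the original answer). Assumes the MSOnline module.
Import-Module MSOnline

# Directory you intend to modify (sample name taken from the answer).
$ExpectedInitialDomain = 'fabrikam.onmicrosoft.com'

# Hypothetical helper: reports which directory the current session is bound to.
function Test-MsolDirectoryContext {
    param(
        [Parameter(Mandatory)] [string] $ExpectedInitialDomain,
        [Parameter(Mandatory)] [string] $SignInName
    )
    $company = Get-MsolCompanyInformation
    [pscustomobject]@{
        SignInName         = $SignInName
        ConnectedDirectory = $company.DisplayName
        InitialDomain      = $company.InitialDomain
        # Domains registered in the directory this session is working in.
        DirectoryDomains   = (Get-MsolDomain | Select-Object -ExpandProperty Name) -join ', '
        # -eq is case-insensitive for strings in PowerShell.
        IsExpectedTenant   = ($company.InitialDomain -eq $ExpectedInitialDomain)
    }
}

# Sign in with a user created in the target directory,
# e.g. admin@fabrikam.onmicrosoft.com, not the external bob@contoso.com.
$cred = Get-Credential -Message 'Native admin of the target directory'
Connect-MsolService -Credential $cred

$ctx = Test-MsolDirectoryContext -ExpectedInitialDomain $ExpectedInitialDomain `
                                 -SignInName $cred.UserName
$ctx | Format-List

if (-not $ctx.IsExpectedTenant) {
    throw ("Session is bound to '{0}', not '{1}'. Sign in with a user created in the target directory." -f
           $ctx.InitialDomain, $ExpectedInitialDomain)
}

# Only reached when the session is in the intended directory.
# DisplayName and SPN below are constructed placeholders.
New-MsolServicePrincipal -DisplayName 'SharePoint 2013 (placeholder)' `
                         -ServicePrincipalNames @('placeholder/sharepoint.example.test')
```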
