
How to grant a Service Principal read access to the Active Directory Groups?

Currently I am trying to read the ObjectId of an Active Directory Group from a GitHub Action where I am logged in with a Service Principal.

The Service Principal is a Contributor with the following additional permissions:

"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/read"

When running the following command with the Azure CLI:

az ad group show -g {NAME OF GROUP}

I receive the following output:

ValidationError: Insufficient privileges to complete the operation.
Error: Error: az cli script failed.

I have tried granting permission to the service principal through the Microsoft Graph API through the following permissions:

Directory.Read.All (Granted)
Group.Read.All (Granted)

However these are not sufficient to grant read permissions.

Two ways to fix the issue (the second one is recommended):

  1. This command essentially calls the Azure AD Graph, not Microsoft Graph, so the permission of Microsoft Graph will not take effect. What you need here is the Application permission (not Delegated permission) Directory.Read.All in Azure AD Graph.


  2. Another way is to give the Azure AD admin role to the service principal, e.g. Directory Readers. This role's permission is less than Directory.Read.All above, and AAD Graph is a supported legacy API, so the second way is recommended. After giving the role, wait for a while for it to take effect, then it will work fine.

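As an added example (not part of the original answer, and not Microsoft's own tooling), the recommended second option written as a Bash script around the Azure CLI: it resolves the service principal's object id, looks up the activated Directory Readers role through Microsoft Graph with `az rest`, adds the service principal as a member of that role, and then repeats the group lookup that failed in the question. The application id, group name and GUIDs are placeholders you substitute; it assumes an `az login` session held by an account allowed to manage directory role memberships, and `az ad sp show` returning the object id under the `id` key as current (Graph-based) Azure CLI versions do.

```shell
#!/usr/bin/env bash
# Added example: grant a service principal the Azure AD "Directory Readers" role
# via Microsoft Graph, then verify that `az ad group show` succeeds.
# Assumes an authenticated `az login` session with rights to manage directory roles.
set -euo pipefail

GRAPH="https://graph.microsoft.com/v1.0"

# Body Graph expects when adding a member to a directory role (POST .../members/$ref).
# Pure string builder, so it can be checked without a tenant.
member_ref_body() {
  printf '{"@odata.id":"%s/directoryObjects/%s"}' "$GRAPH" "$1"
}

# Graph URL that targets the membership collection of one directory role.
role_members_url() {
  printf '%s/directoryRoles/%s/members/$ref' "$GRAPH" "$1"
}

# Object id of the service principal (not the appId) for a given application id.
sp_object_id() {
  az ad sp show --id "$1" --query id -o tsv
}

# Object id of the *activated* Directory Readers role in this tenant
# (empty if the role has never been activated).
directory_readers_role_id() {
  az rest --method GET \
    --url "$GRAPH/directoryRoles?\$filter=displayName%20eq%20'Directory%20Readers'" \
    --query "value[0].id" -o tsv
}

# Add the service principal identified by APP_ID to the Directory Readers role.
assign_directory_readers() {
  local app_id="$1" sp_id role_id
  sp_id=$(sp_object_id "$app_id")
  role_id=$(directory_readers_role_id)
  if [ -z "$role_id" ]; then
    echo "Directory Readers role is not activated in this tenant; activate it first" >&2
    return 1
  fi
  az rest --method POST \
    --url "$(role_members_url "$role_id")" \
    --headers "Content-Type=application/json" \
    --body "$(member_ref_body "$sp_id")"
}

# The lookup from the question; prints the group's object id once the role is effective.
group_object_id() {
  az ad group show --group "$1" --query id -o tsv
}

# Usage (placeholders, run interactively after `az login`):
#   assign_directory_readers "00000000-0000-0000-0000-000000000000"
#   sleep 60   # role assignment takes a short while to propagate
#   group_object_id "NAME OF GROUP"
```

Directory Readers is a read-only directory role, which is why it is the least-privilege choice over the Azure AD Graph application permission: the GitHub workflow keeps Contributor on the subscription for its resource work and only gains directory read, nothing that can modify users, groups or role assignments. Adding a member to a directory role itself requires a privileged account (for example Privileged Role Administrator), so the POST is something an administrator runs once, not a step inside the pipeline.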
