
How to grant a Service Principal read access to the Active Directory Groups?


Currently I am trying to read the ObjectId of an Active Directory Group from a GitHub Action where I am logged in with a Service Principal.

The Service Principal is a Contributor with the following additional permissions:

"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/read"

When running the following command with the Azure CLI:

az ad group show -g {NAME OF GROUP}

I receive the following output:

ValidationError: Insufficient privileges to complete the operation.
Error: Error: az cli script failed.

I have tried granting permission to the service principal through the Microsoft Graph API with the following permissions:

Directory.Read.All (Granted)
Group.Read.All (Granted)

However, these are not sufficient to grant read permissions.


Solution

  • Two ways to fix the issue (the second one is recommended):

    1. This command essentially calls the Azure AD Graph, not Microsoft Graph, so the permission of Microsoft Graph will not take effect; what you need here is the Application permission (not Delegated permission) Directory.Read.All in Azure AD Graph.


    2. Another way is to give the Azure AD admin role to the service principal, e.g. Directory Readers. This role's permission is less than Directory.Read.All above, and AAD Graph is a supported legacy API, so the second way is recommended. After giving the role, wait for a while for it to take effect, then it will work fine.

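As an added example (not code from the question or the answer), the following POSIX shell helper is the kind of step I would put in the GitHub Actions job after assigning the Directory Readers role: the answer notes that the role takes a while to take effect, so the group lookup is retried instead of failing the workflow on the first "Insufficient privileges" error. It assumes the az CLI is installed and already logged in with the service principal (in GitHub Actions, usually via the azure/login step); the function name lookup_group_id, the AZ override variable and the retry defaults are my own choices. The JMESPath expression `objectId || id` covers both the legacy CLI, which returns the group id under objectId, and newer CLI builds that return it under id.

```shell
#!/usr/bin/env sh
# Added example: wait for a directory-role assignment to propagate by retrying
# the group lookup, then print the group's object id for later workflow steps.
# Assumes `az login --service-principal ...` has already succeeded.

# AZ can be overridden (e.g. with a shell function) so the retry logic can be
# exercised without a real az binary or an Azure tenant.
: "${AZ:=az}"

# lookup_group_id GROUP_NAME [MAX_ATTEMPTS] [SLEEP_SECONDS]
# Prints the object id on success (exit 0); exits 1 after MAX_ATTEMPTS failures.
lookup_group_id() {
    group="$1"
    max_attempts="${2:-10}"
    delay="${3:-30}"
    attempt=1
    while [ "$attempt" -le "$max_attempts" ]; do
        # Legacy CLI (Azure AD Graph) exposes the id as objectId; CLI versions
        # that moved to Microsoft Graph expose it as id. `||` picks whichever
        # is non-null. Errors (including "Insufficient privileges") go to
        # /dev/null here because a non-zero exit is what we branch on.
        if id="$($AZ ad group show --group "$group" --query "objectId || id" -o tsv 2>/dev/null)" \
           && [ -n "$id" ]; then
            printf '%s\n' "$id"
            return 0
        fi
        echo "attempt $attempt/$max_attempts: group lookup failed (role not yet effective or group not found), retrying in ${delay}s" >&2
        attempt=$((attempt + 1))
        [ "$attempt" -le "$max_attempts" ] && sleep "$delay"
    done
    echo "giving up after $max_attempts attempts; check the Directory Readers role assignment" >&2
    return 1
}

# Stand-alone usage: ./wait-for-group.sh "NAME OF GROUP" [attempts] [seconds]
if [ "$#" -gt 0 ]; then
    lookup_group_id "$@"
fi
```

In a workflow, capture the printed id into an output or environment variable and keep the attempt and delay values modest; if the lookup still fails after several minutes, the cause is almost certainly the missing directory role rather than propagation delay, and the stderr message makes that visible in the job log.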