Currently I am trying to read the ObjectId of an Active Directory Group from a GitHub Action where I am logged in with a Service Principal.
The Service Principal is a Contributor with the following additional permissions:
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/read"
When running the following command with the Azure CLI:
az ad group show -g {NAME OF GROUP}
I receive the following output:
ValidationError: Insufficient privileges to complete the operation.
Error: Error: az cli script failed.
I have tried granting permission to the service principal through the Microsoft Graph API through the following permissions:
Directory.Read.All (Granted)
Group.Read.All (Granted)
However, these are not sufficient to grant read permissions.
Two ways to fix the issue (the second one is recommended):

1. Azure AD Graph, not Microsoft Graph, is used here, so the permission of Microsoft Graph will not take effect; what you need here is the Application permission (not Delegated permission) Directory.Read.All in Azure AD Graph.

2. Directory Readers role: this role's permission is less than Directory.Read.All above, and AAD Graph is a supported legacy API, so the second way is recommended. After giving the role, wait for a while to take effect, then it will work fine.
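The second fix, adding the service principal to the Directory Readers role, scripted with `az rest` against Microsoft Graph. This is an added example, not code from the question or the answer; it assumes `az` is logged in as an account allowed to manage directory roles, that SP_OBJECT_ID holds the service principal's object id, and that the role template id below is the well-known Directory Readers template id (verify it in your tenant).

```shell
#!/bin/sh
# Added example: grant a service principal the Azure AD "Directory Readers" role.
# Assumptions: `az` is logged in as a directory-role administrator, SP_OBJECT_ID is
# the service principal object id, and the template id is the well-known one for
# Directory Readers (check it in your tenant before use).
set -eu

GRAPH="https://graph.microsoft.com/v1.0"
DIRECTORY_READERS_TEMPLATE="88d8e3e3-8f55-4a1e-953a-9b9898b8876b"

# URL that finds the activated directory role instance for a role template id.
role_lookup_url() {
  printf "%s/directoryRoles?\$filter=roleTemplateId eq '%s'" "$GRAPH" "$1"
}

# Body that activates a built-in role from its template (needed once per tenant).
activate_role_body() {
  printf '{"roleTemplateId": "%s"}' "$1"
}

# Body that adds a directory object (here the service principal) as a role member.
member_ref_body() {
  printf '{"@odata.id": "%s/directoryObjects/%s"}' "$GRAPH" "$1"
}

# Find (or activate) Directory Readers, then add the service principal to it.
# Directory Readers is tenant-wide read only, which is all `az ad group show` needs.
grant_directory_readers() {
  sp_object_id="$1"
  role_id=$(az rest --method get --url "$(role_lookup_url "$DIRECTORY_READERS_TEMPLATE")" \
              --query 'value[0].id' -o tsv)
  if [ -z "$role_id" ]; then
    role_id=$(az rest --method post --url "$GRAPH/directoryRoles" \
                --body "$(activate_role_body "$DIRECTORY_READERS_TEMPLATE")" \
                --query id -o tsv)
  fi
  az rest --method post --url "$GRAPH/directoryRoles/$role_id/members/\$ref" \
    --body "$(member_ref_body "$sp_object_id")"
  # Membership takes a few minutes to propagate before the CLI call succeeds.
}

# Usage: SP_OBJECT_ID=<object id> sh grant-directory-readers.sh
if [ -n "${SP_OBJECT_ID:-}" ]; then
  grant_directory_readers "$SP_OBJECT_ID"
fi
```

Check the result with `az rest --method get --url "$GRAPH/directoryRoles/<role id>/members"`, and remove the membership again if the pipeline later moves to a narrower permission.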