How to grant a Service Principal read access to the Active Directory Groups?
Currently I am trying to read the ObjectId of an Active Directory Group from a GitHub Action where I am logged in with a Service Principal.
The Service Principal is a Contributor with the following additional permissions:
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/read"
when running the following command with the Azure CLI:
az ad group show -g {NAME OF GROUP}
I receive the following output:
ValidationError: Insufficient privileges to complete the operation.
Error: Error: az cli script failed.
I have tried granting permission to the service principal through the Microsoft Graph API through the following permissions:
Directory.Read.All (Granted)
Group.Read.All (Granted)
However these are not sufficient to grant read permissions.
Solution
Two ways to fix the issue(the sceond one is recommended):
- This command essentially calls the
Azure AD GraphnotMicrosoft Graph, so the permission of Microsoft Graph will not take effect, what you need here is the Application permission(not Delegated permission)Directory.Read.AllinAzure AD Graph.
- Another way is to give the Azure AD admin role to the service principal, e.g.
Directory Readers, this role's permission is less thanDirectory.Read.Allabove, and AAD Graph is a Supported legacy API, so the second way is recommended. After giving the role, wait for a while to take effect, then it will work fine.
- AADSTS900971: No reply address provided. on SPA with http://localhost as redirect_uri
- Why my valid MS access_token can't be parsed with jwt.ms?
- Dynamic OpenIdConnectOptions for multi-tenancy in Asp.net Core 2.1-*
- Azure AD auth token refresh request blocked in iframe
- "Use a tenant-specific endpoint or configure the application to be multi-tenant" when signing into my Azure website
- BrowserAuthError: interaction_in_progress: Interaction is currently in progress with azure/msal-browser@2.11.2
- AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '<AppId>'
- Microsoft Password Reset - Pass parameter that contains redirect URI for after reset
- How to get SAML Signing Certificate data using Microsoft graph api
- Azure AD error: The client has requested access to a resource which is not listed in the requested permissions in the client's application registratio
- Python microsoft graph API - /callback error
- Getting MsalServiceException: 'AADSTS501461 when trying to access a Web API from a console app using Msal
- Why is "Application permissions" disabled in Azure AD's "Request API permissions"?
- PySpark to Azure SQL Database connection issue
- Roles for a SPA and API setup in Microsoft Intra ID
- Getting a token from Microsoft Intra ID with PostMan using MFA
- I receive the error AADSTS50020 when authenticating in an azure app registration
- n8n Microsoft Graph OAuth2 login still fails after admin consent
- Get AD security groups in NGINX through OAuth2
- Where can I find my Azure Correlation Id and Request ID?
- management.azure.com/providers/Microsoft.Capacity/reservationOrders PassthroughTokenValidationFailed Error
- Should deleted application in Enterprise app be also deleted in App registration within Azure AD?
- PowerShell script intended to pull all users' emails belonging to a specific security group in AD is creating a blank CSV
- Custom claims for user from any tenant
- Twitter social login issue with Azure AD B2C - Forbidden
- Azure AD client credentials generated token does not have claims
- IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey
- Federated Credential to be used by Multiple Repositories - Github Actions
- How can I retrieve all users from Azure Active Directory
- How to add Company name as a field on a Sign up User Flow?