minimum permissions that are required for serviceprincipal account to enumerate user profile info
what permissions does the service principal need to enumerate user profile info i.e. department, email, etc..
I have the following assigned but get a permission error. if I assign user admin role to the app then it works. but I am uncomfortable adding that role to the app.
Solution
Note that: Connecting to Azure AD PowerShell module requires assigning of Directory Readers role (in your scenario) to the app registration along with API permissions too. Refer this blog by NoVestigeOfBeginning.
Without assigning roles I got error "Insufficient privileges to complete the operation":
To get the user profile information grant User.Read.All application API permission:
And add active assignment of Directory readers role to the application:
I am able to fetch user's profile based on your requirement successfully:
# Define your tenant ID, application ID, and certificate thumbprint
$tenantId = "TenantID"
$applicationId = "APPID"
$certThumbprint = "CertTumbPrint"
# Connect to Azure AD using the certificate
Connect-AzureAD -CertificateThumbprint $certThumbprint -ApplicationId $applicationId -TenantId $tenantId
# Define the company name to filter by
$companyName = "ruk"
$users = Get-AzureADUser -All $true | Where-Object {
$_.CompanyName -eq $companyName -and $_.JobTitle -ne $null
} | Select-Object DisplayName, JobTitle, Mail, Department
# Export the filtered users to a CSV file
$users
Otherwise, make use of Microsoft Graph PowerShell module as Azure AD PowerShell module will be deprecated:
- The below requires
User.Read.Allapplication type API permissions granted to the application. - There is no need add any other Microsoft Entra ID roles to make it work.
# Define your tenant ID, client ID, and certificate thumbprint
$tenantId = "TenantID"
$clientId = "ClientID"
$certThumbprint = "CertThumbprint"
$companyName = "ruk"
# Connect to Microsoft Graph using client credentials and certificate
Connect-MgGraph -ClientId $clientId -TenantId $tenantId -CertificateThumbprint $certThumbprint
# Retrieve users with filtering and selecting specific properties
$filteredUsers = Get-MgUser -Filter "companyName eq '$companyName' and jobTitle ne null" `
-Select "displayName,jobTitle,mail,department" `
-CountVariable CountVar `
-ConsistencyLevel Eventual
# Output the filtered users
$filteredUsers | Format-Table -Property displayName, jobTitle, mail, department -AutoSize
- You can also make use of invoke rest method as suggested by @wenbo.
Reference:
Use Microsoft Graph PowerShell authentication commands | Microsoft
UPDATE:
To get the results use Top operator:
# Define your tenant ID, client ID, and certificate thumbprint
$tenantId = "TenantID"
$clientId = "ClientID"
$certThumbprint = "CertThumbprint"
$companyName = "ruk"
$topResults = 500
# Connect to Microsoft Graph using client credentials and certificate
Connect-MgGraph -ClientId $clientId -TenantId $tenantId -CertificateThumbprint $certThumbprint
# Retrieve users with filtering, selecting specific properties, and limiting the number of results
$filteredUsers = Get-MgUser -Filter "companyName eq '$companyName' and jobTitle ne null" `
-Select "displayName,jobTitle,mail,department" `
-Top $topResults `
-CountVariable CountVar `
-ConsistencyLevel Eventual
# Output the filtered users
$filteredUsers | Format-Table -Property displayName, jobTitle, mail, department -AutoSize
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs
- REST API service when called from azure APIM returning empty response body with Status code 200
- How to register your Azure resource as an Application in Azure Active Directory?
- Is it possible to add multiple audiences to AAD bearer token?
- Non-interactive way to authenticate to Azure AD using AADInternals?
- I am trying to update an existing user i made through graph api in my code, but i get a 403 error back from azure graph api
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Getting a token from Microsoft Intra ID with PostMan using MFA
- MSAL for non-SPA? Server side authentication?
- Error 403 User not authorized when trying to access Azure Databricks API through Active Directory
- Add Azure Active Directory User to Azure SQL Database
- How to use stored procedure parameters as dynamic content in copy activity using ADF
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0
- You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- Issue with Azure Automation Account and Key Vault Certificate Retrieval
- OpenAI remove key access while using AAD authentication
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- Add tenant specific roles in Azure AD multitenant app
- Allow App Service to be called by just a test user and another App Service using a system assigned managed identity
- How to automatically refresh access token
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com