minimum permissions that are required for serviceprincipal account to enumerate user profile info
what permissions does the service principal need to enumerate user profile info i.e. department, email, etc..
I have the following assigned but get a permission error. if I assign user admin role to the app then it works. but I am uncomfortable adding that role to the app.
Solution
Note that: Connecting to Azure AD PowerShell module requires assigning of Directory Readers role (in your scenario) to the app registration along with API permissions too. Refer this blog by NoVestigeOfBeginning.
Without assigning roles I got error "Insufficient privileges to complete the operation":
To get the user profile information grant User.Read.All application API permission:
And add active assignment of Directory readers role to the application:
I am able to fetch user's profile based on your requirement successfully:
# Define your tenant ID, application ID, and certificate thumbprint
$tenantId = "TenantID"
$applicationId = "APPID"
$certThumbprint = "CertTumbPrint"
# Connect to Azure AD using the certificate
Connect-AzureAD -CertificateThumbprint $certThumbprint -ApplicationId $applicationId -TenantId $tenantId
# Define the company name to filter by
$companyName = "ruk"
$users = Get-AzureADUser -All $true | Where-Object {
$_.CompanyName -eq $companyName -and $_.JobTitle -ne $null
} | Select-Object DisplayName, JobTitle, Mail, Department
# Export the filtered users to a CSV file
$users
Otherwise, make use of Microsoft Graph PowerShell module as Azure AD PowerShell module will be deprecated:
- The below requires
User.Read.Allapplication type API permissions granted to the application. - There is no need add any other Microsoft Entra ID roles to make it work.
# Define your tenant ID, client ID, and certificate thumbprint
$tenantId = "TenantID"
$clientId = "ClientID"
$certThumbprint = "CertThumbprint"
$companyName = "ruk"
# Connect to Microsoft Graph using client credentials and certificate
Connect-MgGraph -ClientId $clientId -TenantId $tenantId -CertificateThumbprint $certThumbprint
# Retrieve users with filtering and selecting specific properties
$filteredUsers = Get-MgUser -Filter "companyName eq '$companyName' and jobTitle ne null" `
-Select "displayName,jobTitle,mail,department" `
-CountVariable CountVar `
-ConsistencyLevel Eventual
# Output the filtered users
$filteredUsers | Format-Table -Property displayName, jobTitle, mail, department -AutoSize
- You can also make use of invoke rest method as suggested by @wenbo.
Reference:
Use Microsoft Graph PowerShell authentication commands | Microsoft
UPDATE:
To get the results use Top operator:
# Define your tenant ID, client ID, and certificate thumbprint
$tenantId = "TenantID"
$clientId = "ClientID"
$certThumbprint = "CertThumbprint"
$companyName = "ruk"
$topResults = 500
# Connect to Microsoft Graph using client credentials and certificate
Connect-MgGraph -ClientId $clientId -TenantId $tenantId -CertificateThumbprint $certThumbprint
# Retrieve users with filtering, selecting specific properties, and limiting the number of results
$filteredUsers = Get-MgUser -Filter "companyName eq '$companyName' and jobTitle ne null" `
-Select "displayName,jobTitle,mail,department" `
-Top $topResults `
-CountVariable CountVar `
-ConsistencyLevel Eventual
# Output the filtered users
$filteredUsers | Format-Table -Property displayName, jobTitle, mail, department -AutoSize
- Generating token for Fabric Rest api using client secret
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
- Unable to Connect to Azure PostgreSQL Database via Point-to-Site VPN with Azure Active Directory on macOS
- How do I retrieve the service principal password after creation using the azure cli?
- Cannot create Azure B2C Tenant
- Accessing Graph API from multi tenant App Function via identity
- My Azure AD B2C User Flow is not returning a token on jwt.ms
- AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>
- AccountEnabled user property from Azure AD returning null
- Azure B2C user flow without an email
- How to use Azure Data Factory to take Business Central data and put into Azure SQL DB?
- Triggering a PowerAutomate desktop flow, using apis, fails due to access issues
- Azure - should the creator of a resource have owner rights?
- Scope is not being added to Access Token returned from Azure Ad
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- Exchanging azure AD token with Identity server token
- Website authenticating users against AAD: can the OpenId document be provided offline to the consuming website?
- how to limit code verification email Spaming in Azure B2C
- Custom Claims in a Multitenant Microsoft Entra App
- Get error "You do not have elevated access" when try to postpone MFA enforcement
- How to bulk create/import users in Azure AD so that all of them can have single sign on to my SF sandbox?
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API
- Azure AD Authentication 401 error "the audience is invalid" AddAzureADBearer .Net Core Web Api
- AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption
- How to get users info list from Azure AD app by calling Microsoft Graph API from ASP.NET Core Web API?
- Updating App Registration's Configured permission without overwritten existing values
- Missing Environment Variable 'BOT_ID' While Registering Microsfot Teams Bot App, while using Teams tool Kit template
- Error on integration with SSO Azure AD (BrowserAuthError: uninitialized_public_client_application)