azure, azure-active-directory, microsoft-entra-id

Unable to Add User to Resource Group: Authorization_RequestDenied Error


I have the User Access Administrator role, so I can usually add users to a resource group through Access Control (IAM). However, today I encountered an issue where I can't select a user in the members section. I get the following errors:

Authorization_RequestDenied

Insufficient privileges to complete the operation.

This error appears while using the graph.microsoft.com REST API.

/users?$filter=startsWith(displayName,%27john%27)%20OR%20startswith(givenName,%27john%27)%20OR%20startswith(surname,%27john%27)%20OR%20startsWith(mail,%27john%27)%20OR%20startsWith(userPrincipalName,%27john%27)&$top=100

/groups?$filter=securityEnabled%20eq%20true%20AND%20(startsWith(displayName,%27john%27)%20OR%20startsWith(mail,%27john%27))&$top=100

/servicePrincipals?$filter=startsWith(displayName,%27john%27)&$top=100


Solution

The User Access Administrator role only gives you rights to operations in the Azure Resource Management API. You would be able to create any assignment through the CLI or directly through the API by using the users' unique object IDs.

In the Portal, however, it makes queries to the Graph API, and for that you need permissions in Entra ID (previously known as Azure AD). You'll need to be a Member or be assigned a directory role that grants user enumeration rights.

In some cases it is possible to enter a specific username in the Portal and have that work. This will work if your user does have access to read users but not to enumerate them.
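The CLI path the answer describes, as an added example that is not part of the original question or answer: it assumes the Azure CLI (`az`) is installed and signed in with the User Access Administrator role on the resource group, and that the target user's object ID has been obtained out of band (for instance, the target user running `az ad signed-in-user show --query id -o tsv` and sending you the result), since the Portal picker's Graph enumeration is what fails. `SUBSCRIPTION_ID`, `RESOURCE_GROUP`, `TARGET_OBJECT_ID` and the helper names `is_guid`, `build_scope`, `build_assignment_cmd` and `assign_role` are placeholders and names chosen for this example. Passing `--assignee-object-id` together with `--assignee-principal-type` is what lets the CLI create the assignment without looking the principal up in Graph.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Assumes the
# Azure CLI (az) is installed and logged in with User Access Administrator on
# the resource group. The values below are constructed placeholders.
set -eu

SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"   # placeholder
RESOURCE_GROUP="rg-example"                              # placeholder
TARGET_OBJECT_ID="11111111-2222-3333-4444-555555555555"  # placeholder
ROLE_NAME="Reader"

# The Portal resolves "john" to an object ID through Graph; without Graph read
# rights that resolution is denied, so the ID has to be supplied by hand. Check
# that what we were handed really is a GUID before sending it to ARM.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# ARM scope of a resource group; the role assignment is created at this scope.
build_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Render the az command as a string so it can be reviewed or logged first.
# --assignee-object-id plus --assignee-principal-type skips the Graph lookup
# that the Portal's member picker performs.
build_assignment_cmd() {
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type User --role "%s" --scope %s' \
    "$1" "$2" "$(build_scope "$3" "$4")"
}

# Create the assignment for a known object ID; refuses anything that is not a
# GUID, because name-based enumeration is exactly what is unavailable here.
assign_role() {
  if ! is_guid "$1"; then
    echo "refusing: '$1' is not an object ID (GUID)" >&2
    return 1
  fi
  az role assignment create \
    --assignee-object-id "$1" \
    --assignee-principal-type User \
    --role "$2" \
    --scope "$(build_scope "$3" "$4")"
}

# Dry run by default: print the command. Set RUN_ASSIGNMENT=1 to execute it.
if [ "${RUN_ASSIGNMENT:-0}" = "1" ]; then
  assign_role "$TARGET_OBJECT_ID" "$ROLE_NAME" "$SUBSCRIPTION_ID" "$RESOURCE_GROUP"
else
  build_assignment_cmd "$TARGET_OBJECT_ID" "$ROLE_NAME" "$SUBSCRIPTION_ID" "$RESOURCE_GROUP"
  echo
fi
```

After the assignment exists, `az role assignment list --scope "$(build_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"` shows it by principal ID; the display name column stays empty for the same reason the Portal picker fails, since resolving names is a Graph operation the role does not grant.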