Closed (Agazoth closed this issue 2 years ago)
Thanks for reporting. Your current service principal doesn't have sufficient permission. You need to grant it the AAD Graph permission to query directory objects.
@dingmeng-xue yes, but that has been disabled in our tenant:
The Microsoft Identity team has disabled AAD Graph in the Portal. We provide a workaround; please see https://github.com/Azure/azure-powershell/issues/16067
Thanks, @dingmeng-xue - any ETA on when the cmdlet is updated to support MSGraph?
I managed to solve the issue by using this REST API: https://docs.microsoft.com/en-us/rest/api/authorization/role-assignment-rest-sample
My understanding is that your solution can grant the RBAC permission to your SP. For the time being, some management cmdlets call AAD Graph internally besides the AAD cmdlets, for instance New-AzAksCluster, Get-AzKeyVault and New-AzRoleAssignment. If you want the SP to use those cmdlets, the required API permission is still needed.
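The REST-based workaround mentioned two comments up, and the distinction drawn in the reply above (an ARM role assignment needs no directory permission, only RBAC rights at the scope), as an added PowerShell example that is not the issue author's script nor part of Az.Resources. It assumes an existing Connect-AzAccount session whose identity holds Owner or User Access Administrator on the target resource group; every parameter value is a placeholder to replace.

```powershell
# Added example: create an RBAC role assignment with the ARM role-assignment REST API
# via Invoke-AzRestMethod (Az.Accounts), avoiding the AAD Graph lookup that
# New-AzRoleAssignment performs. All parameter values are placeholders.
param(
    [Parameter(Mandatory)][string]$SubscriptionId,     # placeholder
    [Parameter(Mandatory)][string]$ResourceGroupName,  # placeholder
    [Parameter(Mandatory)][string]$PrincipalObjectId,  # placeholder: object id (not app id) of the SP
    [string]$RoleName = 'Reader'                       # built-in role name; least privilege by default
)

$apiVersion = '2022-04-01'
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"

function Invoke-ArmJson {
    param([string]$Method, [string]$Path, [string]$Payload)
    $splat = @{ Method = $Method; Path = $Path }
    if ($Payload) { $splat.Payload = $Payload }
    $resp = Invoke-AzRestMethod @splat
    if ($resp.StatusCode -ge 300) {
        throw "ARM $Method $Path failed with HTTP $($resp.StatusCode): $($resp.Content)"
    }
    return $resp.Content | ConvertFrom-Json
}

# 1. Resolve the role definition id by name at the target scope (no directory lookup needed).
$filter = [uri]::EscapeDataString("roleName eq '$RoleName'")
$defs = Invoke-ArmJson -Method GET -Path "$scope/providers/Microsoft.Authorization/roleDefinitions?`$filter=$filter&api-version=$apiVersion"
if ($defs.value.Count -ne 1) { throw "Expected exactly one role definition named '$RoleName', got $($defs.value.Count)" }
$roleDefinitionId = $defs.value[0].id

# 2. Check for an existing assignment first so re-running the script is idempotent.
$filter = [uri]::EscapeDataString("principalId eq '$PrincipalObjectId'")
$existing = Invoke-ArmJson -Method GET -Path "$scope/providers/Microsoft.Authorization/roleAssignments?`$filter=$filter&api-version=$apiVersion"
$match = $existing.value | Where-Object { $_.properties.roleDefinitionId -eq $roleDefinitionId -and $_.properties.scope -eq $scope }
if ($match) { Write-Host "Assignment already exists: $($match.id)"; return $match }

# 3. PUT a new assignment. The name is a client-chosen GUID; principalType lets ARM accept
#    a service principal that was created moments ago and is not yet replicated.
$assignmentName = [guid]::NewGuid().ToString()
$body = @{ properties = @{
    roleDefinitionId = $roleDefinitionId
    principalId      = $PrincipalObjectId
    principalType    = 'ServicePrincipal'
} } | ConvertTo-Json -Depth 5
$created = Invoke-ArmJson -Method PUT -Path "$scope/providers/Microsoft.Authorization/roleAssignments/$assignmentName?api-version=$apiVersion" -Payload $body
Write-Host "Created role assignment $($created.id) ($RoleName for $PrincipalObjectId at $scope)"
return $created
```

The GET in step 2 doubles as a verification that the assignment exists after the PUT, since the same filter returns it on the next run.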
We plan to support MSGraph at the beginning of next month. The preview version of Az.Resources is published at https://www.powershellgallery.com/packages/Az.Resources/5.0.0-preview. An announcement will be published soon.
That is good news. Thanks again.
The permission I needed for New-AzRoleAssignment to work was: Directory.Read.All
The workaround in #16067 gave my service account delegated access, but it also gave me a link to the deprecated portal menu, and I was able to grant application access from there:
Description
Running New-AzRoleAssignment in the context of a ServicePrincipal targeting a resource group on a subscription the Service Principal has Owner rights on fails.
Steps to reproduce
Running the same command when connected with a user account with owner rights on the subscription does not produce this error.
Environment data
This error persists both on my dev box and in DevOps MS-hosted pipelines (ubuntu-latest). The details here are from my dev box.
Module versions
Debug output
Error output