7

I'm getting "ERROR: Insufficient privileges to complete the operation." when running az ad app permission add.

What permission do I need to grant my service principal for this to work?

I gave it the AppRoleAssignment.ReadWrite.All permission which says:

Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user.


Update: I also gave it Application.ReadWrite.All, but still getting the error.

Joe Eng

4 Answers

9

I also gave it Application.ReadWrite.All, but still getting the error.

The Application.ReadWrite.All Application permission is enough. I suppose you gave the Application.ReadWrite.All permission in Microsoft Graph; it will not work. You need to use the Application.ReadWrite.All in Azure AD Graph, then it will work.


After giving the permission, wait for a while and run the command. It returns a warning; refresh the portal and you will find the API permission was added.


Joy Wang
  • Brilliant answer! The screenshots make it so easy to follow. This just saved me a ton of time, thank you! I wish I could uptick you more. – Lee Richardson Jun 30 '20 at 13:47
  • @Joy-Wang Could you please explain why the permission on graph api won't work in this case? – Garima Jul 27 '20 at 13:16
  • @Garima It's because the az cli is using the old AD graph api. It hasn't been updated to use the new Graph API yet, afaik. – Joe Eng Feb 17 '21 at 19:30
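A quick way to see which API each configured permission of an app registration targets, as an added example that is not part of any answer here: it reads the JSON that `az ad app permission list --id <appId>` prints. The sample input below is constructed (only the two well-known resource app IDs are real), and the id-to-name mapping is a hypothetical lookup you would fill from each API's service principal.

```python
import json

# Well-known application IDs of the two APIs the answers above distinguish.
MICROSOFT_GRAPH = "00000003-0000-0000-c000-000000000000"
AZURE_AD_GRAPH = "00000002-0000-0000-c000-000000000000"  # deprecated API
API_NAMES = {MICROSOFT_GRAPH: "Microsoft Graph",
             AZURE_AD_GRAPH: "Azure AD Graph (deprecated)"}

def audit_permissions(required_resource_access, names=None):
    """One record per permission in the requiredResourceAccess list that
    `az ad app permission list --id <appId>` prints. The CLI shows only GUIDs,
    so `names` maps "<resourceAppId>:<permissionId>" to a readable value (get
    them from `az ad sp show --id <resourceAppId> --query appRoles`). Caveat:
    this is what is configured on the app, not what has been admin-consented."""
    names = names or {}
    findings = []
    for resource in required_resource_access:
        api = resource.get("resourceAppId", "")
        for access in resource.get("resourceAccess", []):
            findings.append({
                "api": API_NAMES.get(api, "other (" + api + ")"),
                "permission": names.get(api + ":" + access["id"], access["id"]),
                # "Role" = application permission, "Scope" = delegated permission
                "kind": "application" if access.get("type") == "Role" else "delegated",
                "on_deprecated_api": api == AZURE_AD_GRAPH,
            })
    return findings

def apis_with_permission(required_resource_access, names, permission, kind):
    """APIs on which `permission` of the given kind is configured, e.g. to check
    whether Application.ReadWrite.All exists only on Microsoft Graph."""
    return [f["api"] for f in audit_permissions(required_resource_access, names)
            if f["permission"] == permission and f["kind"] == kind]

# Constructed sample in the shape of `az ad app permission list` output; the
# permission GUIDs are made up, only the two resourceAppIds are real.
SAMPLE = json.loads("""[
 {"resourceAppId": "00000003-0000-0000-c000-000000000000",
  "resourceAccess": [{"id": "aaaaaaaa-0000-4000-8000-000000000001", "type": "Role"},
                     {"id": "aaaaaaaa-0000-4000-8000-000000000002", "type": "Scope"}]},
 {"resourceAppId": "00000002-0000-0000-c000-000000000000",
  "resourceAccess": [{"id": "bbbbbbbb-0000-4000-8000-000000000001", "type": "Role"}]}
]""")
SAMPLE_NAMES = {  # constructed id -> value mapping for the sample above
    MICROSOFT_GRAPH + ":aaaaaaaa-0000-4000-8000-000000000001": "Application.ReadWrite.All",
    MICROSOFT_GRAPH + ":aaaaaaaa-0000-4000-8000-000000000002": "User.Read",
    AZURE_AD_GRAPH + ":bbbbbbbb-0000-4000-8000-000000000001": "Application.ReadWrite.All",
}
```

Piping the real CLI output through `json.load` and into audit_permissions works the same way; any record with on_deprecated_api set is a permission that stops working once Azure AD Graph is retired.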
8

Since the Microsoft Graph API is not working with the Azure CLI AD app permissions and the Azure AD Graph API is deprecated from April 2020, this can be achieved by giving the Application administrator role to the AD app.

From Azure AD go to Roles and administrators > Application administrator.


Then click Add assignment, find your client app and add it to the Application administrator role.


ctienshi
  • This is the right way for now. In GitHub, the developers are still working on the issue. But this one has saved me a lot of research work. Thanks :) – neoinwonderland Nov 03 '21 at 09:52
2

az cli is getting updated to use MS Graph API according to: https://github.com/Azure/azure-cli/issues/12946#issuecomment-737196942

Presumably this update will occur before AAD Graph API is retired on 6/30/2022: https://github.com/azure-deprecation/dashboard/issues/178

Once az cli gets updated then Application.ReadWrite.All permission on MS Graph API should work.

Joe Eng
1

There is a deprecation warning for the Azure AD Graph API as below.

This application is using Azure AD Graph API, which is on a deprecation path. Starting June 30th, 2020 we will no longer add any new features to Azure AD Graph API. We strongly recommend that you upgrade your application to use Microsoft Graph API instead of Azure AD Graph API to access Azure Active Directory resources

Also it seems the Microsoft Graph API is not working even though the relevant permissions are not provided.

ctienshi
  • This should be a comment instead of an answer. To your point, az cli appears to use the old Azure AD API. Not sure when/if they plan to update it to use the new Graph API. I try to use PowerShell or the Graph API directly instead. The Graph API permissions should work in those cases. – Joe Eng Feb 07 '21 at 06:23