1

I am using .Net Core App with hosting it on Azure Portal. Now at some place I need to use Get the detail of logged in User (Active Directory user) in the application. So for that I am using Microsoft Graph API. So to setup this permission I am using Get-AzureADServiceAppRoleAssignment command. It is working fine when I run this command with Global Administrator account access. But it throws error when I used it without Global Administrator account access. Error: Service_InternalServerError. as shown in below image. enter image description here

Anyone have an idea or suggestions how to get rid of this error, and Is there any way to run this script without Global Admin access?

Any help or suggestions will be highly appreciated ! Thanks

Community
  • 1
  • 1
prog1011
  • 3,425
  • 3
  • 30
  • 57
  • 1
    Creating those assignments definitely requires some administrator role. The internal server error is definitely not expected though :\ – juunas May 26 '20 at 09:34

2 Answers2

1

Assign the Cloud Application Administrator directory role to the affected user and try again.

AlfredoRevilla-MSFT
  • 3,171
  • 1
  • 12
  • 18
0

the problem here is you don't necessarily need global admin, but the application/user would need a role that has at least roleassignment permissions. so you could create a custom role at the subscription level that has role assignment permissions. you need "Microsoft.Authorization/roleAssignments/" and maybe "Microsoft.Management/managementGroups/read" "Microsoft.Authorization/roleDefinitions/"

However, I would like to point out that if an application has role assignment permissions, it can technically assign itself a global admin role.. so it doesn't add any extra real security.

alphaz18
  • 2,610
  • 1
  • 5
  • 5