1

az ad app permission add needs Azure Active Directory Graph - Application.ReadWrite.All: az ad app permission add - Insufficient privileges to complete the operation

However, Azure AD Graph API is being deprecated. Will az ad at some point be updated to use Microsoft Graph API instead?

Joe Eng

3 Answers

2

az ad manages Azure Active Directory Graph entities needed for Role Based Access Control. It still uses the AD Graph API, not the new Microsoft Graph API. You could give feedback on UserVoice.

You could call Microsoft Graph API with az rest in Azure CLI, see here.

Since Microsoft Graph Service Principal API is GA, we recommend using az rest instead of az ad for the time being until we fully migrate az ad to Microsoft Graph.

unknown
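
The `az rest` route recommended in the answer above, as an added example that is not part of the original answers or of Azure CLI itself: it declares a Microsoft Graph application permission on an app registration without going through `az ad app permission add`. The function names and the application object id argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: declare a Microsoft Graph application permission on an app
# registration with `az rest` instead of `az ad app permission add`.
GRAPH=https://graph.microsoft.com/v1.0
MSGRAPH_APPID=00000003-0000-0000-c000-000000000000  # well-known Microsoft Graph appId

# Resolve a permission name (e.g. Application.ReadWrite.All) to its appRole id
# by reading the appRoles published on the Microsoft Graph service principal.
lookup_app_role_id() {
    az rest --method get \
        --url "$GRAPH/servicePrincipals(appId='$MSGRAPH_APPID')?\$select=appRoles" \
        --query "appRoles[?value=='$1'].id | [0]" --output tsv
}

# Build the PATCH body. type "Role" is an application permission;
# "Scope" would be a delegated permission.
build_body() {
    printf '{"requiredResourceAccess":[{"resourceAppId":"%s","resourceAccess":[{"id":"%s","type":"Role"}]}]}' \
        "$MSGRAPH_APPID" "$1"
}

# Usage: add_graph_permission <application-object-id> <permission-name>
# PATCH replaces the whole requiredResourceAccess list, so an application that
# already declares other permissions needs them merged into the body first.
add_graph_permission() {
    role_id=$(lookup_app_role_id "$2") || return 1
    [ -n "$role_id" ] || { echo "unknown permission: $2" >&2; return 1; }
    az rest --method patch --url "$GRAPH/applications/$1" \
        --headers "Content-Type=application/json" \
        --body "$(build_body "$role_id")"
}
```

This only declares the permission on the app registration; an administrator still has to grant consent before it takes effect.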
1

According to this comment from a member of the Azure CLI team, they plan to migrate az ad to MS Graph: https://github.com/Azure/azure-cli/issues/12946#issuecomment-737196942

Azure CLI team is currently working on the ADAL -> MSAL migration. We will start the planning and implementation of Active Directory Graph -> Microsoft Graph migration once the previous task is done. + @achandmsft

Joe Eng
  • According to the latest comment it seems that the team has started working on this but it will take some time: https://github.com/Azure/azure-cli/issues/12946#issuecomment-954742775. "This feature is already planned as top priority and we will work on it for several months. The rough ETA is by the end of March next year." – Ilya Chernomordik Nov 08 '21 at 11:09
0

You can achieve it by adding the required role to the service principal.

You don't require AAD graph permissions. You need to add the service principal to the Global Administrator Role using Azure portal->Azure AD->Roles and Administrators->Application Administrator

Hari Krishna