
I was hoping to get some advice on the following issue: I am using System-assigned identity in my automation account for authentication. The role assignment for that system-assigned identity is "Owner" and the Scope is "Subscription".

When I run this command "Connect-AzAccount -Identity" - everything works as expected. However, the next command which is the second one in the script - "Get-AzADApplication" -fails with "Insufficient privileges to complete the operation.".

Why am I unable to list all the applications under my tenant when my system managed identity has the "Owner" role? What am I missing here?

Mark T
  • try with the `-debug` option to get some logs on what's happening there – Aatif Akhter Nov 26 '21 at 23:55
  • @AatifAkhter Thank you! I tried your suggestion and I got: "code": "Authorization_RequestDenied". Caught exception, type: Microsoft.Azure.Graph.RBAC.Models.GraphErrorException However, I gave my system-assigned identity permissions to use Microsoft Graph Read and write directory data, which I believe should allow it to retrieve AD data? – Mark T Nov 27 '21 at 12:27
  • Owner roles are more into Azure RBAC, but here you are dealing with the Graph API, which is a different service than the Azure sub (RBAC). May I know how you provided the Graph read permissions to your system-assigned identity? – Jayendran Nov 28 '21 at 11:58
  • @Jayendran I followed this document - https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-app?tabs=azure-powershell%2Cprogramming-language-csharp, and used the script under "Grant access to Microsoft Graph" to provide the permissions. – Mark T Nov 28 '21 at 14:08
  • Hmm, looks like an AD vs Graph API thing, but not sure. 1. Can you try to give the legacy [ad application API permission](https://stackoverflow.com/a/66656268/7073340) instead of the Microsoft Graph API permission? 2. Try the REST API (invoke-restapi) to call the Graph API directly. This will rule out whether the issue is due to the Graph vs AD thing – Jayendran Nov 29 '21 at 04:59
  • Can you please try adding the Directory.Read.All permission to it as well; in the script it has only User.Read.All – Ansuman Bal Nov 29 '21 at 10:21
  • @MarkT were you able to follow what I mentioned. Any update? – Jayendran Dec 03 '21 at 04:07
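The point made in the comments, that an Azure RBAC role such as Owner on the subscription says nothing about what the identity may do against the directory, can be checked directly. The following script is an added example, not code from the question or from any commenter. It uses only `Get-AzAccessToken` and `Invoke-RestMethod` against Microsoft Graph, so it isolates Graph permission problems from Az RBAC, as one comment suggests. The `$AutomationAccountName` value is a placeholder, and `Application.Read.All` is chosen here as the least-privileged application permission that allows listing applications (the `Directory.Read.All` permission mentioned above also works but grants far more). The grant step must run from an administrator session, not from the runbook, because the managed identity cannot assign app roles to itself. Note that the exception type quoted in the comments, `Microsoft.Azure.Graph.RBAC.Models.GraphErrorException`, comes from the older Azure AD Graph based implementation of the Az.Resources AD cmdlets; a Microsoft Graph permission granted this way is what the Az.Resources 5.0+ cmdlets and a direct Graph call need.

```powershell
# Added example (not part of the question or its comments).
# Assumes Az.Accounts >= 2.x; the automation account name is a placeholder.
param(
    [string] $AutomationAccountName = '<your-automation-account>'   # placeholder, replace
)

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app id
$graph      = 'https://graph.microsoft.com/v1.0'

function Get-GraphHeaders {
    # Token for Microsoft Graph using whatever Az context is active
    # (Connect-AzAccount -Identity inside the runbook, interactive admin outside it).
    $token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    return @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
}

function Test-GraphApplicationRead {
    # Same call Get-AzADApplication ultimately makes; run this after Connect-AzAccount -Identity.
    # A 403 here means a missing Graph application permission, not a missing Azure RBAC role.
    try {
        $r = Invoke-RestMethod -Headers (Get-GraphHeaders) -Uri "$graph/applications?`$top=5"
        return "OK, first page returned $($r.value.Count) application(s)"
    } catch {
        return "Graph call failed: $($_.Exception.Message)"
    }
}

function Get-GraphAppRolesHeldBy {
    # Lists the Microsoft Graph app roles assigned to the managed identity's service principal.
    # The system-assigned identity's service principal carries the automation account's name.
    param([string] $SpDisplayName)
    $h  = Get-GraphHeaders
    $sp = (Invoke-RestMethod -Headers $h -Uri "$graph/servicePrincipals?`$filter=displayName eq '$SpDisplayName'").value |
          Select-Object -First 1
    if (-not $sp) { throw "No service principal named '$SpDisplayName' found" }

    $graphSp  = (Invoke-RestMethod -Headers $h -Uri "$graph/servicePrincipals?`$filter=appId eq '$graphAppId'").value[0]
    $assigned = (Invoke-RestMethod -Headers $h -Uri "$graph/servicePrincipals/$($sp.id)/appRoleAssignments").value |
                Where-Object { $_.resourceId -eq $graphSp.id }

    # Map each assignment's appRoleId back to a readable permission name such as User.Read.All
    $names = foreach ($a in $assigned) { ($graphSp.appRoles | Where-Object id -eq $a.appRoleId).value }
    return [pscustomobject]@{ ServicePrincipal = $sp; GraphServicePrincipal = $graphSp; Roles = @($names) }
}

function Grant-GraphAppRole {
    # Administrator step: assign one Microsoft Graph application permission to the identity.
    # Requires a caller holding AppRoleAssignment.ReadWrite.All (e.g. a Global or Privileged Role Administrator).
    param([string] $SpDisplayName, [string] $Permission = 'Application.Read.All')
    $held = Get-GraphAppRolesHeldBy -SpDisplayName $SpDisplayName
    if ($held.Roles -contains $Permission) { return "$Permission already assigned" }

    $role = $held.GraphServicePrincipal.appRoles |
            Where-Object { $_.value -eq $Permission -and $_.allowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Microsoft Graph exposes no application permission named '$Permission'" }

    $body = @{ principalId = $held.ServicePrincipal.id; resourceId = $held.GraphServicePrincipal.id; appRoleId = $role.id } |
            ConvertTo-Json
    Invoke-RestMethod -Method Post -Headers (Get-GraphHeaders) `
        -Uri "$graph/servicePrincipals/$($held.ServicePrincipal.id)/appRoleAssignments" -Body $body | Out-Null
    return "Granted $Permission; new tokens pick it up after a short delay"
}

# From an administrator session:
#   (Get-GraphAppRolesHeldBy -SpDisplayName $AutomationAccountName).Roles   # what the identity really holds
#   Grant-GraphAppRole -SpDisplayName $AutomationAccountName                # add Application.Read.All
# From the runbook, after Connect-AzAccount -Identity:
#   Test-GraphApplicationRead
```

Running `Get-GraphAppRolesHeldBy` first is the useful diagnostic: if it shows only `User.Read.All`, the Owner assignment was never relevant to the failure, and the identity simply lacks a Graph permission that covers `/applications`.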

0 Answers