Issues regarding Azure app permissions

Anchal Madankar 1 Reputation point
2020-03-18T11:45:19.613+00:00

Hello Team,

We want to know the approach for Azure login without browser interaction and without providing the credentials. For that, we got the Azure CLI command, i.e. az login --service-principal -u -p --tenant

We log in successfully, but when we execute the below command, i.e.

az ad app permission list --id

We got the error: Insufficient privileges to complete the operation.

It will be very helpful if you provide the API and SDK for the same, if available.

Kindly help us as soon as possible.

[Screenshot: 4891-app-permission.png]

Microsoft Entra ID

2 answers

  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-03-20T10:40:42.177+00:00

    @Anchal Madankar You need to assign the Directory Writers role to the service principal first. Please follow the steps below for this purpose:

    1. Run Get-AzureADDirectoryRole cmdlet and copy the object ID of the Directory Writers role.
    2. Run Get-AzureADServicePrincipal cmdlet and copy the object ID of the service principal.
    3. Run Add-AzureADDirectoryRoleMember -ObjectId object_ID_of_the_Directory_Writers_role -RefObjectId object_ID_of_the_service_principal to assign the Directory Writers role to the service principal.
    4. Try running az ad app permission list --id. You should be able to run the command successfully.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.
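The three cmdlets in the answer above, put together as one script. This is an added example and not part of the answer or of any Microsoft sample; it assumes the AzureAD PowerShell module is installed, that the session is connected with an account allowed to manage directory roles, and that $AppId is a placeholder for the application (client) ID of the service principal used with az login. It also handles a case the steps do not mention: Get-AzureADDirectoryRole only returns roles that have already been activated in the tenant, so the script activates Directory Writers from its template if it is not listed, and it skips the assignment when the service principal is already a member.

```powershell
# Added example (not the answer's own code): assign the Directory Writers role
# to a service principal with the AzureAD module.
# Assumptions: AzureAD module present; Connect-AzureAD run with a sufficiently
# privileged account; $AppId is a placeholder for the SP's application ID.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppId   # placeholder: appId of the service principal used with az login
)

Connect-AzureAD | Out-Null

# Step 2 of the answer: resolve the service principal object from its appId
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# Step 1 of the answer: find the Directory Writers role. Roles that were never
# activated in the tenant are not returned, so enable from the template if needed.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Directory Writers' }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -eq 'Directory Writers' }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Idempotency check: do not add the SP twice
$alreadyMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }

if ($alreadyMember) {
    Write-Output "Service principal '$($sp.DisplayName)' is already a Directory Writer."
} else {
    # Step 3 of the answer: add the SP as a member of the role
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Output "Assigned Directory Writers to '$($sp.DisplayName)' ($($sp.ObjectId))."
}

# Verification (step 4 is run with az, so here we just confirm the membership)
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, ObjectId, ObjectType
```

Two practical notes: Directory Writers is a tenant-wide privileged role, so an automation identity that receives it should be inventoried and reviewed like any other privileged account, and the final membership listing is the record of that change. The AzureAD module these cmdlets come from has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, where the equivalent objects are directory roles and role members under the Microsoft.Graph.Identity.DirectoryManagement module.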

  2. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-03-18T13:41:59+00:00

    Hello @Anchal Madankar,

    When you registered the service principal, an app would have been registered in your Azure AD tenant. You need to log on to the Azure portal with a Global admin account so that you can make this modification. In case you are not the global admin, you will need to contact your internal IT team, who would have global administrator rights within your tenant. Within the app registration's section, you will need to go to API permissions to provide the application the API permissions it needs to list the information. Please take a look at the screenshots below.

    [Screenshot: 4901-adperm.jpg]

    This will open a left pane listing all the APIs available, along with any APIs your organization is using or has created.

    [Screenshot: 4852-apiperm.jpg]

    I am not sure which type of application you have, but you can request delegated permissions for your application/service principal or application permissions, depending upon the details as mentioned.

    [Screenshot: 4902-delapp.jpg]

    With the details that you have provided in the screenshot, I am assuming you would need application permissions as below. But I am not sure of your needs, so you may have to check the existing permissions on the Graph API to find what fits your need.

    [Screenshot: 4882-appperm3.jpg]

    Anything that says "Admin consent required" would require you to first set all the permissions and then contact a global admin for tenant-wide consent. The global admin would need to log on to the Azure portal, go to this app within the App registrations blade, and provide the admin consent by clicking "Grant Admin consent to tenant" as shown in the first image here. You can read more about permissions and consent here.

    Hope this helps. In case the information provided in this post helps you, please do accept this as the answer so that it is helpful for other members of the community searching for similar answers. In case you have any queries, please do let us know.

    Thank you.