Permissions error when trying to list Entra users / groups for access to a resource

James Kew 0 Reputation points
2024-08-22T09:41:34.8366667+00:00

Hi, in the past two months we have been getting an error message when trying to list, with the intention of adding, users from Entra to certain resources in Azure, such as PIM assignments or admin on a SQL database. The error is:

"You are not authorized to make some of the requests. Results may be incomplete."

The admin accounts we use have Contributor access in Azure and Global Reader in Entra, plus we can PIM to certain other roles, but, for example, when you PIM to Privileged Role Admin and try to add users to a PIM role, you get the same error because it seems you don't have permissions to get the list of users / groups from Entra. However, if we PIM to Global Admin then we can add users with no issue, so I am thinking we must be missing a permission somewhere?

To give some background on this, the issue seems to have started when our PIM roles expired and were then put back in place. My thinking is that we missed a permanent assignment somewhere, but at the same time we have permanent Global Reader, so I'm not sure why we'd be unable to list users from Entra.

My question is therefore, does anyone know the correct PIM role we would need to allow us to list the users / groups from the directory? Or can you think of anything else that might be causing the issue please?

Any help would be greatly appreciated.

Thanks,


ShaktiSingh-MSFT 15,301 Reputation points
2024-08-30T04:39:08.61+00:00

Hi James Kew,

Thanks for your patience.

We got a reply internally:

The Global Administrator and Privileged Role Administrator roles are used to assign the Directory Readers role to the identity representing your SQL instance.

The Directory Readers role should be the one to contain the permissions to list users / groups in Microsoft Entra ID.

The MS Graph permissions which directly map to those actions are:

1. list users: Users.Read.All
2. list groups/memberships: GroupMember.Read.All.

If you could share more specific details about what operations you're seeing these failures in, that would be helpful. We can also engage the Microsoft Graph team which may have more details specific to roles.

Thanks
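A diagnostic for the situation above, added here as an example and not part of the thread: it reports which directory roles the signed-in identity currently holds, whether Directory Readers is among them, and whether the two Graph operations the answer maps to permissions (listing users, listing groups) actually succeed. It assumes the Microsoft Graph PowerShell SDK is installed and that consent for the requested scopes is available in the tenant.

```powershell
# Added diagnostic script (not from the thread). Assumes the Microsoft.Graph SDK
# is installed and the signed-in user can consent to (or already has) the scopes below.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups

# Well-known role template ID of the built-in Directory Readers role.
$DirectoryReadersTemplateId = '88d8e3e3-8f55-4a1e-953a-9b9898b8876b'

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All', 'Directory.Read.All' -NoWelcome

# Directory roles the signed-in principal is a member of right now. A PIM role shows
# up here only while it is activated; an eligible-but-not-activated role does not,
# which is worth checking first when a role "expired and was put back".
$roles = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole'
$roleNames = @($roles.value | ForEach-Object { $_.displayName })
Write-Host "Active directory roles: $($roleNames -join ', ')"

$hasDirectoryReaders = @($roles.value |
    Where-Object { $_.roleTemplateId -eq $DirectoryReadersTemplateId }).Count -gt 0
Write-Host "Directory Readers active: $hasDirectoryReaders"

# Probe the two listing operations the answer maps to User.Read.All and
# GroupMember.Read.All; a 403 here is the same condition behind the portal message.
function Test-Listing([string]$Name, [scriptblock]$Call) {
    try {
        $null = & $Call
        Write-Host "$Name : OK"
    } catch {
        Write-Host "$Name : FAILED - $($_.Exception.Message)"
    }
}
Test-Listing 'List users'  { Get-MgUser  -Top 1 -ErrorAction Stop }
Test-Listing 'List groups' { Get-MgGroup -Top 1 -ErrorAction Stop }
```

Run it once with only the permanent assignments active and again after activating the PIM role in question; the difference in the role list and in the two probes shows which assignment is actually carrying the directory read permission.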

