@Peter Bartosinski - Thanks for reaching out to us.
@Roderick Bant - Thank you for providing the useful information.
Reiterating the solution here to reach broader audience and the community.
The error message means that you need to assign the "Reader" role at the /providers/Microsoft.Subscription scope.
To resolve this, do the following:
- Make sure this setting (https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#azure-portal) is turned on so all Global Admins in the tenant have "User Access Administrator" permissions at the "/" scope
- Using a Global Admin of the AAD tenant, connect using the Az module and assign permissions to the service principal like this:

  ```powershell
  # Sign in as a Global Admin of the tenant (replace xxxxxxxx with the tenant id)
  Connect-AzAccount -Tenant xxxxxxxx
  # Look up the service principal by its display name
  $sp = Get-AzADServicePrincipal -DisplayName "appdisplayname"
  # Grant Reader at the Microsoft.Subscription provider scope
  New-AzRoleAssignment -ObjectId $sp.Id -Scope /providers/Microsoft.Subscription -RoleDefinitionName "Reader"
  ```
- Then retry the operation with the service principal.
Hope this helps, and please feel free to reach out if you have any further questions.
If the above response was helpful, please feel free to "Accept as Answer" and "Upvote" the same so it can be beneficial to the community.
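As an added example (not part of the answer above), the same assignment written as an idempotent check-then-assign script: it warns if the signed-in admin lacks "User Access Administrator" at "/", refuses ambiguous display names, only creates the Reader assignment when it is not already present at exactly that scope, and prints what the service principal ends up holding. `$TenantId` and `$SpDisplayName` are placeholder parameters you supply.

```powershell
# Added example, not the original answer's code. Requires the Az module.
param(
    [Parameter(Mandatory)] [string] $TenantId,       # placeholder: your tenant id
    [Parameter(Mandatory)] [string] $SpDisplayName   # placeholder: the app's display name
)
$scope = '/providers/Microsoft.Subscription'
$role  = 'Reader'

Connect-AzAccount -Tenant $TenantId | Out-Null

# Pre-check: the elevate-access toggle from the answer gives Global Admins
# "User Access Administrator" at "/"; without it the assignment below fails.
$me  = (Get-AzContext).Account.Id
$uaa = Get-AzRoleAssignment -SignInName $me -Scope '/' `
        -RoleDefinitionName 'User Access Administrator' -ErrorAction SilentlyContinue
if (-not $uaa) {
    Write-Warning "No 'User Access Administrator' assignment at '/' for $me; enable elevated access first."
}

# Resolve the service principal and fail closed on a missing or ambiguous name,
# so the role is never granted to the wrong identity.
$sp = Get-AzADServicePrincipal -DisplayName $SpDisplayName
if (-not $sp) { throw "Service principal '$SpDisplayName' not found in tenant $TenantId" }
if (@($sp).Count -gt 1) { throw "Display name '$SpDisplayName' is ambiguous; use -ApplicationId instead" }

# Idempotent: only count an assignment made at exactly this scope (not inherited from "/").
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $role |
    Where-Object { $_.Scope -eq $scope }

if ($existing) {
    Write-Host "$role already assigned to $($sp.DisplayName) at $scope; nothing to do."
} else {
    New-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $role | Out-Null
    Write-Host "Assigned $role to $($sp.DisplayName) at $scope."
}

# Show everything the principal holds at this scope so a reviewer can confirm
# nothing broader than Reader was granted.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope, ObjectType | Format-Table -AutoSize
```

Run it once before retrying the original operation; rerunning it is safe because it does not create a second assignment.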