Get-MgSubscribedSku command succeeds with an Azure app that has no Organization.Read.All permission

ShiRo 20 Reputation points

It's about Microsoft Graph application permissions for Azure apps.

I have an existing app in the Azure portal.

The app doesn't have the Microsoft Graph application Organization.Read.All permission.

However, after connecting to Graph using this app (Connect-MgGraph -TenantId 'xx' -ClientID 'xx' -CertificateThumbprint 'xx'), the Get-MgSubscribedSku command is successful and the SKU information is retrieved.

What should I do to investigate the cause?



Accepted answer
  1. Andy David - MVP 134.2K Reputation points MVP

    Ok, sorry, I misread that. In that case, check for any Entra directory roles the service principal may be assigned.

    From your picture it appears to have the Exchange Admin role assigned? If so, that might explain it, as the Exchange admin has the ability to see all the 365 resources and the SKUs may fall under that scope:

    1 person found this answer helpful.
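
One way to run the check suggested in this answer, as an added example that is not part of the original answers: list the application permissions actually granted to the app's service principal together with any Entra directory roles it holds, directly or through a group. The `$AppId` value is a placeholder, and the script assumes the Microsoft.Graph PowerShell modules and an administrator sign-in that can use the two read scopes shown.

```powershell
# Added example. Run as an administrator (delegated sign-in), not as the app itself.
# $AppId is a placeholder: substitute the client ID of the app under investigation.
$AppId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

# Resolve the service principal (enterprise application object) behind the app registration.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId in this tenant." }

# 1. Application permissions (app roles) granted to the service principal, with readable names.
$resourceCache = @{}
$appPermissions = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $role = $resourceCache[$a.ResourceId].AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{
        Resource   = $a.ResourceDisplayName
        Permission = if ($role) { $role.Value } else { $a.AppRoleId }
        GrantedOn  = $a.CreatedDateTime
    }
}

# 2. Entra directory roles assigned directly to the service principal.
$filter = "principalId eq '$($sp.Id)'"
$directoryRoles = foreach ($ra in Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $ra.RoleDefinitionId
    [pscustomobject]@{
        Role  = $def.DisplayName
        Scope = $ra.DirectoryScopeId
    }
}

# 3. Groups and activated directory roles the service principal belongs to (transitively),
#    which covers roles inherited through a role-assignable group.
$memberships = foreach ($m in Get-MgServicePrincipalTransitiveMemberOf -ServicePrincipalId $sp.Id -All) {
    [pscustomobject]@{
        Type = $m.AdditionalProperties['@odata.type']
        Name = $m.AdditionalProperties['displayName']
    }
}

$appPermissions | Sort-Object Resource, Permission | Format-Table -AutoSize
$directoryRoles | Format-Table -AutoSize
$memberships    | Format-Table -AutoSize
```

If the first table does not contain Organization.Read.All but the second or third shows a role such as the Exchange admin role mentioned in this answer, that role assignment is the candidate explanation the answer points to.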

1 additional answer

  1. Andy David - MVP 134.2K Reputation points MVP

    The account you are using may already have the delegated permissions.

    If connecting with the default Graph PS module, look up the Enterprise app in the portal and see what perms it has consented.

    Microsoft Graph Command Line Tools with an AppId of 14d82eec-204b-4c2f-b7e8-296a70dab67