Get-MgSubscribedSku command succeeds with an Azure app that has no Organization.Read.All permission

ShiRo 20 Reputation points
2023-10-30T09:53:14.7+00:00

It's about Microsoft Graph application permissions for Azure apps.

I have an existing app in the Azure portal.

The app doesn't have the Microsoft Graph application permission Organization.Read.All.

However, after connecting to Graph using this app (Connect-MgGraph -TenantId 'xx' -ClientID 'xx' -CertificateThumbprint 'xx'), the Get-MgSubscribedSku command is successful and the SKU information is retrieved.

What should I do to investigate the cause?


Accepted answer
  1. Andy David - MVP 151.5K Reputation points MVP
    2023-10-31T11:30:37.0733333+00:00

    Ok, sorry, I misread that. In that case, check for any Entra directory roles the service principal may be assigned.

    From your picture it appears to have the Exchange Admin role assigned? If so, that might explain it, as the Exchange admin has the ability to see all the 365 resources and the SKUs may fall under that scope:

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#exchange-administrator

    1 person found this answer helpful.
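
The check suggested in the accepted answer can be scripted. This is an added example, not part of the original thread: it lists the application permissions granted to the app's service principal next to the Entra directory roles assigned directly to it. The `$clientId` placeholder and the admin session with the `Application.Read.All` and `RoleManagement.Read.Directory` scopes are assumptions.

```powershell
# Added example (not from the thread): show what the app's service principal
# is actually allowed to do, from application permissions AND directory roles.
# Assumption: run from a separate admin session, e.g.
#   Connect-MgGraph -Scopes 'Application.Read.All','RoleManagement.Read.Directory'
$clientId = '<app-client-id>'   # placeholder: the client ID passed to Connect-MgGraph

$sp = Get-MgServicePrincipal -Filter "appId eq '$clientId'"
if (-not $sp) { throw "No service principal found for appId $clientId" }

# 1. Application permissions (app roles) granted to the service principal.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$resources = @{}   # cache of resource service principals (e.g. Microsoft Graph)
$appPermissions = foreach ($a in $assignments) {
    if (-not $resources.ContainsKey($a.ResourceId)) {
        $resources[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    # Translate the app role GUID into its permission name.
    $role = $resources[$a.ResourceId].AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{
        Resource   = $a.ResourceDisplayName
        Permission = $role.Value
    }
}
$appPermissions | Sort-Object Resource, Permission | Format-Table -AutoSize

# 2. Entra directory roles assigned directly to the service principal.
#    (Roles inherited through group membership are not covered here.)
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($sp.Id)'" -All
$directoryRoles = foreach ($ra in $roleAssignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $ra.RoleDefinitionId
    [pscustomobject]@{
        Role  = $def.DisplayName
        Scope = $ra.DirectoryScopeId   # '/' means tenant-wide
    }
}
$directoryRoles | Format-Table -AutoSize

# 3. Flag the situation from the question: no Organization.Read.All,
#    but a directory role is present that may grant the read access instead.
if ($appPermissions.Permission -notcontains 'Organization.Read.All' -and $directoryRoles) {
    Write-Warning ("Organization.Read.All is not granted; access may come from: " +
        (($directoryRoles.Role | Sort-Object -Unique) -join ', '))
}
```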

1 additional answer

  1. Andy David - MVP 151.5K Reputation points MVP
    2023-10-30T11:28:41.5066667+00:00

    The account you are using may already have the delegated permissions.

    If connecting with the default Graph PS module, look up the Enterprise app in the portal and see what perms it has consented:

    Microsoft Graph Command Line Tools with an AppId of 14d82eec-204b-4c2f-b7e8-296a70dab67

