Grant Entra ID permissions to service principal

Mobu 0 Reputation points Microsoft Vendor
2024-05-31T13:28:35.0866667+00:00

Hi team, I'm confused with role assignment for service principal.

It seems there are 2 ways to grant permission to service principal (for example permission to read directory). One way is to assign an Entra role with directory read permission (such as Directory Reader) to the service principal. Another way is to add app role like Directory.Read.All. Are they just two alternative ways? Do they have the same effect?

Tags: Azure App Service, Microsoft Entra ID

2 answers

  1. Babafemi Bulugbe 2,680 Reputation points MVP
    2024-05-31T14:57:30.58+00:00

    Hello Mobu,

    Thank you for posting your query in the Microsoft Q&A Community.

    I understand you would like to know the difference between a Directory Reader role and a Directory.Read.All permission.

    Please be informed that the Directory.Read.All permission allows your app to read all the groups, apps, and some policies in your tenant. When this permission is granted, it provides broad access to various resources within the directory.

    However, the Directory Reader role provides fewer permissions compared to the Directory.Read.All. If assigned to a service principal or users, they are only able to access basic directory information.

    Follow this link to get more information about this.

    Let me know if you need more information.

    Babafemi


  2. Andy David - MVP 143.6K Reputation points MVP
    2024-05-31T19:19:24.8233333+00:00

    As far as I know, there is not much difference, and you would only need to grant the SP the Directory Reader role when the app you are using doesn't support the Graph perms. See:

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#directory-readers


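The two grant paths discussed in this thread (an Entra directory role assignment versus a Microsoft Graph application permission) are stored in different places and show up on different portal blades, so an audit that checks only one of them will miss service principals that obtained directory-read access through the other. The following Python script is an added example, not code from either answer or from Microsoft: it reconciles the two Graph result sets for a service principal and reports which path (or both) grants it directory read. The sample JSON is constructed to mimic the `value` arrays returned by `GET /roleManagement/directory/roleAssignments` and `GET /servicePrincipals/{id}/appRoleAssignments`; the principal ids (`sp-a` to `sp-d`) and the Graph service principal object id are made up. The Directory Readers role template id, the Directory.Read.All application permission id and the Microsoft Graph appId are the well-known published values, but they are assumptions here and should be verified against your own tenant before relying on the output.

```python
"""Audit which mechanism grants a service principal directory-read access.

Added example for the Q&A thread above; not part of the thread or of any
Microsoft tool. It runs offline on constructed sample data shaped like the
Microsoft Graph responses named in the comments below.
"""
import json

# Well-known identifiers (assumed correct; verify in your tenant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"                    # Microsoft Graph resource appId
DIRECTORY_READERS_TEMPLATE_ID = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"   # Directory Readers role template
DIRECTORY_READ_ALL_APP_ROLE_ID = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"  # Directory.Read.All (application)

# Constructed object id of the Microsoft Graph service principal in a hypothetical tenant.
# In a real run, resolve it with: GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>'
GRAPH_SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed sample: `value` of GET /roleManagement/directory/roleAssignments
# (for built-in roles, roleDefinitionId equals the role template id).
SAMPLE_ROLE_ASSIGNMENTS = json.loads("""[
 {"id": "ra1", "principalId": "sp-a", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
  "directoryScopeId": "/"},
 {"id": "ra2", "principalId": "sp-c", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
  "directoryScopeId": "/administrativeUnits/au-1"}
]""")

# Constructed sample: `value` of GET /servicePrincipals/{id}/appRoleAssignments,
# concatenated for several principals. Entry ara3 is a role on a different API
# that happens to carry the same appRoleId; it must NOT count as Graph access.
SAMPLE_APP_ROLE_ASSIGNMENTS = json.loads("""[
 {"id": "ara1", "principalId": "sp-a", "resourceId": "11111111-1111-1111-1111-111111111111",
  "resourceDisplayName": "Microsoft Graph", "appRoleId": "7ab1d382-f21e-4acd-a863-ba3e13f7da61"},
 {"id": "ara2", "principalId": "sp-b", "resourceId": "11111111-1111-1111-1111-111111111111",
  "resourceDisplayName": "Microsoft Graph", "appRoleId": "7ab1d382-f21e-4acd-a863-ba3e13f7da61"},
 {"id": "ara3", "principalId": "sp-d", "resourceId": "22222222-2222-2222-2222-222222222222",
  "resourceDisplayName": "Other API", "appRoleId": "7ab1d382-f21e-4acd-a863-ba3e13f7da61"}
]""")


def audit_directory_read(principal_id, role_assignments, app_role_assignments,
                         graph_sp_object_id=GRAPH_SP_OBJECT_ID):
    """Return how `principal_id` obtains directory-read access, if at all.

    entra_role_scopes: directoryScopeId of every Directory Readers assignment
                       ("/" = whole tenant, otherwise an administrative unit).
    graph_app_permission: True if Directory.Read.All is granted on Microsoft Graph.
    summary: "none" | "entra-role-only" | "graph-permission-only" | "both".
    """
    scopes = [ra.get("directoryScopeId", "/") for ra in role_assignments
              if ra["principalId"] == principal_id
              and ra["roleDefinitionId"] == DIRECTORY_READERS_TEMPLATE_ID]

    # Match on resourceId as well as appRoleId: appRoleIds are defined per
    # resource application, so the id alone does not identify Graph.
    has_graph_perm = any(ara["principalId"] == principal_id
                         and ara["resourceId"] == graph_sp_object_id
                         and ara["appRoleId"] == DIRECTORY_READ_ALL_APP_ROLE_ID
                         for ara in app_role_assignments)

    if scopes and has_graph_perm:
        summary = "both"
    elif scopes:
        summary = "entra-role-only"
    elif has_graph_perm:
        summary = "graph-permission-only"
    else:
        summary = "none"
    return {"principal_id": principal_id, "entra_role_scopes": scopes,
            "graph_app_permission": has_graph_perm, "summary": summary}


def audit_all(principal_ids, role_assignments, app_role_assignments):
    """Audit a list of service principal ids; returns {principal_id: result}."""
    return {pid: audit_directory_read(pid, role_assignments, app_role_assignments)
            for pid in principal_ids}


if __name__ == "__main__":
    report = audit_all(["sp-a", "sp-b", "sp-c", "sp-d"],
                       SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_APP_ROLE_ASSIGNMENTS)
    for pid, res in report.items():
        print(f"{pid}: {res['summary']}  role scopes={res['entra_role_scopes']}  "
              f"Directory.Read.All={res['graph_app_permission']}")
```

Running it lists `sp-a` as having both grants, `sp-b` only the Graph application permission, `sp-c` only the Entra role (and scoped to an administrative unit rather than the whole tenant), and `sp-d` neither, because its matching appRoleId sits on a different resource. In a real audit you would feed the script the live results of the two Graph calls named in the comments; the reconciliation logic is the same.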