ADAL to MSAL - Insufficient privileges to complete the operation

Szasz Ludovic 21 Reputation points
2021-01-30T20:47:57.187+00:00

I have a scenario where I need to add an application to a security group from a DevOps pipeline. I have the following scenario that is working just fine:

  1. in pipeline I have the following powershel script:

if (!((Get-AzADGroupMember -ObjectId ((Get-AzADGroup -DisplayName $groupName).id)).DisplayName -eq $appName)) {Add-AzADGroupMember -MemberObjectId (Get-AzADServicePrincipal -DisplayName $appName).id -TargetGroupObjectId (Get-AzADGroup -DisplayName $groupName).id} else {"member is already part of the group"}

  1. the service principal has API permission of Azure Active Directory Graph with Directory.Read.All permission:

62124-image.png

  1. the service principal is owner of the security group:

62125-image.png

The problem is that Azure Active Directory Graph is on a deprecation path so I changed the permission to the recommended Microsoft Graph permission:

62176-image.png

but now I receive the "Insufficient privileges to complete the operation." error

62205-image.png

Please could anybody advise what else do I need to configure for this to work?

Thank you.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,542 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,696 Reputation points
    2021-02-01T09:42:57.25+00:00

    Hi @Szasz Ludovic · Thank you for reaching out.

    The AzAD PowerShell cmdlets still use Azure AD Graph API i.e. https://graph.windows.net. Granting permission to Microsoft Graph API is applicable for the calls made with https://graph.microsoft.com API.

    If you capture a fiddler trace while executing Get-AzADGroupMember cmdlet, you can see below call being made in the backend:

    https://graph.windows.net/<your_tenant_id>/groups?api-version=1.6

    So, you still need to have Azure AD Graph API permissions in place if you are using PowerShell to fetch information from Azure AD.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.