The Azure CLI seems to still use the old Azure AD Graph, thus the behavior you're seeing. You can monitor this GitHub issue for progress on switching to the MS Graph API: https://github.com/Azure/azure-cli/issues/12946

As mentioned therein, you can also use `az rest` for any AAD operations.
Deprecated Azure AD Graph application permissions necessary to create groups
We create and assign Azure AD groups by script (`az ad group create`) via Azure Pipelines and an app registration as service principal. In the docs it's stated that the Microsoft Graph API needs the application permissions Group.Create, Group.ReadWrite.All and Directory.ReadWrite.All:
https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http

We tested with the following permissions, resulting in the error `ERROR: Insufficient privileges to complete the operation.`:
Microsoft Graph
- Directory.Read.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- User.Read.All
As soon as we add the deprecated Azure Active Directory Graph permission Directory.Read.All, the group creation completes successfully. Are we missing anything here, since the Azure AD Graph API has been on a deprecation path since June 30th 2020?
Thanks!
Vasil Michev, 100.2K Reputation points, MVP
2021-08-25T07:30:28.673+00:00
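A way to check which API a token is actually scoped to before granting a deprecated permission, added here as an example script that is not part of the answer above or of the Azure CLI project: it decodes the payload of an access token (the one `az account get-access-token --resource-type ms-graph` would return for the service principal), verifies that the `aud` claim is Microsoft Graph rather than the legacy Azure AD Graph (`https://graph.windows.net`), and looks for one of the application roles the Graph docs list for group creation. The JWT used below is constructed in the script with dummy, unsigned values so it runs without a tenant; the `make_sample_token`, `jwt_claim`, `has_role` and `check_group_create_token` names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Inspect an app-only token before
# creating a group through Microsoft Graph with "az rest", instead of granting
# the deprecated Azure AD Graph permission to make "az ad group create" work.
set -euo pipefail

# base64url-encode stdin-less input (used only to build the constructed sample token)
b64url() { printf '%s' "$1" | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='; }

# Build an unsigned JWT from a JSON payload. Constructed test data only:
# a real token is signed, this one carries an empty signature segment.
make_sample_token() { printf '%s.%s.' "$(b64url '{"alg":"none","typ":"JWT"}')" "$(b64url "$1")"; }

# Decode the payload (second segment) of a JWT: base64url -> base64 with padding.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="${seg}==" ;; 3) seg="${seg}=" ;; esac
  printf '%s' "$seg" | base64 -d
}

# Extract a string-valued claim ($2) from token $1.
jwt_claim() { jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }

# True if the "roles" array claim (application permissions) contains role $2 exactly.
has_role() {
  local esc
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  jwt_payload "$1" | grep -q "\"roles\":\[[^]]*\"$esc\""
}

# Accept the token only if it targets Microsoft Graph (URL or well-known app id)
# and carries one of the app roles the Graph docs list for POST /groups.
check_group_create_token() {
  local tok=$1 aud role
  aud=$(jwt_claim "$tok" aud)
  case "$aud" in
    https://graph.microsoft.com|00000003-0000-0000-c000-000000000000) ;;
    *) echo "aud is '$aud', not Microsoft Graph (legacy AAD Graph token?)" >&2; return 1 ;;
  esac
  for role in Group.Create Group.ReadWrite.All Directory.ReadWrite.All; do
    has_role "$tok" "$role" && return 0
  done
  echo "token has no group-creation application role" >&2
  return 1
}

# Request body for POST https://graph.microsoft.com/v1.0/groups (security group).
group_create_body() {
  printf '{"displayName":"%s","mailNickname":"%s","mailEnabled":false,"securityEnabled":true}' "$1" "$2"
}

# Demonstration with constructed tokens; nothing here talks to Azure.
good=$(make_sample_token '{"aud":"https://graph.microsoft.com","roles":["Group.Create","Directory.Read.All"]}')
legacy=$(make_sample_token '{"aud":"https://graph.windows.net","roles":["Directory.Read.All"]}')
check_group_create_token "$good" && echo "MS Graph token ok: create the group with"
echo "  az rest --method POST --url https://graph.microsoft.com/v1.0/groups --body '$(group_create_body pipeline-team pipeline-team)'"
check_group_create_token "$legacy" || echo "legacy token rejected as expected"
```

In a pipeline the token to inspect comes from `az account get-access-token --resource-type ms-graph --query accessToken -o tsv`; if the check passes, the `az rest` call printed above creates the group through Microsoft Graph with only the Graph application permissions, so the deprecated Azure AD Graph Directory.Read.All grant can be left off the service principal.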