Deprecated Azure AD Graph application permissions necessary to create groups

Question

We create and assign Azure AD groups by script ( az ad group create ) via Azure pipelines and an app registration as service principal. In the docs it's stated that the Microsoft Graph API needs application permissions Group.Create, Group.ReadWrite.All and Directory.ReadWrite.All are necessary.

https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http

We tested with the following permissions, resulting in the error ERROR: Insufficient privileges to complete the operation.:

Microsoft Graph

• Directory.Read.All
• Group.ReadWrite.All
• GroupMember.ReadWrite.All
• User.Read.All

As soon as we add the deprecated Azure Active Directory Graph permission Directory.Real.All the group creation completes successfully. Are we missing anything here, since the Azure AD Graph API is on a deprecation path since June 30th 2020.

Thanks!

Answer 1

The Azure CLI seems to still use the old Azure AD Graph, thus the behavior you're seeing. You can monitor this GitHub issue for progress on switching to the MS Graph API: https://github.com/Azure/azure-cli/issues/12946
As mentioned therein, you can also use "az rest" for any AAD operations.