Deprecated Azure AD Graph application permissions necessary to create groups

Marco Gerber 31 Reputation points
2021-08-25T07:18:58.347+00:00

We create and assign Azure AD groups by script (`az ad group create`) via Azure Pipelines and an app registration as the service principal. The docs state that the Microsoft Graph API application permissions Group.Create, Group.ReadWrite.All and Directory.ReadWrite.All are necessary.

https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http

We tested with the following permissions, resulting in the error `ERROR: Insufficient privileges to complete the operation.`:

Microsoft Graph

  • Directory.Read.All
  • Group.ReadWrite.All
  • GroupMember.ReadWrite.All
  • User.Read.All

As soon as we add the deprecated Azure Active Directory Graph permission Directory.Read.All, the group creation completes successfully. Are we missing anything here, since the Azure AD Graph API has been on a deprecation path since June 30th 2020?

Thanks!

Microsoft Entra ID
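A way to verify what the pipeline's service principal has actually been granted, as an added example that is not part of the original post or of any Microsoft tooling. It reads the JSON that `az rest --method GET --url "https://graph.microsoft.com/v1.0/servicePrincipals/<sp-object-id>/appRoleAssignments"` returns for the service principal, lists its Microsoft Graph application roles, checks whether one of the roles the linked doc lists (least to most privileged: Group.Create, Group.ReadWrite.All, Directory.ReadWrite.All; any one suffices) is present, counts grants that still point at the legacy Azure AD Graph resource, and emits the `az ad app permission add` / `admin-consent` commands for the least-privileged missing role. The object ids and the response below are constructed so the script runs offline; the Graph app-role ids are the published ones on the Microsoft Graph service principal and should be verified in your tenant with the `az ad sp show` query in the comments.

```python
"""Audit a pipeline service principal's app-role grants for group creation.

Added example, not from the original post. Input is the JSON returned by
  az rest --method GET \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/<sp-object-id>/appRoleAssignments"
A constructed sample is embedded so the script runs offline.
"""
import json

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (appId)
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # legacy Azure AD Graph (appId)

# Microsoft Graph application roles the group-create doc accepts, least to most
# privileged. Any ONE of them is enough to POST /groups.
GROUP_CREATE_ALTERNATIVES = ["Group.Create", "Group.ReadWrite.All", "Directory.ReadWrite.All"]

# appRole id -> value for the roles this script recognises. Verify in your tenant with:
#   az ad sp show --id 00000003-0000-0000-c000-000000000000 \
#     --query "appRoles[].{id:id,value:value}"
GRAPH_APP_ROLES = {
    "bf7b1a76-6e77-406b-b258-bf5c7720e98f": "Group.Create",
    "62a82d76-70ea-41e2-9197-370581804d09": "Group.ReadWrite.All",
    "19dbc75e-c2e2-444c-a770-ec69d8559fc7": "Directory.ReadWrite.All",
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All",
    "dbaae8cf-10b5-4b86-a4a1-f871c94c6695": "GroupMember.ReadWrite.All",
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
}

# Constructed object ids for the sample; real ones come from `az ad sp show --id <appId>`.
PIPELINE_SP = "11111111-1111-1111-1111-111111111111"
GRAPH_SP = "22222222-2222-2222-2222-222222222222"      # Microsoft Graph SP in the tenant
AAD_GRAPH_SP = "33333333-3333-3333-3333-333333333333"  # legacy Azure AD Graph SP in the tenant


def _grant(role_id, resource_id, resource_name):
    """One appRoleAssignment as Graph returns it (trimmed to the fields used here)."""
    return {"appRoleId": role_id, "principalId": PIPELINE_SP,
            "resourceId": resource_id, "resourceDisplayName": resource_name}


# Constructed sample mirroring the grants listed in the post: four Graph roles plus
# the legacy Azure AD Graph Directory.Read.All grant (its role id is illustrative).
SAMPLE_RESPONSE = json.dumps({"value": [
    _grant("7ab1d382-f21e-4acd-a863-ba3e13f7da61", GRAPH_SP, "Microsoft Graph"),
    _grant("62a82d76-70ea-41e2-9197-370581804d09", GRAPH_SP, "Microsoft Graph"),
    _grant("dbaae8cf-10b5-4b86-a4a1-f871c94c6695", GRAPH_SP, "Microsoft Graph"),
    _grant("df021288-bdef-4463-88db-98f22de89214", GRAPH_SP, "Microsoft Graph"),
    _grant("5778995a-e1bf-45b8-affa-663a9f3f4d04", AAD_GRAPH_SP, "Windows Azure Active Directory"),
]})


def audit(response_json, graph_sp_id, aad_graph_sp_id, role_map=GRAPH_APP_ROLES):
    """Summarise Graph roles held, whether group creation is covered, and legacy grants."""
    assignments = json.loads(response_json)["value"]
    # Match on resourceId (the resource SP's object id); display names are not unique.
    graph_roles = sorted(role_map.get(a["appRoleId"], a["appRoleId"])
                         for a in assignments if a["resourceId"] == graph_sp_id)
    satisfied_by = [r for r in GROUP_CREATE_ALTERNATIVES if r in graph_roles]
    legacy = [a for a in assignments if a["resourceId"] == aad_graph_sp_id]
    return {
        "graph_roles": graph_roles,
        "can_create_groups": bool(satisfied_by),
        "satisfied_by": satisfied_by,
        # Recommend the least-privileged alternative when none is held.
        "recommend": None if satisfied_by else GROUP_CREATE_ALTERNATIVES[0],
        "legacy_grants": len(legacy),
    }


def fix_commands(app_id, audit_result, role_map=GRAPH_APP_ROLES):
    """az commands that add the recommended Graph role to the app registration and consent to it."""
    if audit_result["can_create_groups"]:
        return []
    by_value = {v: k for k, v in role_map.items()}
    role_id = by_value[audit_result["recommend"]]
    return [
        f"az ad app permission add --id {app_id} --api {MS_GRAPH_APP_ID} "
        f"--api-permissions {role_id}=Role",
        f"az ad app permission admin-consent --id {app_id}",
    ]


if __name__ == "__main__":
    result = audit(SAMPLE_RESPONSE, GRAPH_SP, AAD_GRAPH_SP)
    print(json.dumps(result, indent=2))
    for cmd in fix_commands("<app-registration-id>", result):
        print(cmd)
```

`az ad app permission add` only records the requested role on the app registration (`requiredResourceAccess`); the `admin-consent` call is what creates the appRoleAssignment that a subsequent audit will see. A non-zero `legacy_grants` count is the signal to track down which step of the pipeline still depends on the Azure AD Graph resource before removing that grant.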