Hi @Vish,
The error message means that you need to assign the "Reader" role at the /providers/Microsoft.Subscription scope.
To resolve this, do the following:
- Make sure this setting (https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#azure-portal) is turned on so all Global Admins in the tenant have "User Access Administrator" permissions at the "/" scope
- Using a Global Admin of the AAD tenant, connect using the Az module and assign permissions to the service principal like this:

    # Sign in to the tenant as a Global Administrator
    Connect-AzAccount -Tenant xxxxxxxx
    # Look up the service principal by its display name
    $sp = Get-AzADServicePrincipal -DisplayName "appdisplayname"
    # Grant it Reader at the tenant-level Microsoft.Subscription scope
    New-AzRoleAssignment -ObjectId $sp.Id -Scope /providers/Microsoft.Subscription -RoleDefinitionName "Reader"
- Then retry the operation with the service principal.
Let me know if this helps resolve the issue.
Thanks,
Marilee
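The whole procedure from the answer above (elevate the Global Admin, grant the service principal Reader at /providers/Microsoft.Subscription, verify) as one script, as an added example that is not part of the original answer. It does the elevation with the documented elevateAccess REST call through Invoke-AzRestMethod instead of the portal toggle, refuses to proceed if the display name matches more than one service principal, and removes the root-scope "User Access Administrator" assignment again when it was the one that created it. The tenant ID and the service principal display name are placeholders you replace.

```powershell
# Added example (not from the original answer). Assumptions: $TenantId and
# $SpDisplayName are placeholders; the signed-in account is a Global Administrator
# of that tenant; the Az module is installed.

$TenantId      = "00000000-0000-0000-0000-000000000000"   # assumed tenant ID
$SpDisplayName = "appdisplayname"                         # assumed SP display name
$TargetScope   = "/providers/Microsoft.Subscription"
$RoleName      = "Reader"
$UaaRole       = "User Access Administrator"

# 1. Sign in as a Global Administrator of the tenant.
Connect-AzAccount -Tenant $TenantId | Out-Null
$me = (Get-AzContext).Account.Id

# 2. Elevate access only if the GA does not already hold User Access
#    Administrator at "/" (same effect as the portal toggle, via REST).
$elevatedHere = $false
$uaaAtRoot = Get-AzRoleAssignment -SignInName $me -Scope "/" -RoleDefinitionName $UaaRole -ErrorAction SilentlyContinue
if (-not $uaaAtRoot) {
    $resp = Invoke-AzRestMethod -Method POST -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
    if ($resp.StatusCode -ne 200) {
        throw "elevateAccess failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    $elevatedHere = $true
    # Sign out and back in so the new token carries the root-scope assignment.
    Disconnect-AzAccount | Out-Null
    Connect-AzAccount -Tenant $TenantId | Out-Null
}

# 3. Resolve the service principal; display names are not unique, so fail loudly
#    rather than silently assigning to the first match.
$sps = @(Get-AzADServicePrincipal -DisplayName $SpDisplayName)
if ($sps.Count -ne 1) {
    throw "Expected exactly one service principal named '$SpDisplayName', found $($sps.Count)"
}
$sp = $sps[0]

# 4. Assign Reader at the tenant-level scope, skipping if it already exists.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $TargetScope -RoleDefinitionName $RoleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -Scope $TargetScope -RoleDefinitionName $RoleName | Out-Null
}

# 5. Verify what the service principal now holds at that scope.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $TargetScope |
    Format-Table DisplayName, RoleDefinitionName, Scope

# 6. Least privilege: drop the root-scope elevation if this script created it.
if ($elevatedHere) {
    Remove-AzRoleAssignment -SignInName $me -Scope "/" -RoleDefinitionName $UaaRole
}
```

Step 6 matters in practice: elevated access at "/" grants the admin rights over every subscription and management group in the tenant, so it should be held only for the duration of the change. If you also manage the elevation from the portal, leave that toggle off afterwards for the same reason.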