This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 45%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
I'm not new to powershell or AzureAD, but I am new to the AzureAD powershell module, service principals, Applications, app registrations, and the Microsoft Graph API. As an admin vs a dev, nearly everything about azure applications is greek to me.
However, with new cybersecurity requirements wanting MFA on everything I thought it was time to write some powershell using a service principal instead of a username and password.
Initially, I'm just looking to gather the list of assigned O365 licenses.
I created an app registration, which seems to have created an application and service principal.
I went into the api permissions on my app registration/application and granted Microsoft Graph API LicenseAssignment.ReadWrite.All , said Yes as an Administrator.
I created a self signed cert and uploaded it to my app registration/application
I got the AzureAD module, connected to my tenant using my application/service principal and its certificate.
I try running Get-AzureADSubscribedSku and get the following error:
Get-AzureADSubscribedSku : Error occurred while executing GetSubscribedSkus
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
What am I missing here?
Above command works fine if I sign in with a normal global admin account.
Try using the PS Graph SDK instead:
https://learn.microsoft.com/en-us/graph/powershell/installation
Note the AzureAD Module is being deprecated:
https://learn.microsoft.com/en-us/powershell/microsoftgraph/migration-steps?view=graph-powershell-beta
Yay, another thing to install and more half-baked commandlets because a certain portion of the population loves new no matter how bad it is.
Thanks, I will dig into this and give it a try tomorrow. Hopefully they haven't replaced it with something else by then. :)
@Sara Did you grant LicenseAssignment.ReadWrite.All application permission? Note, not delegated permissions.
Yes, I did grant that, and application, not delegated.
OK, after fighting with this a bit I got connected with the application and cert, and still got insufficient privileges. I tried adding more perms for read user, read directory, and readwrite directory. Still not working. Looked up userid and tried an object id vs samaccountname or UPN, still not working. Killed my powershell session and connected a new one, now I can do a Get-MgUserLicenseDetail on a userid and get info back. I think I need a different command to get the info I want- get-mgsubscribedsku might be enough, if I can figure out how to work with it to the point where I can select the right plan and the consumedunits- the documentation for the mgcommandlets is really lacking- they need a lot more examples.
Thanks for the help all, I think I have enough here to eventually get to what I need though I might have to revert back to azuread or msol modules.
