
0 Votes
AnchalMadankar-0136 asked ·

Issues regarding to the Azure app permission

Hello Team,

We want to know the approach for Azure login without browser interaction and without providing the credentials. For that, we got the Azure CLI command, i.e. `az login --service-principal -u -p --tenant`.

We are successfully logged in, but when we execute the below command, i.e.

`az ad app permission list --id`

we got the error: "Insufficient Privileges to complete the operations."

It will be very helpful if you provide the API and SDK for the same, if available.

Kindly help us as soon as possible.

4891-app-permission.png



0 Votes
shashishailaj answered ·

Hello @AnchalMadankar-0136 ,

When you registered the service principal, an app would have been registered in your Azure AD tenant. You need to log on to the Azure Portal with a Global Admin account so that you can make this modification. In case you are not the global admin, you will need to contact your internal IT team, who would have global administrator rights within your tenant. Within the App registrations section, you will need to go to API permissions to give the application the API permissions it needs to list the information. Please take a look at the screenshots below.

4901-adperm.jpg

This will open a left pane listing all the APIs available, along with any APIs your organization is using or has created.

4852-apiperm.jpg

I am not sure which type of application you have, but you can request delegated permissions for your application/service principal or application permissions, depending upon the details as mentioned.

4902-delapp.jpg

With the details that you have provided in the screenshot, I am assuming you would need application permissions as below. But I am not sure of your needs, so you may have to check the existing permissions on the Graph API to find what fits your need.

4882-appperm3.jpg

Anything that says "Admin consent required" would require you to first set all the permissions and contact a global admin for tenant-wide consent. The global admin would need to log on to the Azure portal, go to this app within the App registrations blade and provide the admin consent by clicking "Grant Admin consent to tenant", as shown in the first image here. You can read more about permissions and consent here.

Hope this helps. In case the information provided in this post helps you, please do accept this as the answer so that it is helpful for other members of the community searching for similar answers. In case you have any queries, please do let us know.

Thank you.


Thanks for your quick reply,

Actually, we are able to list and add the permissions to the registered app through the Azure portal.

But we want Azure CLI/SDK/API to make the way dynamic. So is there any dynamic way, from Azure login to app permission set, by using API/SDK/CLI without interaction with the portal?

0 Votes 0 ·
1 Vote
amanpreetsingh-msft answered ·

@AnchalMadankar-0136 You need to assign the Directory Writers role to the service principal first. Please follow the below steps for this purpose:

  1. Run the `Get-AzureADDirectoryRole` cmdlet and copy the object ID of the Directory Writers role.

  2. Run the `Get-AzureADServicePrincipal` cmdlet and copy the object ID of the service principal.

  3. Run `Add-AzureADDirectoryRoleMember -ObjectId object_ID_of_the_Directory_Writers_role -RefObjectId object_ID_of_the_service_principal` to assign the Directory Writers role to the service principal.

  4. Try running `az ad app permission list --id`. You should be able to run the command successfully.


Please "Accept as answer" wherever the information provided helps you to help others in the community.
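The four steps above as one AzureAD PowerShell script (an added example, not code from the thread or from Microsoft). It assumes the AzureAD module is installed, that the person running it signs in interactively with an account allowed to manage directory roles, and that the service principal is identified by the placeholder display name `my-automation-app`. It also handles the case where `Get-AzureADDirectoryRole` does not return "Directory Writers" at all: that cmdlet lists only roles already activated in the tenant, so the script activates the role from its template first.

```powershell
# Added example: assign the "Directory Writers" directory role to a service principal
# with the AzureAD module, then list every service principal holding that role so the
# grant can be reviewed. Role name and display name below are assumptions/placeholders.

Import-Module AzureAD
Connect-AzureAD   # interactive sign-in by the administrator performing the assignment

$RoleName      = 'Directory Writers'
$SpDisplayName = 'my-automation-app'   # placeholder: display name of the service principal

# Step 1: Get-AzureADDirectoryRole returns only roles activated in the tenant.
#         If the role is not listed yet, activate it from its role template.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $template) { throw "Role template '$RoleName' not found in this tenant." }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Write-Host "Role object ID: $($role.ObjectId)"

# Step 2: resolve the service principal (the enterprise-application object, not the
#         app registration) and take its ObjectId, which is what -RefObjectId expects.
$sp = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$SpDisplayName'")
if ($sp.Count -eq 0) { throw "Service principal '$SpDisplayName' not found." }
if ($sp.Count -gt 1) { throw "Several service principals named '$SpDisplayName'; pick one by ObjectId." }
$sp = $sp[0]
Write-Host "Service principal object ID: $($sp.ObjectId) (AppId: $($sp.AppId))"

# Step 3: add the role member, skipping the call if it is already a member so the
#         script can be re-run safely.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Host "'$SpDisplayName' already holds '$RoleName'."
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Host "Assigned '$RoleName' to '$SpDisplayName'."
}

# Step 4 (review): show every service principal that now holds the role. Directory
#         Writers can modify directory objects, so this list is worth keeping short.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectType -eq 'ServicePrincipal' } |
    Select-Object DisplayName, ObjectId, AppId
```

After the role is assigned, `az login --service-principal` followed by `az ad app permission list --id <app id>` can be retried from the automation account. The final listing is there because a role this broad, held by a non-interactive identity, is exactly the kind of grant that should be recorded and periodically reviewed.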

@AnchalMadankar-0136 Have you had a chance to test the above steps? If the issue is resolved please "Accept as answer" to help others in the community. If you have any further questions, please let me know.

0 Votes 0 ·
PrashuDA · amanpreetsingh-msft ·

@amanpreetsingh-msft
I ran `Get-AzureADDirectoryRole`; it doesn't list "Directory Writers", instead it has "Directory Reader". How can I add "Directory Writers"?
`Get-AzureADServicePrincipal`: what do you mean by object ID of the service principal?

0 Votes 0 ·