Sara-4922 asked:

Can't view license info via service principal using AzureAD PowerShell module

I'm not new to PowerShell or AzureAD, but I am new to the AzureAD PowerShell module, service principals, applications, app registrations, and the Microsoft Graph API. As an admin vs. a dev, nearly everything about Azure applications is Greek to me.
However, with new cybersecurity requirements wanting MFA on everything, I thought it was time to write some PowerShell using a service principal instead of a username and password.

Initially, I'm just looking to gather the list of assigned O365 licenses.

I created an app registration, which seems to have created an application and service principal.
I went into the API permissions on my app registration/application and granted Microsoft Graph API LicenseAssignment.ReadWrite.All, and said Yes as an administrator.
I created a self-signed cert and uploaded it to my app registration/application.
I got the AzureAD module and connected to my tenant using my application/service principal and its certificate.

I try running Get-AzureADSubscribedSku and get the following error:
Get-AzureADSubscribedSku : Error occurred while executing GetSubscribedSkus
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.

What am I missing here?

The above command works fine if I sign in with a normal global admin account.


1 Answer

AndyDavid answered. Comments:

Yay, another thing to install and more half-baked commandlets because a certain portion of the population loves new no matter how bad it is.

Thanks, I will dig into this and give it a try tomorrow. Hopefully they haven't replaced it with something else by then. :)


@Sara-4922 Did you grant LicenseAssignment.ReadWrite.All application permission? Note, not delegated permissions.


Yes, I did grant that, and application, not delegated.


OK, after fighting with this a bit I got connected with the application and cert, and still got insufficient privileges. I tried adding more perms for read user, read directory, and read/write directory. Still not working. Looked up the user ID and tried an object ID vs. sAMAccountName or UPN; still not working. Killed my PowerShell session and connected a new one, and now I can do a Get-MgUserLicenseDetail on a user ID and get info back. I think I need a different command to get the info I want. Get-MgSubscribedSku might be enough, if I can figure out how to work with it to the point where I can select the right plan and the ConsumedUnits. The documentation for the Mg cmdlets is really lacking; they need a lot more examples.

Thanks for the help, all. I think I have enough here to eventually get to what I need, though I might have to revert to the AzureAD or MSOL modules.

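To get from Get-MgSubscribedSku to a plan's ConsumedUnits, as the last comment asks, here is an added example (not code from this thread or from Microsoft) that signs in app-only with the app registration's certificate and tabulates remaining seats per SKU; the tenant ID, client ID, thumbprint, user UPN and the 'ENTERPRISEPACK' SKU are placeholders. It assumes the app holds Organization.Read.All or Directory.Read.All as an application permission with admin consent, which is what the subscribedSkus endpoint checks (LicenseAssignment.ReadWrite.All covers assigning licenses, not reading the SKU list), and that a fresh Connect-MgGraph follows any permission change so the token carries the new app roles.

```powershell
# Added example; replace the placeholders with your own values.
$TenantId   = '<tenant-id>'
$ClientId   = '<application-client-id>'   # Application (client) ID of the app registration
$Thumbprint = '<certificate-thumbprint>'  # cert uploaded to the app registration, installed in CurrentUser\My

# App-only (client credential) sign-in with the certificate: no user, no MFA prompt.
# Assumes Organization.Read.All or Directory.Read.All is granted as an APPLICATION
# permission with admin consent. Reconnect after changing permissions; a token issued
# before the change does not pick up the new roles.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint -NoWelcome

# Make sure this really is an app-only session before trusting the results.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') { throw "Expected app-only auth, got $($ctx.AuthType)" }

# Tenant-wide license pool: one row per SKU with enabled, consumed and remaining seats.
$report = Get-MgSubscribedSku -All | ForEach-Object {
    [pscustomobject]@{
        Sku       = $_.SkuPartNumber
        Enabled   = $_.PrepaidUnits.Enabled
        Consumed  = $_.ConsumedUnits
        Remaining = $_.PrepaidUnits.Enabled - $_.ConsumedUnits
        Status    = $_.CapabilityStatus
    }
}
$report | Sort-Object Remaining | Format-Table -AutoSize

# Pick one plan and check the headroom, e.g. before a bulk assignment.
# 'ENTERPRISEPACK' is a sample SkuPartNumber (Office 365 E3); use the one from the table above.
$target = $report | Where-Object Sku -eq 'ENTERPRISEPACK'
if ($target -and $target.Remaining -le 0) {
    Write-Warning "No free seats left on $($target.Sku)"
}

# Per-user detail accepts either the object ID or the UPN as -UserId.
Get-MgUserLicenseDetail -UserId 'user@contoso.example' |
    Select-Object SkuPartNumber,
        @{ n = 'ServicePlans'; e = { ($_.ServicePlans.ServicePlanName) -join ',' } }

Disconnect-MgGraph
```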