3

I have a service principal account that I use to automate compute and resource management objects without issue. What I can't seem to interact with is the Azure AD side of the house. I am getting an

"azure.graphrbac.models.graph_error.GraphErrorException: Insufficient privileges to complete the operation"

I'm not sure where to go to add the correct privileges for this. Currently testing the following just to see if I can at least list users:

from azure.common.credentials import ServicePrincipalCredentials
from azure.graphrbac import GraphRbacManagementClient

# The token has to be requested for the AAD Graph resource, not for ARM,
# otherwise the directory API rejects it regardless of what was granted.
graph_credentials = ServicePrincipalCredentials(
    client_id = CLIENT,
    secret = KEY,
    tenant = TENANT_ID,
    resource = 'https://graph.windows.net'
)

graphrbac_client = GraphRbacManagementClient(graph_credentials, TENANT_ID)

# Listing groups needs an application permission (e.g. Directory.Read.All) on the
# same API the token is issued for, with admin consent granted.
for item in graphrbac_client.groups.list():
    print(item)

I've checked resources online and the SDK documentation, it looks like I'm doing it correctly. I'm sure it is something simple. I've also tried to use UserPassCredentials() but I get other errors. Don't want to use user creds for this anyway.

Permissions set: (screenshot)

2
  • Please edit your question and include the permissions assigned to this service principal. More than likely you didn't include the permission for the list groups operation (which requires admin privileges, BTW). Commented Oct 7, 2019 at 1:12
  • @GauravMantri, I added it. Thanks for pointing that out. Commented Oct 7, 2019 at 17:18

2 Answers

2

I suppose you have not granted the API permission to your AD App.

Navigate to your AD App in the portal -> API permissions -> grant the Azure Active Directory Graph application permission (e.g. Directory.Read.All); after adding the permission, click the Grant consent button at the end.

(screenshot)

Then I tested it on my side; it works fine.

(screenshot)


3 Comments

That didn't seem to do it either. I'm trying to automate, and forgive me if I am getting terms crossed. I created an 'app' under 'App Registration'. This is where I'm getting the client id, tenant id, and key. If that's all the same then adding the Graph API just as you show results in the same error. The Tenant ID is just a long string, correct? In some docs I see it as an FQDN.
@Nathan Please add a screenshot of the API permissions of your application to the question.
I added the permissions in the OP.
1

I found out what the issue was. I was selecting the permissions under "Microsoft Graph" and that wasn't giving it the correct permissions. I didn't notice at the bottom of the API list was the Azure Active Directory Graph. I changed it there and it worked.

My question is now, this is listed as legacy. Should I be concerned with that? Is there a more proper way of doing this now?

1 Comment

Don't worry, you can use the AAD Graph currently. Microsoft just recommends that you use Microsoft Graph. There is a Microsoft Graph SDK now, but it does not support Python. You can also call the MS Graph manually: learn.microsoft.com/en-us/graph/api/…
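A check that makes both answers concrete, added here as example code (it is not from the original question or either answer). The first answer says to grant the permission and click Grant consent; the second says the grant has to be on the same API the token is requested for. Both facts are visible in the access token itself: an app-only token carries its application permissions in the `roles` claim, and its `aud` claim names the API it was issued for, so a permission granted under Microsoft Graph never shows up in a token minted for `https://graph.windows.net`. The block below decodes a token's payload (without verifying the signature, which is fine for local inspection but must never be used as an authorization decision) and reports why a call such as `groups.list()` would fail. The sample tokens are constructed, unsigned JWTs with made-up claims; the audience identifiers are the ones Azure AD uses for the two directory APIs, and the helper and function names are my own.

```python
"""Diagnose an Azure AD app-only access token before calling a directory API.

Added example, not code from the original post. Signature is NOT verified:
this is for local troubleshooting only, never for an authorization check.
"""
import base64
import json
import time

# Audience values Azure AD puts in app-only tokens for the two directory APIs.
# A permission granted under one API never appears in a token for the other.
AUDIENCES = {
    "aad_graph": {"https://graph.windows.net", "https://graph.windows.net/",
                  "00000002-0000-0000-c000-000000000000"},
    "ms_graph": {"https://graph.microsoft.com", "https://graph.microsoft.com/",
                 "00000003-0000-0000-c000-000000000000"},
}


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, api: str, required_roles, now=None) -> list:
    """List the reasons `api` would reject this token for `required_roles`.

    `api` is "aad_graph" or "ms_graph". An empty list means the token should
    work; otherwise each entry is one thing to fix in the app registration.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("aud") not in AUDIENCES[api]:
        problems.append(f"audience {claims.get('aud')!r} is not {api}; "
                        "the token was requested for a different resource")
    # App-only tokens carry application permissions in `roles`; a delegated
    # (user) token carries `scp` instead and application permissions do not apply.
    if "scp" in claims and "roles" not in claims:
        problems.append("delegated token (scp claim): application permissions not applied")
    missing = sorted(set(required_roles) - set(claims.get("roles", [])))
    if missing:
        problems.append("missing application permission(s) " + ", ".join(missing)
                        + "; grant them on the matching API and click Grant admin consent")
    return problems


def make_token(claims: dict) -> str:
    """Build an unsigned JWT from constructed claims, for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims (real Azure AD tokens carry many more).
NOW = 1_570_000_000
APPID = "00000000-0000-0000-0000-000000000001"  # made-up client id
# Granted on AAD Graph, consented, token requested for AAD Graph: works.
WORKING = make_token({"aud": "https://graph.windows.net", "exp": NOW + 3600,
                      "appid": APPID, "roles": ["Directory.Read.All"]})
# Permission granted under Microsoft Graph instead: the AAD Graph token has no roles.
NO_ROLES = make_token({"aud": "https://graph.windows.net", "exp": NOW + 3600,
                       "appid": APPID})
# Right permission, but the token was requested with the Microsoft Graph resource.
WRONG_AUD = make_token({"aud": "https://graph.microsoft.com", "exp": NOW + 3600,
                        "appid": APPID, "roles": ["Directory.Read.All"]})

if __name__ == "__main__":
    for name, tok in [("working", WORKING), ("no roles", NO_ROLES), ("wrong aud", WRONG_AUD)]:
        print(f"{name}: {diagnose(tok, 'aad_graph', ['Directory.Read.All'], now=NOW) or 'OK'}")
```

With the real SDK, the token to inspect is the one msrestazure keeps on the credential object after it authenticates (`graph_credentials.token['access_token']`); run `diagnose` on it with `"aad_graph"` for azure-graphrbac, or `"ms_graph"` if you switch to calling Microsoft Graph directly, and the `GraphErrorException` in the question maps to the "missing application permission(s)" case.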
