Reputation: 1214
I'm getting "ERROR: Insufficient privileges to complete the operation." when running az ad app permission add.
What permission do I need to grant my service principal for this to work?
I gave it the AppRoleAssignment.ReadWrite.All permission which says:
Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user.
Update: I also gave it Application.ReadWrite.All, but still getting the error.
Upvotes: 7
Views: 12793
Reputation: 1214
az cli is getting updated to use MS Graph API according to: https://github.com/Azure/azure-cli/issues/12946#issuecomment-737196942
Presumably this update will occur before AAD Graph API is retired on 6/30/2022: https://github.com/azure-deprecation/dashboard/issues/178
Once az cli gets updated then Application.ReadWrite.All permission on MS Graph API should work.
Upvotes: 2
Reputation: 133
Since the Microsoft Graph API is not working with the Azure CLI AD app permissions and the Azure AD Graph API is deprecated from April 2020, this can be achieved by giving Application administrator permissions to the AD app.
From Azure AD go to Roles and administrators > Application administrator.
Then Add assignment, find your client app and add it to the Application administrator role.
Upvotes: 9
Reputation: 133
There is a deprecation warning for the Azure AD Graph API as below.
This application is using Azure AD Graph API, which is on a deprecation path. Starting June 30th, 2020 we will no longer add any new features to Azure AD Graph API. We strongly recommend that you upgrade your application to use Microsoft Graph API instead of Azure AD Graph API to access Azure Active Directory resources
Also it seems the Microsoft Graph API is not working even though the relevant permissions are not provided.
Upvotes: 1
Reputation: 42043
I also gave it Application.ReadWrite.All, but still getting the error.
The Application.ReadWrite.All application permission is enough. I suppose you gave the Application.ReadWrite.All permission in Microsoft Graph; it will not work. You need to use the Application.ReadWrite.All in Azure AD Graph, then it will work.
After giving the permission, wait for a while and run the command; it returns a warning. Refresh the portal and you will find the API permission was added.
Upvotes: 8
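Because Azure AD Graph and Microsoft Graph are separate resources, a grant on one never shows up in a token issued for the other. The following added Python check (not code from any answer above) decodes the claims of an app-only access token, such as one fetched with az account get-access-token --resource https://graph.windows.net, and reports which Graph it targets and whether Application.ReadWrite.All is among its app roles; the audience identifiers and the sample tokens are assumptions constructed for the example.

```python
import base64
import json

# Assumed well-known audience values: Azure AD Graph (the API the older
# az cli used) versus Microsoft Graph. Roles granted on one API never
# appear in a token issued for the other.
AAD_GRAPH_AUDIENCES = {"https://graph.windows.net/", "https://graph.windows.net",
                       "00000002-0000-0000-c000-000000000000"}
MS_GRAPH_AUDIENCES = {"https://graph.microsoft.com/", "https://graph.microsoft.com",
                      "00000003-0000-0000-c000-000000000000"}
REQUIRED_ROLE = "Application.ReadWrite.All"


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT signature validation.

    This is a local diagnostic for reading claims you already hold;
    never use unverified claims for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_permission_token(token: str) -> dict:
    """Classify the token's target API and check for the app role the CLI needs."""
    claims = decode_jwt_payload(token)
    aud = claims.get("aud", "")
    roles = claims.get("roles", [])  # app-only tokens carry app roles here
    if aud in AAD_GRAPH_AUDIENCES:
        api = "aad_graph"
    elif aud in MS_GRAPH_AUDIENCES:
        api = "ms_graph"
    else:
        api = "other"
    has_role = REQUIRED_ROLE in roles
    # "ok" mirrors the answer above: the role must be granted on Azure AD Graph.
    return {"api": api, "has_role": has_role, "ok": api == "aad_graph" and has_role}


def make_token(claims: dict) -> str:
    """Build an unsigned JWT from constructed claims (test fixture only)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample tokens: same role, granted on different Graph APIs.
MS_GRAPH_TOKEN = make_token({"aud": "https://graph.microsoft.com", "roles": [REQUIRED_ROLE]})
AAD_GRAPH_TOKEN = make_token({"aud": "https://graph.windows.net/", "roles": [REQUIRED_ROLE]})
```

Run check_app_permission_token on a token obtained for the service principal: the Microsoft Graph sample reports has_role True but ok False, which is exactly the situation the question describes.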