prog1011

Reputation: 3495

New-AzureADServiceAppRoleAssignment throws Error when use it without Global Admin account

I am using a .NET Core app hosted on the Azure Portal. Now at some place I need to get the details of the logged-in user (Active Directory user) in the application. So for that I am using the Microsoft Graph API. To set up this permission I am using the Get-AzureADServiceAppRoleAssignment command. It works fine when I run this command with Global Administrator account access, but it throws an error when I use it without Global Administrator account access. Error: Service_InternalServerError, as shown in the image below.

Anyone have an idea or suggestions how to get rid of this error, and Is there any way to run this script without Global Admin access?

Any help or suggestions will be highly appreciated! Thanks

Upvotes: 1

Views: 1603

Answers (2)

AlfredoRevilla-MSFT

Reputation: 3515

Assign the Cloud Application Administrator directory role to the affected user and try again.

Upvotes: 1
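One way to apply this answer with the AzureAD PowerShell module, as an added example that is not part of the answer above: it lists the directory roles the affected user currently holds, activates the Cloud Application Administrator role from its template if the tenant has never used it, and adds the user only when missing. The UPN is a placeholder, and the script assumes Connect-AzureAD has already been run by an administrator.

```powershell
# Added example (not from the original answer). Assumes the AzureAD module
# and an existing Connect-AzureAD session with rights to manage directory roles.
$userUpn  = 'affected.user@contoso.example'      # placeholder UPN
$roleName = 'Cloud Application Administrator'   # role suggested in the answer

$user = Get-AzureADUser -ObjectId $userUpn

# Diagnostic first: which activated directory roles does this user hold today?
# This tells you whether the account really lacks the role or the error lies elsewhere.
$heldRoles = Get-AzureADDirectoryRole | Where-Object {
    (Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId).ObjectId -contains $user.ObjectId
}
Write-Host "Roles held by $($userUpn): $($heldRoles.DisplayName -join ', ')"

# Built-in roles only appear in Get-AzureADDirectoryRole once activated;
# fall back to the template and enable it when the tenant has never used the role.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Add the member only if not already present, so the script is safe to re-run.
if ($heldRoles.DisplayName -notcontains $roleName) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Added $userUpn to '$roleName'; sign in again before retrying the app role assignment."
} else {
    Write-Host "$userUpn already holds '$roleName'."
}
```

Directory role changes apply to new tokens, so the user must sign out and back in before re-running New-AzureADServiceAppRoleAssignment; the role list printed first is also what you would compare against the Azure AD audit log when deciding whether a broader role is actually needed.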

alphaz18

Reputation: 2766

The problem here is you don't necessarily need Global Admin, but the application/user would need a role that has at least role assignment permissions. So you could create a custom role at the subscription level that has role assignment permissions. You need "Microsoft.Authorization/roleAssignments/" and maybe "Microsoft.Management/managementGroups/read" and "Microsoft.Authorization/roleDefinitions/".

However, I would like to point out that if an application has role assignment permissions, it can technically assign itself a Global Admin role, so it doesn't add any extra real security.

Upvotes: 0
