Azure : Permission for Service Principal to get list of Service Principals

Question

I am using the Fluent Azure SDK for .NET to try fetching the list of all service principals in the tenant.

var authenticatedContext = Azure.Authenticate(
     await SdkContext.AzureCredentialsFactory.FromServicePrincipal(aadClientId, aadClientSecret, tenantId, "AzureGlobalCloud")
);

var sps = authenticatedContext.ServicePrincipals.ListAsync().GetAwaiter().GetResults();

The service principal with the AAD Client Id has Directory.Read.All API permission. (Just to be sure I'm not missing anything : I see this permission in ServicePrincipal -> Permissions section in the Azure Portal)

But still, the following error is thrown : Microsoft.Azure.Management.Graph.RBAC.Fluent.Models.GraphErrorException: Operation return an invalid status code 'Forbidden'

However, the callouts to get ADGroup and list of subscriptions work

var subs = authenticatedContext.Subscriptions.ListAsync().GetAwaiter().GetResults();

var sgs = authenticatedContext.Subscriptions.ActiveDirectoryGroups().GetByIdAsync(someId).GetAwaiter().GetResults();

I don't know what permissions are missing.

Answer 1

I test the code in my side, and use fiddler to catch the request. It seems the sdk request Azure AD graph api but not Microsoft graph api to list the service principals. So you need to add permission Directory.Read.All of AAD graph but not Microsoft graph. Please refer to the steps below:

After adding the permission, do not forget grant admin consent for it. Then you can run your code success to get the service principal.

By the way, there is a bug with AAD permission Directory.Read.All. If we add AAD permission Directory.Read.All into the registered app, then the permission can not be removed even if we remove it from the page. So you still can run the code success even if you remove the Directory.Read.All from "API permissions" tab on the page.