Paul

Reputation: 449

Insufficient privilege for operations like Get-AzureADApplication and Set-AzureADApplication

I would like to automate deployment, and it requires updating settings for an Azure AD application registration.

So far I am able to:

However, I am unable to execute commands like:

I get the following error message:

Set-AzureADApplication : Error occurred while executing SetApplication Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation

Based on my research, I set up some API permissions as follows: [screenshot of the API permissions blade]

Unfortunately, no luck, and I still get "insufficient privileges" although all permissions were granted. Do you know if I missed something? Are there any specific permissions I should add to make it work? Regards.

Upvotes: 0

Views: 4255

Answers (4)

Mieszko

Reputation: 26

First of all, thanks for the previous posts; they gave a lot of inspiration on this topic. In our case the problem occurred in an automated Bicep mechanism that is supposed to add API permissions for Microsoft Graph.

Error: Authorization_RequestDenied

Solution: We needed to give the Enterprise Application that runs the mechanism the following Microsoft Graph (not Azure Active Directory Graph, which will be deprecated) Application permissions:

  • Application.ReadWrite.All
  • AppRoleAssignment.ReadWrite.All
  • Directory.ReadWrite.All

Upvotes: 0

Swapnil S.

Reputation: 11

I was also facing a similar issue; make sure you are doing the following things:

  1. Set a Run As account for the Azure Automation account.
  2. In the app registration newly created for the Azure Automation account after setting the Run As account, make sure you add the Cloud Application Administrator role explicitly.
  3. Add the API permission Application.ReadWrite.All (Microsoft Graph).

In my case the app registration was showing the Cloud Application Administrator role under the Roles and administrators screen, which I thought gave the new app registration the required permission, but that was not the case. The PowerShell script only worked after we assigned the Cloud Application Administrator role explicitly.

Upvotes: 0
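An added example (PowerShell, not code from the answer above) of doing step 2 explicitly with the AzureAD module: activate the Cloud Application Administrator directory role from its template if the tenant has never used it, add the automation service principal to the role only if it is not already a member (so the deployment script can be re-run), and read the membership back as a check. The tenant id and the service principal display name are placeholder assumptions.

```powershell
# Added example: explicit directory-role assignment for an automation service principal.
# The tenant id and display name below are assumed placeholders; sign-in is interactive as an admin.
$tenantId      = '00000000-0000-0000-0000-000000000000'
$spDisplayName = 'my-automation-runas'

Connect-AzureAD -TenantId $tenantId | Out-Null

# Resolve the service principal behind the app registration (for a Run As account,
# the one Azure Automation created).
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$spDisplayName'"
if (-not $sp) { throw "Service principal '$spDisplayName' not found" }

# Built-in roles are only listed by Get-AzureADDirectoryRole once they have been
# activated in the tenant; activate from the role template when that has not happened yet.
$roleName = 'Cloud Application Administrator'
$role     = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role     = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Assign the role to the service principal, skipping the call if it is already a member.
$members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
if ($members.ObjectId -notcontains $sp.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
}

# Check: the service principal should now appear among the role members.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object ObjectId -eq $sp.ObjectId |
    Select-Object DisplayName, ObjectType, ObjectId
```

Role membership is what the answer says unblocked the script; it is broader than the single Application.ReadWrite.All application permission, so prefer the permission alone where it is sufficient and use the directory role only when the cmdlets you call actually require it.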

Joy Wang

Reputation: 42063

As mentioned in another reply, you could give the Global Administrator role to the service principal; that is correct, but the permission of Global Administrator is too large in this case and may cause some security issues.

In this case, the commands Get-AzureADApplication and Set-AzureADApplication you used essentially call the Azure AD Graph API, so to solve the issue a better solution is to add the permission of the Azure AD Graph API; please follow the steps below.

1. Navigate to the API permissions of your AD App -> select Azure Active Directory Graph (not Microsoft Graph).

2. Select Application permissions (not Delegated permissions) -> Application.ReadWrite.All -> click Add permissions.

3. At last, click the Grant admin consent for xxx button.

After a while, try the commands again; they will work fine.

Update:

After checking the docs, I find there are already some new commands released by MS which call Microsoft Graph; I hadn't seen them before.

E.g. in your case, you can use Get-AzureADMSApplication instead of Get-AzureADApplication.

Get-AzureADMSApplication -Filter "DisplayName eq 'joyttt'"

Use Set-AzureADMSApplication instead of Set-AzureADApplication.

Set-AzureADMSApplication -ObjectId <object-id> -Web @{ RedirectUris = "https://mynewapp.contoso.com/" }

For Get-AzADServicePrincipal there is no equivalent currently; there should be one in the future. When using the commands above, the permissions of Microsoft Graph will work, so there is no need to use Azure AD Graph, but you should use Application permissions, not Delegated permissions (you used Delegated permissions in your question).

Upvotes: 1
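As an added example (not from the answer above), the same app-only flow done against Microsoft Graph directly from PowerShell, which is the API the Get-AzureADMSApplication and Set-AzureADMSApplication cmdlets call. It acquires a client-credentials token for the deployment service principal, checks that Application.ReadWrite.All is present in the token's `roles` claim (application permissions only show up there after admin consent has been granted; a delegated permission never does, and a token without the role is exactly what Graph rejects with Authorization_RequestDenied), then looks the application up by display name and replaces its web redirect URIs. The tenant id, client id, the environment variable holding the client secret, the target app name and the redirect URI are placeholder assumptions.

```powershell
# Added example: app-only (client credentials) call to Microsoft Graph with a permission check.
# All identifiers below are assumed placeholders; the secret is read from an environment variable.
$tenantId     = '00000000-0000-0000-0000-000000000000'
$clientId     = '11111111-1111-1111-1111-111111111111'   # deployment service principal's app id
$clientSecret = $env:DEPLOY_CLIENT_SECRET
$targetApp    = 'joyttt'                                 # display name used in the answer above
$newRedirect  = 'https://mynewapp.contoso.com/'

# 1. Client-credentials token: no signed-in user, so only Application permissions can apply.
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$token = $tokenResp.access_token

# 2. Read the roles claim from our own token (no signature verification is needed to inspect it;
#    Graph validates the signature server-side). Granted app-only permissions are listed here.
function Get-JwtRoles([string]$Jwt) {
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return @(($json | ConvertFrom-Json).roles)
}
$roles = Get-JwtRoles $token
if ($roles -notcontains 'Application.ReadWrite.All') {
    throw ("Token carries roles [$($roles -join ', ')] but not Application.ReadWrite.All. " +
           "Add it as an Application permission and grant admin consent; Graph will otherwise " +
           "answer Authorization_RequestDenied.")
}

$headers = @{ Authorization = "Bearer $token" }
$graph   = 'https://graph.microsoft.com/v1.0'

# 3. Find the app registration by display name (what Get-AzureADMSApplication -Filter does).
$filter = [uri]::EscapeDataString("displayName eq '$targetApp'")
$apps   = @((Invoke-RestMethod -Headers $headers -Uri "$graph/applications?`$filter=$filter").value)
if ($apps.Count -ne 1) { throw "Expected exactly one app named '$targetApp', found $($apps.Count)" }
$appObjectId = $apps[0].id

# 4. Replace the web redirect URIs (what Set-AzureADMSApplication -Web @{ RedirectUris = ... } does).
$body = @{ web = @{ redirectUris = @($newRedirect) } } | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Patch -Headers $headers -ContentType 'application/json' `
    -Uri "$graph/applications/$appObjectId" -Body $body

# 5. Read the object back to confirm the change landed.
(Invoke-RestMethod -Headers $headers -Uri "$graph/applications/$appObjectId").web.redirectUris
```

The roles check is the quickest way to tell the two failure modes apart: if the claim is empty or missing, the permission was added as Delegated or admin consent was never granted; if it is present and Graph still denies the call, the object being edited needs something more than Application.ReadWrite.All.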

You are facing this issue because the PowerShell cmdlet works differently compared to MS Graph. Instead of permissions, PowerShell requires roles to do these operations. Please add the Global Administrator role to your service principal and then try Connect-AzureAD; the issue will be fixed.

For more details, you may refer to Assigning administrator roles in Azure Active Directory.

Upvotes: 1
