Azure CLI - Will "az ad" be updated to use Microsoft Graph API?

Question

az ad app permission add needs Azure Active Directory Graph - Application.ReadWrite.All: az ad app permission add - Insufficient privileges to complete the operation

However, Azure AD Graph API is being deprecated. Will az ad at some point be updated to use Microsoft Graph API instead?

Answer 1

According to this comment from a member of the Azure cli team, they plan to migrate az ad to MS Graph: https://github.com/Azure/azure-cli/issues/12946#issuecomment-737196942

Azure CLI team is currently working on the ADAL -> MSAL migration. We will start the planning and implementation of Active Directory Graph -> Microsoft Graph migration once the previously task is done. + @achandmsft

Answer 2

You can achieve it by adding required role to service principle.

You don't require AAD graph permissions. You need to add the service principal to the Global Administrator Role using Azure portal->Azure AD->Roles and Administrators->Application Administrator

Answer 3

az ad manage Azure Active Directory Graph entities needed for Role Based Access Control. And it is still using AD Graph API but not the new Microsoft Graph API. You could feedback to UserVoice.

You could call Microsoft Graph API with az rest in Azure CLI, see here.

Since Microsoft Graph Service Principal API is GA, we recommend using az rest instead of az ad for the time being until we fully migrate az ad to Microsoft Graph.