
Azure AD Graph vs. MS Graph Application.ReadWrite.All


I have a service principal I've set up for my DevOps pipeline, which I use to create service principals/apps for use by the services I'm deploying via Azure CLI, as follows:

az ad sp create-for-rbac --name TestAccount1 --skip-assignment

If I assign the following permissions to my DevOps service principal it works perfectly:

[screenshot of the service principal's API permissions, image not available]

However, that obviously triggers the deprecation alert, but if I change the permissions to:

[screenshot of the changed API permissions, image not available]

I get the following:

Directory permission is needed for the current user to register the application. For how to configure, please refer 'https://learn.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: Insufficient privileges to complete the operation.

Am I missing a subtlety when it comes to Azure AD Graph vs. Microsoft Graph? Aren't they just old and new APIs into the same Azure AD tenant?


Solution

  • Obviously this command, az ad sp create-for-rbac, is calling the Azure AD Graph API in the background.

    The endpoints of AAD Graph and Microsoft Graph are different.

    AAD Graph endpoint: https://graph.windows.net/

    Microsoft Graph endpoint: https://graph.microsoft.com/

    And when you assign the Application.ReadWrite.All permission in the Azure portal, you will find that this permission is actually listed under its corresponding endpoint.

    [screenshot of Application.ReadWrite.All under Azure Active Directory Graph, image not available]

    [screenshot of Application.ReadWrite.All under Microsoft Graph, image not available]

    So if you add the Application.ReadWrite.All permission under Microsoft Graph, it won't allow you to call Azure AD Graph.
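The answer above locates a permission's resource API by reading the portal blade. The same check can be done against the app registration manifest, which is how a pipeline or an audit script would catch the two situations in this thread: a service principal that still depends on the deprecated Azure AD Graph, or one that was moved to Microsoft Graph while a tool still calls graph.windows.net. The following is an added example, not code from the question, the answer or Azure CLI. It assumes the input has the shape of the requiredResourceAccess array that az ad app show returns; the two resource application ids are the well-known, tenant-independent ids of Azure AD Graph and Microsoft Graph, while the permission ids and the id-to-name lookup in the sample are constructed placeholders, not the real Application.ReadWrite.All ids.

```python
"""Audit an app registration's requiredResourceAccess by resource API.

Added example (not from the original post). Input mirrors the
requiredResourceAccess array from `az ad app show --id <appId>`.
"""
import json
from typing import Dict, List, Optional

# Well-known resource (API) application ids; identical in every tenant.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph, graph.windows.net (deprecated)
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph, graph.microsoft.com

RESOURCE_NAMES = {
    AAD_GRAPH_APP_ID: "Azure AD Graph (https://graph.windows.net/)",
    MS_GRAPH_APP_ID: "Microsoft Graph (https://graph.microsoft.com/)",
}

# Constructed samples. The permission ids are PLACEHOLDERS, not the real
# Application.ReadWrite.All ids; the name lookup below is constructed as well.
SAMPLE_AAD_GRAPH_ONLY = json.loads("""[
  {"resourceAppId": "00000002-0000-0000-c000-000000000000",
   "resourceAccess": [{"id": "11111111-1111-1111-1111-111111111111", "type": "Role"}]}
]""")
SAMPLE_MS_GRAPH_ONLY = json.loads("""[
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [{"id": "22222222-2222-2222-2222-222222222222", "type": "Role"}]}
]""")
PERMISSION_NAMES = {  # constructed: permission id -> display name
    "11111111-1111-1111-1111-111111111111": "Application.ReadWrite.All",
    "22222222-2222-2222-2222-222222222222": "Application.ReadWrite.All",
}


def audit_required_resource_access(required: List[dict],
                                   names: Optional[Dict[str, str]] = None) -> dict:
    """Group requested permissions by resource API and flag the two cases from
    the thread: still depending on Azure AD Graph, or having only Microsoft
    Graph permissions while a tool still calls graph.windows.net."""
    names = names or {}
    by_resource: Dict[str, List[str]] = {}
    for entry in required:
        app_id = entry.get("resourceAppId", "?")
        resource = RESOURCE_NAMES.get(app_id, f"other ({app_id})")
        for access in entry.get("resourceAccess", []):
            # "Role" is an application permission, "Scope" a delegated one.
            kind = "application" if access.get("type") == "Role" else "delegated"
            label = names.get(access.get("id"), access.get("id"))
            by_resource.setdefault(resource, []).append(f"{label} [{kind}]")

    findings = []
    uses_aad_graph = any(r.startswith("Azure AD Graph") for r in by_resource)
    uses_ms_graph = any(r.startswith("Microsoft Graph") for r in by_resource)
    if uses_aad_graph:
        findings.append("depends on deprecated Azure AD Graph; plan migration to Microsoft Graph")
    if uses_ms_graph and not uses_aad_graph:
        findings.append("no Azure AD Graph permission: tools that still call graph.windows.net "
                        "will fail with 'Insufficient privileges'")
    return {"by_resource": by_resource, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("AAD Graph only", SAMPLE_AAD_GRAPH_ONLY),
                         ("MS Graph only", SAMPLE_MS_GRAPH_ONLY)):
        print(name)
        print(json.dumps(audit_required_resource_access(sample, PERMISSION_NAMES), indent=2))
```

In a real pipeline the input would come from az ad app show --id <appId> --query requiredResourceAccess, and the permission names would be resolved from the resource service principal's appRoles and oauth2PermissionScopes rather than from a hard-coded map; the point of the script is that the resource application id, not the permission name, decides which endpoint a permission applies to.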