Tags: azure, azure-devops, azure-active-directory, azureadgraph-deprecation, azure-adal-deprecation

ADAL to MSAL - Insufficient privileges to complete the operation


I have a scenario where I need to add an application to a security group from a DevOps pipeline. The following setup is working just fine:

  1. In the pipeline I have the following PowerShell script:

     ```powershell
     # Look up the group and the application's service principal once
     $group = Get-AzADGroup -DisplayName $groupName
     $sp    = Get-AzADServicePrincipal -DisplayName $appName

     # Add the service principal only if it is not already a member of the group
     $members = Get-AzADGroupMember -GroupObjectId $group.Id
     if ($members.DisplayName -notcontains $appName) {
         Add-AzADGroupMember -MemberObjectId $sp.Id -TargetGroupObjectId $group.Id
     } else {
         "member is already part of the group"
     }
     ```

  2. The service principal has the Azure Active Directory Graph API permission Directory.Read.All.

  3. The service principal is an owner of the security group.

The problem is that Azure Active Directory Graph is on a deprecation path, so I changed the permission to the recommended Microsoft Graph permission.

But now I receive the "Insufficient privileges to complete the operation." error.

Could anybody please advise what else I need to configure for this to work?

Thank you.


Solution

  • Although AAD Graph is on a deprecation path, the permissions of MS Graph and AAD Graph must not be confused; they are not the same.

    You can use Fiddler 4 to capture the requests of the PowerShell Az cmdlets and find that, under the hood, they actually call AAD Graph rather than MS Graph.

    When we use an access token to call the official API, the API needs to verify whether the access token is valid.

    There is a claim named aud which identifies the resource you are calling. When you assign MS Graph permissions (for example https://graph.microsoft.com/user.read) in the Azure AD app, but the resource you are calling is AAD Graph (https://graph.windows.net/), the MS Graph permission certainly won't be included in the access token. In this case the required permission is https://graph.windows.net/user.read. That is why you get the error "Insufficient privileges to complete the operation."

    So in this case, you should continue using AAD Graph permissions.

    Don't worry about the retirement of AAD Graph. Before that day, MS should be able to provide a migration path from AAD Graph to MS Graph, or another way to keep this working without users having to do much.
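The answer's point about the aud claim can be checked without Fiddler by decoding the access token itself. The following PowerShell is an added example and is not code from the question or the answer; the function names are my own, the three tokens are constructed locally (unsigned, header and payload only) to mirror the claim shapes the answer describes, and the commented-out live lookup assumes Az.Accounts 2.x to 4.x, where `(Get-AzAccessToken).Token` is a plain string.

```powershell
# Added example, not part of the original post: inspect the aud and roles claims of an
# Azure AD access token to see which resource it was issued for and which application
# permissions it carries. Signatures are NOT verified; this is for looking at a token you
# already hold, not for trusting one you received.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url (RFC 7515): '-' and '_' instead of '+' and '/', no padding
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # The payload is the second dot-separated segment of a JWT
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-TokenAuthorizesCall {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$Resource,      # e.g. https://graph.windows.net/
        [Parameter(Mandatory)][string]$RequiredRole   # e.g. Directory.Read.All
    )
    $claims = Get-JwtPayload $Token
    # aud names the API the token is for; a different API rejects the token outright
    if ($claims.aud.TrimEnd('/') -ne $Resource.TrimEnd('/')) {
        return "Token was issued for $($claims.aud), not $Resource; the API will reject it."
    }
    # App-only tokens carry application permissions in 'roles'; delegated tokens use 'scp'
    $granted = @()
    if ($claims.roles) { $granted += @($claims.roles) }
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }
    if ($granted -notcontains $RequiredRole) {
        $have = if ($granted) { $granted -join ', ' } else { 'none' }
        return "Token is for $Resource but lacks $RequiredRole (has: $have); expect 'Insufficient privileges to complete the operation'."
    }
    "Token is for $Resource and carries $RequiredRole."
}

# Constructed, unsigned tokens used as sample input (alg none, empty signature)
function New-UnsignedJwt {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
    $payload = ConvertTo-Base64Url (ConvertTo-Json -InputObject $Claims -Compress)
    '{0}.{1}.' -f $header, $payload
}

# Case 1: only the MS Graph permission is granted, but the cmdlet requests an AAD Graph token.
# Azure AD issues a graph.windows.net token with no roles claim at all (the question's failure).
$aadGraphNoRoles  = New-UnsignedJwt @{ aud = 'https://graph.windows.net/' }
# Case 2: the AAD Graph permission Directory.Read.All is granted (the original, working setup)
$aadGraphWithRole = New-UnsignedJwt @{ aud = 'https://graph.windows.net/'; roles = @('Directory.Read.All') }
# Case 3: a token for MS Graph, which the Az cmdlets do not request here
$msGraph          = New-UnsignedJwt @{ aud = 'https://graph.microsoft.com'; roles = @('Directory.Read.All') }

foreach ($t in $aadGraphNoRoles, $aadGraphWithRole, $msGraph) {
    Test-TokenAuthorizesCall -Token $t -Resource 'https://graph.windows.net/' -RequiredRole 'Directory.Read.All'
}

# To inspect the token the pipeline actually uses (Az.Accounts 2.x-4.x, .Token is a string):
# Test-TokenAuthorizesCall -Token (Get-AzAccessToken -ResourceUrl 'https://graph.windows.net/').Token `
#     -Resource 'https://graph.windows.net/' -RequiredRole 'Directory.Read.All'
```

Running the three constructed cases shows the failure mode the answer describes: the first token is for the right resource but carries no role, the third carries the right role but for the wrong resource, and only the second satisfies an AAD Graph call that needs Directory.Read.All. Comparing aud after trimming the trailing slash matters because AAD Graph tokens use `https://graph.windows.net/` while MS Graph tokens use `https://graph.microsoft.com` without it.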