powershellazure-active-directoryazure-functions
Error occurred while executing GetUsers Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation
I try to get users from AAD by an Azure Function (PowerShell) with managed identity.
This is my code:
Import-Module AzureAD -UseWindowsPowerShell
Connect-AzAccount -identity
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
$body = "Hi I'm $($context.Account.Id)"
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
$allUsers = Get-AzureADUser -All $True
I give my managed identity this permissions:
This is the error:
Error occurred while executing GetUsers Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation
Do I miss some permissions to read users from AAD?
Solution
Initially I got the same error:
I assigned below permissions to the managed identity:
The GitHub blog you are referring states that you have to assign User Administrator role to the managed identity.
Hence to resolve the error, assign active User Administrator role to the managed identity:
Now, when I executed the same script, I got the list of users successfully:
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
Import-Module AzureAD -UseWindowsPowerShell
Connect-AzAccount -Identity
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
$body = "Hi I'm $($context.Account.Id)"
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
$allUsers = Get-AzureADUser -All $True
$allUsers
You can also modify the script to display the output in table format:
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
Import-Module AzureAD -UseWindowsPowerShell
Connect-AzAccount -Identity
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
$body = "Hi I'm $($context.Account.Id)"
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
$allUsers = Get-AzureADUser -All $True
$allUsers | Format-Table -Property ObjectId, DisplayName, UserPrincipalName
$tableOutput = $allUsers | Format-Table -Property ObjectId, DisplayName, UserPrincipalName | Out-String
$tableOutput
If still the issue persists, try this command Connect-AzAccount -Identity -AccountId XXX (Pass the Application ID of the identity)
- How to `Import-Module` in PowerShell to parent session/process?
- close and 'save as' for 100 of MS Paint files at once?
- `Invoke-Conda` cannot catch any arguments after powershell 7.5.0 update
- Powershell profile.ps1 cannot be loaded because its operation is blocked by software restriction policies
- How can I capture the value of an untranslated SID in a Try/Catch code block?
- PowerShell .Count returns 1 on empty array
- How can I filter out text twice in Powershell?
- SharePoint | Delete Version History using PnP PowerShell
- WinRM cannot complete the operation. Verify that the specified computer name is valid
- Using start-process in a loop, where some programs will have arguments and some don't; Way to not have if $Arguments -ne $null
- How can I set left/right column justification in Powershell's "format-table"
- Invalid operands found for operator -eq
- Detect when user cancels $host.ui.promptforchoice prompt
- How can I make sure Powershell will correctly render all non-latin characters into the output?
- How can I choose between $MyInvocation.ScriptName and $MyInvocation.PSCommandPath in PowerShell?
- Azure pipeline template: dynamically retrieve and story keyvault secrets
- Maintaining property order with get-member
- PowerShell - Return an array of all possible properties for an ADObject
- List objects vs. Arrays in PowerShell
- Run Invoke-Command in remote computer as administrator
- Authenticate to Azure with certificate from Linux
- How to recursively append to file name in powershell?
- Mapped network drives are not showing in My Computer
- Delete files in a folder except a list of extensions I specify
- How to open 'This PC' using CMD or Powershell?
- transfer the files from sub folder and sub folders recursively without specifying the folder name
- Im creating a VM using terraform code in GCP. I would like to inject a script that runs when the vm is created upon startup
- Remove-ItemProperty does not seem to work with -LiteralPath
- How can I elevate Powershell while keeping the current working directory AND maintain all parameters passed to the script?
- How do I remove or replace a built in alias in powershell?