I have a service principal I've setup for my DevOps pipeline which I use to create service principals/apps for use by services I'm deploying via Azure CLI as follows:
az ad sp create-for-rbac --name TestAccount1 --skip-assignment
If I assign the following permissions to my DevOps service principal it works perfectly:
However that obviously triggers the deprecation alert but if I change the permissions to:
I get the following:
Directory permission is needed for the current user to register the application. For how to configure, please refer 'https://learn.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: Insufficient privileges to complete the operation.
Am I missing a subtlety when it comes to Azure AD Graph vs Microsoft Graph aren't they just old and new APIs into the same Azure AD Tenant?
Obviously this cmd
az ad sp create-for-rbacis calling Azure AD Graph API in the background.The endpoints of AAD Graph and Microsoft Graph are different.
AAD Graph endpoint:
https://graph.windows.net/Microsoft Graph endpoint:
https://graph.microsoft.com/And when you assign the
Application.ReadWrite.Allpermission on Azure portal, you will find that this permission is actually under its corresponding endpoint.So if you add
Application.ReadWrite.Allpermission under Microsoft Graph, it won't allow you to call Azure AD Graph.