Hi I'm trying to use the Azure CLI command logged in a service principal
az ad sp list
and I get the error message Insufficient privileges to complete the operation.
The service principal is owner of the subscription and has been assigned Delegated API Permission Directory.Read.All for both Microsoft Graph and Azure Active Directory Graph.
I have a similar setup on another Azure tenant where the same command will give me a list of SP's with the same API permissions. What's missing.
Apparently giving an SP the 'Owner' role is not enough. You have the give it the 'Directory Readers' role. This is not possible using the Azure CLI or Portal though. You have to use the Azure AD Graph API, easiest way to do this is using https://graphexplorer.azurewebsites.net/.
Now, the steps to add give the SP the Directory Readers role are a bit long to explain here, I found them here: https://lnx.azurewebsites.net/directory-roles-for-azure-ad-service-principal/