Insufficient privileges to complete the operation with listing service principals using az ad sp list


Hi, I'm trying to use the Azure CLI command, logged in as a service principal:

az ad sp list

and I get the error message: Insufficient privileges to complete the operation.

The service principal is owner of the subscription and has been assigned Delegated API Permission Directory.Read.All for both Microsoft Graph and Azure Active Directory Graph.

I have a similar setup on another Azure tenant where the same command gives me a list of SPs with the same API permissions. What's missing?

1

There is 1 answer

1
Harshita Singh On

Apparently giving an SP the 'Owner' role is not enough. You have to give it the 'Directory Readers' role. This is not possible using the Azure CLI or Portal, though. You have to use the Azure AD Graph API; the easiest way to do this is using https://graphexplorer.azurewebsites.net/.

Now, the steps to give the SP the Directory Readers role are a bit long to explain here; I found them here: https://lnx.azurewebsites.net/directory-roles-for-azure-ad-service-principal/
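The same check (and, if needed, the role assignment) can be scripted against Microsoft Graph, which is what the current `az ad` commands call, rather than the Azure AD Graph endpoint the answer links to. The script below is an added example, not part of the answer or of any Microsoft tooling. It assumes a Graph access token in the `GRAPH_TOKEN` environment variable and the service principal's directory object id (not its application id) in `SP_OBJECT_ID`; the `/directoryRoles`, `/directoryRoleTemplates` and `/members/$ref` endpoints are the documented Microsoft Graph v1.0 ones, and the sample JSON embedded in the module is constructed so the pure functions can be exercised offline. Note that the membership lookup is the safe, read-only part; the grant step only succeeds when the caller itself holds a role management permission, which is exactly the constraint the answer runs into with an SP that is merely an Owner.

```python
"""Verify, and optionally grant, the 'Directory Readers' directory role for a
service principal via Microsoft Graph v1.0.  Added example; assumes the
GRAPH_TOKEN and SP_OBJECT_ID environment variables described in the text."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ROLE_NAME = "Directory Readers"

# Constructed sample responses (shape of GET /directoryRoles and
# GET /directoryRoles/{id}/members); the ids are placeholders, not real GUIDs.
SAMPLE_ROLES = {"value": [
    {"id": "role-guid-1", "displayName": "Directory Readers", "roleTemplateId": "tmpl-1"},
    {"id": "role-guid-2", "displayName": "Global Administrator", "roleTemplateId": "tmpl-2"},
]}
SAMPLE_MEMBERS = {"value": [
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-object-id-1"},
]}


def find_directory_role(roles_response: dict, display_name: str = ROLE_NAME):
    """Return the *activated* directoryRole with this displayName, or None.
    Graph only lists roles that have been activated in the tenant, so None
    does not necessarily mean the role does not exist."""
    for role in roles_response.get("value", []):
        if role.get("displayName") == display_name:
            return role
    return None


def is_member(members_response: dict, sp_object_id: str) -> bool:
    """True if the SP's object id appears among the role's members."""
    return any(m.get("id") == sp_object_id for m in members_response.get("value", []))


def build_add_member_request(role_id: str, sp_object_id: str):
    """Return (url, body) for POST /directoryRoles/{id}/members/$ref.
    The body references the SP as a directoryObject.  The caller needs
    RoleManagement.ReadWrite.Directory (consented) for this to succeed."""
    url = f"{GRAPH}/directoryRoles/{role_id}/members/$ref"
    body = {"@odata.id": f"{GRAPH}/directoryObjects/{sp_object_id}"}
    return url, body


def graph_call(token: str, url: str, method: str = "GET", body=None) -> dict:
    """Minimal Graph request using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def check_and_grant(token: str, sp_object_id: str, grant: bool = False) -> str:
    """Report whether the SP holds Directory Readers; grant it only if asked.
    Returns one of: 'member', 'not-member', 'granted'."""
    role = find_directory_role(graph_call(token, f"{GRAPH}/directoryRoles"))
    if role is None:
        # Role never activated in this tenant: activate it from its template.
        templates = graph_call(token, f"{GRAPH}/directoryRoleTemplates")
        tmpl = find_directory_role(templates)  # templates share the displayName field
        if tmpl is None:
            raise RuntimeError(f"no role template named {ROLE_NAME!r}")
        role = graph_call(token, f"{GRAPH}/directoryRoles", "POST",
                          {"roleTemplateId": tmpl["id"]})
    members = graph_call(token, f"{GRAPH}/directoryRoles/{role['id']}/members")
    if is_member(members, sp_object_id):
        return "member"
    if not grant:
        return "not-member"
    url, body = build_add_member_request(role["id"], sp_object_id)
    graph_call(token, url, "POST", body)
    return "granted"


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    sp_id = os.environ.get("SP_OBJECT_ID", "sp-object-id-1")
    if token:
        print(check_and_grant(token, sp_id, grant=os.environ.get("GRANT") == "1"))
    else:
        # Offline demonstration on the constructed sample data.
        role = find_directory_role(SAMPLE_ROLES)
        print(role["id"], "member" if is_member(SAMPLE_MEMBERS, sp_id) else "not-member")
```

Run with only `GRAPH_TOKEN` and `SP_OBJECT_ID` set to get a read-only report; set `GRANT=1` as well to perform the assignment with a sufficiently privileged token. Checking `/members` first means a re-run is idempotent, and keeping the grant behind an explicit flag keeps the default invocation within the read-only permission the question's SP already has.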