1
votes

I have a service principal that I use for automation. It has the Directory.Read.All permission in Microsoft Graph for our Azure Active Directory.

It cannot run the Set-AzSqlServerActiveDirectoryAdministrator command. The error I get is:

Cannot find the Azure Active Directory object 'My-AD-Group'.
Please make sure that the user or group you are authorizing is
registered in the current subscription's Azure Active directory.

If I run this same command as myself, it runs just fine.

Clearly my Service Principal needs more than the Directory.Read.All permission. Yet I cannot find any documentation that lists exactly what API Permissions my Service Principal would need to successfully run this command.

Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?

As an aside, I'm not tied to PowerShell. I cannot get this command to work with the az cli either. I'm open to methods using az that would get me this answer.

1
I don't think there is a comprehensive list somewhere. I might be wrong, but I've never seen it – 4c74356b41

1 Answer

1
votes

You need to give the Directory.Read.All (Application permission) of the Azure AD Graph API, not the Microsoft Graph API. Also make sure the service principal has permission on the SQL server (e.g. the service principal is the Owner of the subscription or the SQL server); then it will work fine.

If you want to add the service principal as a role of the subscription or SQL server, navigate to the subscription or the SQL server in the portal -> Access control (IAM) -> Add -> Add role assignment -> search your service principal by name and add it as a role (e.g. Owner) -> Save; more details here.


Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName "<ResourceGroupName>" -ServerName "<ServerName>" -DisplayName "group1" -ObjectId "64d1b8xxxxx4ffbd"


Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?

Azure PowerShell essentially calls the different APIs. To get the permissions of the APIs, you could catch the request via Fiddler, then look into the official API doc for the permissions.
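An added worked example, not part of the answer above, that checks the two prerequisites the answer names (directory read access and an RBAC role on the SQL server) before running the cmdlet, and then shows which REST endpoints the cmdlet calls. The tenant, subscription, service principal, resource and group values are placeholders, and the `-Debug` switch of Azure PowerShell is used here in place of the Fiddler capture the answer describes:

```powershell
# Added example; placeholder values below must be replaced with your own.
$tenantId       = "<tenant-id>"
$subscriptionId = "<subscription-id>"
$appId          = "<service-principal-app-id>"
$spObjectId     = "<service-principal-object-id>"   # from Enterprise applications in the portal
$secret         = Read-Host -AsSecureString "Client secret"   # prompt rather than hard-code the secret
$resourceGroup  = "<ResourceGroupName>"
$serverName     = "<ServerName>"
$groupName      = "My-AD-Group"

# Sign in as the service principal (same identity the automation uses).
$cred = New-Object System.Management.Automation.PSCredential($appId, $secret)
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Subscription $subscriptionId -Credential $cred | Out-Null

# 1. Directory side: can this identity resolve the group at all?
#    If this fails, the missing piece is directory read permission, which is what
#    produces the "Cannot find the Azure Active Directory object" error in the question.
$group = Get-AzADGroup -DisplayName $groupName -ErrorAction Stop
"Resolved '$groupName' to object id $($group.Id)"

# 2. RBAC side: does the service principal hold a role on the server (or an inherited scope)?
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Sql/servers/$serverName"
$assignments = Get-AzRoleAssignment -ObjectId $spObjectId -Scope $scope
if (-not $assignments) {
    Write-Warning "No role assignment for the service principal at $scope or any parent scope."
    Write-Warning "A narrow built-in role such as 'SQL Server Contributor' scoped to the server is preferable to Owner on the subscription."
}
$assignments | Select-Object RoleDefinitionName, Scope

# 3. Set the Azure AD admin and read it back to confirm.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $resourceGroup -ServerName $serverName `
    -DisplayName $group.DisplayName -ObjectId $group.Id | Out-Null
Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $resourceGroup -ServerName $serverName

# 4. See which endpoints the cmdlet calls: -Debug prints every HTTP request (method and URI),
#    so the API documentation for those endpoints tells you which permissions are involved.
$DebugPreference = 'Continue'   # avoids the interactive "Continue?" prompt for each debug message
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $resourceGroup -ServerName $serverName `
    -DisplayName $group.DisplayName -ObjectId $group.Id -Debug 5>&1 |
    Select-String -Pattern "HTTP REQUEST|HTTP Method|Absolute Uri"
$DebugPreference = 'SilentlyContinue'
```

Steps 1 and 2 separate the two failure modes the answer describes: a failure in step 1 points at the directory permission, a failure in step 3 with step 1 passing points at the missing role assignment. The `5>&1` in step 4 redirects the debug stream into the pipeline so the request lines can be filtered; the same information is available from `az ... --debug` if you prefer the CLI.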