I have a service principal that I use for automation. It has the Directory.Read.All
permission in Microsoft Graph for our Azure Active Directory.
It cannot run the Set-AzSqlServerActiveDirectoryAdministrator command. The error I get is:
Cannot find the Azure Active Directory object 'My-AD-Group'.
Please make sure that the user or group you are authorizing is
registered in the current subscription's Azure Active directory.
If I run this same command as myself, it runs just fine.
Clearly my Service Principal needs more than the Directory.Read.All
permission. Yet I cannot find any documentation that lists exactly what API Permissions my Service Principal would need to successfully run this command.
Does anyone know how I can discover exactly what API permissions would be required to run a particular Azure PowerShell command that involves accessing Azure Active Directory?
As an aside, I'm not tied to PowerShell. I cannot get this command to work with the az cli either. I'm open to methods using az that would get me this answer.