Azure role Application Administrator not supported?
I am Application Administrator in Azure AD. I log in with Connect-MgGraph and complete /devicelogin.
Calling Get-MgServicePrincipal -ServicePrincipalId xxx or anything else results in Get-MgServicePrincipal_Get2: Insufficient privileges to complete the operation.
It works when I log in with Connect-MgGraph -Scopes Directory.AccessAsUser.All.
Why is that? A bug or a feature?
Hi, I now understand that the role works, but Connect-MgGraph defaults to not claiming these permissions.
Would it be possible to add a sign-in message explaining what scopes were claimed and noting that the user may want to select -Scopes Directory.AccessAsUser.All, or pointing at a very brief doc about Graph scopes?
Do not ask the user to always scan through the complete documentation himself; give him the must-haves just-in-time, directly in the app experience.
@Tbohunek, this is valuable feedback for the workload owners. Workload APIs should ideally return an error message with the required permissions/scopes when an API request fails with a 403 status code (Insufficient privileges to complete the operation).
We currently have ongoing work to document Connect-MgGraph and related commands with links to relevant online guides.
@maisarissi, we should surface the ask above to workload owners and AGS. This will make it easier for customers to know which permissions they need to consent to when a request fails with a 403.
We've added conceptual docs at https://learn.microsoft.com/en-us/powershell/microsoftgraph/get-started?view=graph-powershell-1.0#determine-required-permission-scopes that show how to determine required scopes.
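The thread's point is that two things must both allow an operation: the signed-in user's directory role (Application Administrator here) and the delegated scopes the Graph PowerShell app was granted at sign-in. If Connect-MgGraph is run without -Scopes, the token carries only previously consented scopes, and Graph answers 403 even though the role is sufficient. The following script is an added example, not code from the thread or from the Microsoft Graph PowerShell SDK project; it requests a narrower scope than Directory.AccessAsUser.All, checks the session's scopes against what the command accepts before calling it, and explains a 403 in terms of scopes instead of leaving the user with "Insufficient privileges". It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules are installed, that Find-MgGraphCommand exposes a Permissions property whose entries have Name and PermissionType fields (that shape is an assumption here), and the service principal id is a constructed placeholder.

```powershell
# Added example (not from the issue thread or the Graph SDK project).
# Assumes Microsoft.Graph.Authentication and Microsoft.Graph.Applications are installed.

# Ask the SDK which delegated scopes a cmdlet accepts.
# Assumption: Find-MgGraphCommand results carry a Permissions collection with
# Name and PermissionType ("Delegated"/"Application") properties.
function Get-RequiredDelegatedScopes {
    param([Parameter(Mandatory)][string]$Command)
    $entries = Find-MgGraphCommand -Command $Command -ErrorAction Stop
    $entries.Permissions |
        Where-Object { $_.PermissionType -eq 'Delegated' } |
        Select-Object -ExpandProperty Name -Unique
}

# True when the current session holds at least one of the given scopes.
function Test-MgSessionScope {
    param([Parameter(Mandatory)][string[]]$AnyOf)
    $ctx = Get-MgContext
    if (-not $ctx) { return $false }
    foreach ($scope in $AnyOf) {
        if ($ctx.Scopes -contains $scope) { return $true }
    }
    return $false
}

# Least privilege: request only what reading a service principal needs.
# Directory.AccessAsUser.All (used in the thread) is far broader than this task requires.
$requestedScopes = @('Application.Read.All')
$spId = '00000000-0000-0000-0000-000000000000'   # constructed placeholder object id

Connect-MgGraph -Scopes $requestedScopes

$accepted = Get-RequiredDelegatedScopes -Command 'Get-MgServicePrincipal'
$granted  = (Get-MgContext).Scopes

# Pre-flight check: warn before the call rather than after an opaque 403.
if (-not (Test-MgSessionScope -AnyOf $accepted)) {
    Write-Warning ("Session scopes [{0}] include none of the scopes Get-MgServicePrincipal accepts [{1}]. " +
                   "Reconnect with -Scopes and one of the accepted values.") -f ($granted -join ', '), ($accepted -join ', ')
}

try {
    Get-MgServicePrincipal -ServicePrincipalId $spId -ErrorAction Stop
}
catch {
    # Translate the generic error into the just-in-time hint the thread asks for.
    if ($_.Exception.Message -match 'Insufficient privileges') {
        Write-Warning ("Graph returned 403. Granted scopes: [{0}]. Accepted scopes for this command: [{1}]. " +
                       "Your directory role is not the problem; the token's delegated scopes are.") -f ($granted -join ', '), ($accepted -join ', ')
    }
    else {
        throw
    }
}
```

Requesting Application.Read.All rather than Directory.AccessAsUser.All keeps the token's blast radius small: a leaked or replayed token for the narrower scope can read application objects but cannot act as the user across the whole directory. The pre-flight check uses Get-MgContext, which reflects the scopes actually consented and present in the token, so it also catches the case where an administrator has not granted the requested scope at all.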