
I have a service principal that is used by VSTS to run an Azure PowerShell script. The command I'm trying to call is Get-AzureRmRoleAssignment. I'm getting the following error message:

  "Exception": {
     "Request": {
       "Method": "POST",
       "RequestUri": "https://graph.windows.net/********/getObjectsByObjectIds?api-version=1.6",
       "Properties": "System.Collections.Generic.Dictionary`2[System.String,System.Object]",
       "Headers": "System.Collections.Generic.Dictionary`2[System.String,System.Collections.Generic.IEnumerable`1[System.String]]"
     },
     "Response": {
       "StatusCode": 403,
       "ReasonPhrase": "Forbidden",
       "Content": {
         "odata.error": {
           "code": "Authorization_RequestDenied",
           "message": {
             "lang": "en",
             "value": "Insufficient privileges to complete the operation."
           }
         }
       },
       "Headers": "System.Collections.Generic.Dictionary`2[System.String,System.Collections.Generic.IEnumerable`1[System.String]]"
     }
}

I've verified that the service principal has read access for role assignment.

user9360564

1 Answer

Actually, the PowerShell cmdlet Get-AzureRmRoleAssignment doesn't only need read access for role assignments with the Azure REST API permission, but also needs the Read directory data permission with the Azure AD Graph API.

We can use Fiddler to find out which API this command calls:

It means that Get-AzureRmRoleAssignment needs to call 3 APIs to complete the operation. Two of them are Azure REST API calls, one of them is an Azure AD Graph API call:

POST https://graph.windows.net/<tenantID>/getObjectsByObjectIds?api-version=1.6

Solution:

So, check if your SP has the Read directory data permission. (You'd better add the Read directory data permission under both Application permissions and Delegated permissions, and then click the Grant permissions button.)

Hope this helps!

Wayne Yang
  • Hi @user9360564, is this answer helpful? – Wayne Yang Apr 07 '18 at 15:01
  • This makes sense, but the issue doesn't exist when I use a runbook in an automation account. The runbook uses a service principal and has the exact same permissions. I don't believe the module versions are the same, but how would this change anything? – user9360564 Apr 09 '18 at 13:22
  • Hi @user9360564. Maybe one has been granted permissions and the other one hasn't. So, you'd better add the permissions and also click the Grant permissions button. – Wayne Yang Apr 10 '18 at 05:02
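A pipeline-side check for the two dependencies the answer describes, as an added example (not code from the question, the answer, or the AzureRM module). It assumes an AzureRM session already established with Login-AzureRmAccount -ServicePrincipal, as the VSTS task does, and that the failing Graph call surfaces its `Authorization_RequestDenied` / "Insufficient privileges" text in the exception; the function name `Test-RoleAssignmentRead` is hypothetical.

```powershell
# Added example: calls Get-AzureRmRoleAssignment once and, on failure, reports
# which of its two prerequisites (ARM RBAC read vs. Azure AD Graph directory read)
# is missing, so the pipeline log says what to fix instead of a bare 403.
function Test-RoleAssignmentRead {
    param(
        # Scope to query; defaults to the subscription of the current context
        [string]$Scope = "/subscriptions/$((Get-AzureRmContext).Subscription.Id)"
    )
    try {
        # -ErrorAction Stop makes the cmdlet's error catchable
        $assignments = Get-AzureRmRoleAssignment -Scope $Scope -ErrorAction Stop
        return [pscustomobject]@{ Ok = $true; Count = @($assignments).Count; Cause = $null }
    }
    catch {
        # Flatten the exception chain to text; the Graph error shown in the question
        # (Authorization_RequestDenied / Insufficient privileges) is matched on below
        $text = $_.Exception.ToString()
        $cause = if ($text -match 'Authorization_RequestDenied|Insufficient privileges|graph\.windows\.net') {
            # ARM accepted the call; the follow-up Azure AD Graph lookup of the
            # principals (getObjectsByObjectIds) was refused. The SP needs the
            # "Read directory data" Azure AD Graph permission, granted by an admin.
            'Missing Azure AD Graph permission: Read directory data (Directory.Read.All)'
        }
        elseif ($text -match 'AuthorizationFailed|management\.azure\.com') {
            # The ARM step itself was refused: the SP has no role that grants
            # Microsoft.Authorization/roleAssignments/read at this scope
            "Missing Azure RBAC read on role assignments at scope $Scope"
        }
        else {
            "Unrecognised failure: $($_.Exception.Message)"
        }
        return [pscustomobject]@{ Ok = $false; Count = 0; Cause = $cause }
    }
}

# Usage in the pipeline script: fail loudly with the diagnosed cause
$result = Test-RoleAssignmentRead
if (-not $result.Ok) { Write-Warning $result.Cause }
else { "Read $($result.Count) role assignments" }
```

Running this from a runbook and from the VSTS task with the same service principal shows directly whether the difference the comments discuss is a missing Grant permissions click rather than a module version.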