Non-Interactive - Get-MgUser : Insufficient privileges to complete the operation

Time:10-27

I followed [screenshot of the steps, image not available]

Thanks

CodePudding user response:

Your App Registration has the incorrect permissions. There are 2 types of permissions, delegated (aka scope), and application (aka role).

Reference: Permission types

For an "interactive" session, your app will be interacting on behalf of the user, therefore uses delegated permissions.

For a "non-interactive" session, your app will be acting as itself, so it needs application type permissions.

When connecting as an application ("non-interactive"), you also don't specify the -Scopes parameter.

CodePudding user response:

To identify the permissions needed to run a specific cmdlet of the Microsoft.Graph module you can use the Find-MgGraphCommand cmdlet, e.g.:

(Find-MgGraphCommand -Command Get-MgUser).Permissions

To identify which permissions are assigned to the current session you can use the Get-MgContext cmdlet, e.g.:

(Get-MgContext).Scopes

If you run an interactive session you have to specify the scopes, e.g.:

Connect-MgGraph -Scopes User.Read.All

To connect in the context of a service principal by using a certificate you can do:

# Placeholders: replace with your tenant ID, the app registration's client ID and the certificate thumbprint
$TenantId = '<tenantId>'
$ClientId = '<clientId>'
$CertificateThumbprint = '<thumbprint>'

# Get the certificate used as secret from the Windows certificate store
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $CertificateThumbprint }

# Establish the app-only connection (no -Scopes parameter here)
Connect-MgGraph -Certificate $cert -TenantId $TenantId -ClientId $ClientId

BTW: clientId = objectId of the service principal
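As an added example (not code from the answer above): a small PowerShell helper that ties the two cmdlets together and reports whether the current session actually holds one of the permissions Find-MgGraphCommand lists for a cmdlet, picking Application or Delegated permissions from the session's AuthType. It assumes the Microsoft.Graph module is installed, Connect-MgGraph has already been run, and Get-MgContext exposes AuthType and Scopes; the function name Test-MgCommandPermission is mine.

```powershell
# Added example, not part of the original answer.
# Assumes Microsoft.Graph is installed and a session exists (Connect-MgGraph was run).
function Test-MgCommandPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Command   # e.g. 'Get-MgUser'
    )

    $ctx = Get-MgContext
    if (-not $ctx) {
        throw 'No Graph session. Run Connect-MgGraph first.'
    }

    # An app-only (non-interactive) session needs Application permissions (roles);
    # a delegated (interactive) session needs Delegated permissions (scopes).
    $requiredType = if ($ctx.AuthType -eq 'AppOnly') { 'Application' } else { 'Delegated' }

    # Find-MgGraphCommand can return one entry per API path/version; union their permissions.
    $required = Find-MgGraphCommand -Command $Command |
        ForEach-Object { $_.Permissions } |
        Where-Object { $_.PermissionType -eq $requiredType } |
        Select-Object -ExpandProperty Name -Unique

    $granted = @($ctx.Scopes)
    # Any one of the listed permissions is sufficient; -contains compares case-insensitively.
    $satisfiedBy = @($required | Where-Object { $granted -contains $_ })

    [pscustomobject]@{
        Command     = $Command
        AuthType    = $ctx.AuthType
        Required    = ($required -join ', ')
        Granted     = ($granted -join ', ')
        SatisfiedBy = ($satisfiedBy -join ', ')
        Ok          = ($satisfiedBy.Count -gt 0)
    }
}

# Shows why Get-MgUser would fail with "Insufficient privileges" before calling it
Test-MgCommandPermission -Command Get-MgUser
```

If Ok is False in an AppOnly session, the missing Application permission must be added to the app registration and admin-consented; adding it as a Delegated permission will not help a non-interactive connection.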
