I am trying to determine the minimum user rights, roles I can assign a user just so they can pull information from Azure AD, etc.
Currently the commands I am looking into are: Get-AzureADDevice, Get-AzureADUser, Get-MsolDevice.
All documentation I find just lists uses, examples, etc., but not rights, and I am currently unable to test case by case from normal user up to admin to find which rights are required.
CodePudding user response:
Assigned the Global Reader role to the user and tested one of the given commands (Get-AzureADUser) in the Question.
Tried to update the user, but it was not possible due to the role's permission restrictions.
Note: Global Reader - Can read everything that a Global Administrator can, but not update anything.
Updated Answer:
Assigned the Directory Reader role to the user and checked the workflow: able to get the information, but not able to update or do management work such as updating/modifying the information using Azure Active Directory PowerShell commands.
Note: Directory Reader role - Can read basic directory information. Commonly used to grant directory read access to applications and guests.
Depending on your requirement, you can choose any of the above RBAC roles for the user.
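As an added example (not part of the answer above), this AzureAD-module PowerShell assigns the read-only role and then checks, from the reader account's own session, that reads succeed and a write is refused. The function names and UPNs are hypothetical; the role's display name in the directory is "Directory Readers".

```powershell
#Requires -Modules AzureAD
# Added example. Function names and account names are hypothetical placeholders.

function Grant-DirectoryReadOnly {
    param([Parameter(Mandatory)][string]$UserPrincipalName,
          [string]$RoleName = 'Directory Readers')

    # Get-AzureADDirectoryRole only returns roles already activated in the tenant.
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleName
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
        if (-not $template) { throw "No role template named '$RoleName'" }
        Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
        $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleName
    }

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    # Skip the add if the user already holds the role (the cmdlet errors on duplicates).
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -notcontains $user.ObjectId) {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    }
}

function Test-ReadOnlyAccess {
    # Run while connected AS the reader account. $TargetUpn should be a test user:
    # if WriteDenied comes back False, the write went through, so the account is
    # over-privileged and the Department value needs reverting.
    param([Parameter(Mandatory)][string]$TargetUpn)

    $result = [ordered]@{ ReadUsers = $false; ReadDevices = $false; WriteDenied = $false }
    try { Get-AzureADUser   -Top 1 -ErrorAction Stop | Out-Null; $result.ReadUsers   = $true } catch {}
    try { Get-AzureADDevice -Top 1 -ErrorAction Stop | Out-Null; $result.ReadDevices = $true } catch {}
    try {
        Set-AzureADUser -ObjectId $TargetUpn -Department 'rbac-test' -ErrorAction Stop
    } catch {
        $result.WriteDenied = $true
    }
    [pscustomobject]$result
}

# As an administrator allowed to assign roles:
#   Connect-AzureAD
#   Grant-DirectoryReadOnly -UserPrincipalName 'reader@contoso.example'
# Then, in a new session signed in as the reader account:
#   Connect-AzureAD
#   Test-ReadOnlyAccess -TargetUpn 'testuser@contoso.example'
```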