I suggest you ...

← (General Feedback)

Allow granular management access of AAD groups by service principals

We have a scenario where we would like to use automation to manage membership of an AAD group.

We assign group owner permissions to the service principal. However, operations against that group (using Powershell cmdlets like Add-AzureAdGroupMember) fail with a 403 Forbidden.

We cannot grant Directory.ReadWrite permissions to the AAD application, because that would allow write permissions on the entire AAD directory, not just the group that the AAD application owns.

According to Azure support, the scenario where I would like my service principal to manage groups that it owns is not currently possible. Can we make it possible?

60 votes
Vote
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Alan Chen shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

0 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment

(General Feedback): azure.microsoft.com

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice