No details on SP permissions to enable AAD management

[TheAzureGuy]

This is a great sample covering the key scenarios. However, there is no explanation as to what specific permissions a service principal needs to be granted in AAD to be able to add users, modify role assignment. All attempts to get this sample to work with a custom SP were hopeless. I'm getting a cryptic CloudException back without any details whatsoever. Would appreciate your advise.

Selected subscription: xxxxx Creating an Active Directory user Test 76e11025a212d11af... Microsoft.Rest.Azure.CloudException: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown. at Microsoft.Azure.Management.Graph.RBAC.Fluent.DomainsOperations.<ListWithHttpMessagesAsync>d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.Management.Graph.RBAC.Fluent.DomainsOperationsExtensions.<ListAsync>d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.Management.Graph.RBAC.Fluent.ActiveDirectoryUserImpl.<CreateResourceAsync>d__23.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.Management.ResourceManager.Fluent.Core.ResourceActions.Creatable4.<Microsoft-Azure-Management-ResourceManager-Fluent-Core-ResourceActions-IResourceCreator-CreateResourceAsync>d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.CreatorTaskItem1.<ExecuteAsync>d__6.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.TaskGroupBase1.d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.Management.ResourceManager.Fluent.Core.Extensions.Synchronize[TResult](Func1 function) at ManageUsersGroupsAndRoles.Program.RunSample(IAuthenticated authenticated) at ManageUsersGroupsAndRoles.Program.Main(String[] args)

[mersadk]

I agree, it would save a lot of time if this information was available.

I was able to create user by giving following permission to my application.
Azure Active Directory Graph -> Application permissions -> Directory.ReadWrite.All