Granting an Azure AD Service Principal an Azure AD Directory Role

Occasionally customers use Azure AD service principals to automate Azure AD management tasks. In this scenario, you must grant the service principal the Azure AD directory role permissions needed to complete the task. Keep in mind that a directory role assigned to a service principal is usable by anyone holding that principal's credentials, so assign only the least-privileged role the task requires. The assignment can be performed with the AzureADPreview PowerShell module:

# Connect with an Azure AD Global Admin or another user with permission to assign roles
Connect-AzureAD

# Find Azure AD role by built in name
$role = Get-AzureADMSRoleDefinition -Filter "DisplayName eq 'Security Administrator'"

# Find Azure AD service principal by display name
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'test123'"

# Assign the Azure AD role to the service principal at tenant scope ("/")
# (newer AzureADPreview releases name the scope parameter -DirectoryScopeId instead of -ResourceScope)
New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $sp.ObjectId -ResourceScope "/"
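As an added example (not code from the original post), the same assignment wrapped so that it fails on an ambiguous display name, skips principals that already hold the role, and reads the result back from the directory, plus an audit of every principal holding a given role; the function names are my own, and it assumes the AzureADPreview module is loaded and Connect-AzureAD has already been run.

```powershell
function Grant-SpDirectoryRole {
    param(
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        [Parameter(Mandatory)] [string] $SpDisplayName,
        [string] $Scope = '/'   # '/' means the whole tenant; narrow it where the role allows
    )
    $role = Get-AzureADMSRoleDefinition -Filter "DisplayName eq '$RoleDisplayName'"
    if (-not $role) { throw "Directory role '$RoleDisplayName' not found" }

    # Display names are not unique: refuse to guess between look-alike principals
    $sps = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$SpDisplayName'")
    if ($sps.Count -ne 1) { throw "Expected exactly 1 service principal named '$SpDisplayName', found $($sps.Count)" }
    $sp = $sps[0]

    # Idempotent: do nothing if the principal already holds this role
    $existing = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($sp.ObjectId)'" |
        Where-Object { $_.RoleDefinitionId -eq $role.Id }
    if ($existing) { Write-Warning "'$SpDisplayName' already holds '$RoleDisplayName'"; return $existing }

    # Newer AzureADPreview releases call this parameter -DirectoryScopeId instead of -ResourceScope
    $new = New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $sp.ObjectId -ResourceScope $Scope
    # Read the assignment back from the directory instead of trusting the returned object
    return Get-AzureADMSRoleAssignment -Id $new.Id
}

# Audit: list every principal (user, group or service principal) holding a given role
function Get-DirectoryRoleHolders {
    param([Parameter(Mandatory)] [string] $RoleDisplayName)
    $role = Get-AzureADMSRoleDefinition -Filter "DisplayName eq '$RoleDisplayName'"
    if (-not $role) { throw "Directory role '$RoleDisplayName' not found" }
    Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" | ForEach-Object {
        $obj = Get-AzureADObjectByObjectId -ObjectIds $_.PrincipalId
        [pscustomobject]@{
            Role        = $RoleDisplayName
            PrincipalId = $_.PrincipalId
            ObjectType  = $obj.ObjectType        # 'ServicePrincipal' flags non-human role holders
            DisplayName = $obj.DisplayName
        }
    }
}

# Example use (constructed names, replace with your own):
# Grant-SpDirectoryRole -RoleDisplayName 'Security Administrator' -SpDisplayName 'test123'
# Get-DirectoryRoleHolders -RoleDisplayName 'Security Administrator' | Format-Table
```

Running the audit function periodically is a simple way to spot service principals that have quietly accumulated privileged directory roles.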

NOTE: You can now also perform this directly from the Azure AD portal -> Roles and administrators blade -> Role -> Add assignments -> Select members -> filter by the service principal's display name
