Jan 05 2019

Occasionally customers use Azure AD service principals to automate Azure AD management tasks. In that scenario you must grant the service principal the Azure AD directory role it needs to complete the task. The Azure AD portal does not let you assign directory roles to service principals; for this you must use Azure AD PowerShell. Below is an example of granting your service principal the "Directory Readers" role.

# Sign in as an administrator who is allowed to manage directory role membership
Connect-AzureAD
$sp = Get-AzureADServicePrincipal -ObjectId <object ID of service principal>
# Look up the activated "Directory Readers" role and add the service principal as a member
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Directory Readers"}).ObjectId -RefObjectId $sp.ObjectId

You can just as easily assign the principal the Directory Writers role instead, if that is what your automation will use it for.

Connect-AzureAD
$sp = Get-AzureADServicePrincipal -ObjectId <object ID of service principal>
# Same pattern, but targeting the "Directory Writers" role
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Directory Writers"}).ObjectId -RefObjectId $sp.ObjectId
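As an added example (not code from the original post), the function below wraps both grants above into one reusable, re-runnable step: it activates the role from its template if nobody in the tenant has used it yet (Get-AzureADDirectoryRole returns only activated roles, so the one-liners above fail with a null ObjectId in that case) and skips the add when the principal is already a member. It assumes the AzureAD PowerShell module and an existing Connect-AzureAD session; the object ID at the bottom is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the AzureAD module is loaded and
# Connect-AzureAD has already been run by an account that can manage role membership.
function Add-ServicePrincipalToDirectoryRole {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $ServicePrincipalObjectId,
        [Parameter(Mandatory)] [string] $RoleDisplayName   # e.g. "Directory Readers"
    )

    # Fail early on an unknown service principal (the cmdlet throws with -ErrorAction Stop)
    $sp = Get-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId -ErrorAction Stop

    # Get-AzureADDirectoryRole lists only roles already activated in this tenant. A role that
    # has never had a member is absent and must be enabled from its template first.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate |
            Where-Object { $_.DisplayName -eq $RoleDisplayName }
        if (-not $template) { throw "No directory role template named '$RoleDisplayName'." }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }

    # Skip the add if the principal is already a member, so the script is safe to re-run
    $alreadyMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $sp.ObjectId }
    if ($alreadyMember) {
        Write-Verbose "$($sp.DisplayName) is already a member of '$RoleDisplayName'."
        return
    }

    # -WhatIf support lets you preview the change before granting the role
    if ($PSCmdlet.ShouldProcess("$($sp.DisplayName) ($($sp.ObjectId))", "Add to role '$RoleDisplayName'")) {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    }
}

# Placeholder object ID; grant Directory Readers unless the automation must write to the directory
Add-ServicePrincipalToDirectoryRole -ServicePrincipalObjectId '00000000-0000-0000-0000-000000000000' `
    -RoleDisplayName 'Directory Readers' -Verbose
```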