Azure-pipelines-tasks: Azure PowerShell task: Insufficient privileges to complete the operation

Created on 12 Jul 2018 · 13 Comments · Source: microsoft/azure-pipelines-tasks

Environment

Issue Description

I have an Azure PowerShell task _(Azure PowerShell script: InlineScript)_ that executes a very simple inline script Get-AzureRmADServicePrincipal -SearchString "<name-of-app>". The task results in an error stating: Insufficient privileges to complete the operation.

I have granted the Service Principal used to connect to the Azure subscription from VSTS the following permission:
[image]

With no success. Are there other permissions that need adding to the Service Principal?

Error logs

[image]

Thanks in advance for your help.

Release

All 13 comments

@Jaffacakes82 The azure powershell task, logs into azure account using -ServicePrincipal as authorization scheme. Our understanding is you cannot access other Service Principals unless your selected service principal has appropriate permissions or you login as user.
One workaround could be, you login as user (only possible if you do not use multiple factor authentication) through a normal powershell task.
In the meanwhile, we will check on any permissions that could be provided to make this work.

@Jaffacakes82 You can add permissions to your app in AAD. In the portal go to your app, Settings, Required Permissions. Click on Add, select API and select permission. Can you try with permissions as under:
For API Windows Azure Active Directory:
[image]
For API Microsoft Graph:
[image]
For trial you can provide all permissions instead of only those in screenshot.
Also few of these permissions can only be provided if you are an Admin.

@SumiranAgg thanks for your response, I will try and add some of these permissions and let you know how it goes.

Please can you confirm my understanding that the Azure PowerShell task attempts to login as the Service Principal created in Azure AD that gets added when creating a service endpoint from a VSTS project to an Azure subscription?

@Jaffacakes82 Yes that is correct. Also you might have multiple service endpoints in your VSTS project. The task logs-in with the service endpoint you select in the task under "Azure Subscription".
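The inline script below is an added diagnostic, not code from the issue or from the azure-pipelines-tasks project. Run as the task's inline script, it first reports which identity the task logged in with (so you can confirm it is the service endpoint's service principal rather than a user), then repeats the failing Get-AzureRmADServicePrincipal call and turns the "Insufficient privileges" error into an explicit message naming the identity that needs the directory-read application permission. It assumes the AzureRm cmdlets the task loaded in 2018 (Get-AzureRmContext, Get-AzureRmADServicePrincipal); the $AppName value is a placeholder.

```powershell
# Added diagnostic inline script (not part of the original issue or the task).
# Assumes the AzureRm module; $AppName is a placeholder for the app being searched for.
$AppName = "<name-of-app>"

# 1. Report the identity the task is running under. The task signs in with the
#    service principal of the endpoint chosen under "Azure Subscription".
$ctx = Get-AzureRmContext
Write-Host ("Account: {0} (type: {1}), tenant: {2}" -f $ctx.Account.Id, $ctx.Account.Type, $ctx.Tenant.Id)

if ($ctx.Account.Type -ne 'ServicePrincipal') {
    Write-Warning "Not running as a service principal; results reflect a user login, not the endpoint."
}

# 2. Repeat the directory read that fails in the issue, with -ErrorAction Stop so the
#    non-terminating error becomes catchable.
try {
    $sp = Get-AzureRmADServicePrincipal -SearchString $AppName -ErrorAction Stop
    if (-not $sp) {
        Write-Host "No service principal found whose display name starts with '$AppName'."
    } else {
        $sp | Select-Object DisplayName, ApplicationId, Id | Format-Table -AutoSize
    }
}
catch {
    $msg = $_.Exception.Message
    if ($msg -match 'Insufficient privileges') {
        # A service-principal login only carries *application* permissions; delegated
        # permissions need a signed-in user and do not apply here.
        $advice = ("Service principal '{0}' (app registration in tenant {1}) cannot read Azure AD objects. " +
                   "Grant it the directory-read application permission in its App Registration " +
                   "(Windows Azure Active Directory / Microsoft Graph) and have an admin consent to it, " +
                   "then re-run the task.") -f $ctx.Account.Id, $ctx.Tenant.Id
        Write-Error $advice
    } else {
        throw
    }
}
```

The first line of output tells you immediately whether the permissions you changed belong to the same app registration the task actually authenticated with; if the account id printed differs from the app you edited, the permission change could not have taken effect.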

@SumiranAgg thanks for the clarification. Can you also clarify what the delegated permissions does? For example, If I am a Global Administrator in the directory, does that delegate those same permissions to the Service Principal?

@SumiranAgg I added the following permissions:

_Read/Write Directory Data_ to the Windows Azure AD API
_Read Directory Data_ to the Microsoft Graph API

This still didn't grant the Service Principal access to read AD data. I will have a chat with my IT team and see if they're happy to grant the delegated permissions/all other permissions although I imagine they will shout at me 😄.

@Jaffacakes82 Just for my understanding, did you add permissions to the app corresponding to the service principal used in the task? You can find your app by using the service principal ID in the search field for "App Registrations" in AAD.

@SumiranAgg Yes, I clicked 'Manage Service Principal' in the VSTS project settings for the appropriate subscription and added the permissions there.

@Jaffacakes82 I recreated the scenario and it worked with only the below permissions for me:
[image]

Please use this document for reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#configure-a-client-application-to-access-web-apis

Very strange, it still doesn't work for me.

I have reverted to using a service account in our Azure AD to grant the key vault access as opposed to the VSTS service principal and this has resolved my issue.

@Jaffacakes82 Glad that you were able to resolve it.
Please reopen if you get blocked with this again.

Can this be re-opened please as having the exact same issue, and not able to revert to key vault access to do what I am doing.
