 

Permissions required to run Remove-AzureRMAdGroup

I'm using an SPN to remove an Azure AD group (Remove-AzureRMAdGroup), but get the error insufficient privileges.

I granted the SPN the following permissions:

Active Directory Graph (2):
- Application: Read and write all applications
- Application: Read and write directory data

Microsoft Graph (1):
- Application: Read and write groups

What permissions are apparently missing here? If we assign the SPN the Azure AD role UserAccountAdmin it works, but we'd prefer to have least privileged access.

Don asked Oct 20 '25 05:10



1 Answer

Currently, the Read and write directory data permission does not include the ability to do any deletions such as deleting groups. What you need is microsoft.directory/groups/delete permission.


But there is no support today for custom roles in Azure Active Directory, only the predefined administrator roles. You have to grant the SPN the Azure AD User Administrator role, which includes the group deletion permission.

Here are the steps.

Tony Ju answered Oct 23 '25 01:10

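The two-step procedure the answer describes (an administrator puts the SPN into the User Administrator directory role, then the SPN signs in and deletes the group), written out as an added example; this is not code from the original answer. It assumes the AzureAD and AzureRM modules are installed, that the first part is run by someone holding Global Administrator or Privileged Role Administrator, and that the tenant ID, application ID and group object ID below are placeholders you replace with your own values.

```powershell
# Added example, not from the original answer. All three GUIDs are placeholders.
$TenantId      = '00000000-0000-0000-0000-000000000000'   # placeholder: your tenant ID
$AppId         = '11111111-1111-1111-1111-111111111111'   # placeholder: the SPN's application (client) ID
$GroupObjectId = '22222222-2222-2222-2222-222222222222'   # placeholder: object ID of the group to delete

# ---- Step 1 (run as Global Administrator / Privileged Role Administrator) ----
# Add the SPN to the User Administrator directory role. The role was formerly
# displayed as "User Account Administrator", so match both spellings.
Connect-AzureAD -TenantId $TenantId

$spn = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $spn) { throw "No service principal found for appId $AppId" }

$roleName = '^User (Account )?Administrator$'
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -match $roleName }
if (-not $role) {
    # Directory roles are dormant until activated from their template
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -match $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

$alreadyMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $spn.ObjectId }
if (-not $alreadyMember) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $spn.ObjectId
    Write-Host "Added $($spn.DisplayName) to $($role.DisplayName); allow a few minutes for propagation."
}

# ---- Step 2 (run as the SPN) ----
# Sign in with the SPN's client secret and delete the group.
$secret = Read-Host -Prompt 'Client secret for the SPN' -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential ($AppId, $secret)
Connect-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $TenantId

Remove-AzureRmADGroup -ObjectId $GroupObjectId -Force -PassThru

# Confirm the deletion actually happened rather than trusting the cmdlet alone
if (Get-AzureRmADGroup -ObjectId $GroupObjectId -ErrorAction SilentlyContinue) {
    throw "Group $GroupObjectId still exists; check the role assignment has propagated."
}
Write-Host "Group $GroupObjectId deleted."
```

Two caveats worth keeping in mind. The directory role is the only lever the answer offers, and User Administrator carries far more than group deletion (it can create and delete users and reset non-admin passwords), so treat the SPN's secret as a privileged credential: keep it in a vault, rotate it, and remove the role membership again if the deletion is a one-off task. Second, role membership and application-permission grants are evaluated at token issuance, so an "insufficient privileges" error immediately after the assignment usually just means the SPN is still using a token acquired before the change; reconnect to get a fresh one.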


