Service account that logs into Azure requires Global Admin rights to disable a cloud account

  • Question

  • I was wondering if anyone might know about the permissions required by a service account that logs in non-interactively to Azure. This is part of a script to automate the deprovisioning of admin accounts: when an admin account in on-prem AD gets disabled, that triggers the service account to log in to Azure and run Update-AzADUser -EnableAccount:$false against the account. I have tried granting the service account Directory.ReadWrite.All and User.ReadWrite.All in MS Graph and consenting as an administrator, but I keep getting the message 'unauthorised to perform this action'. This is because the account it attempts to block sign-in on holds the Global Admin role. The only way I have got this to work is by adding the service account to the Global Administrator role; then it works. User Administrator gets the same unauthorised message. I know it is not possible at the moment to create custom RBAC roles for Azure AD roles. Has anyone experienced this or have a solution?
    Wednesday, April 29, 2020 8:01 AM
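An added example, not part of the original post or of any reply to it, showing the deprovisioning step the question describes with the check a practitioner would want in front of it. It swaps the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgUserMemberOf, Update-MgUser) in for Update-AzADUser, because Graph also exposes the target's directory role memberships, so the script can detect that the target holds Global Administrator and stop before the call fails with "unauthorised". The tenant id, client id, certificate thumbprint and the escalation hook are placeholders; the Global Administrator role template id is the well-known constant that is the same in every tenant.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph PowerShell
# module and an app registration with a certificate credential and the Graph application
# permissions User.ReadWrite.All and Directory.Read.All granted with admin consent.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $TenantId              = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string] $ClientId              = '11111111-1111-1111-1111-111111111111',  # placeholder app (client) id
    [string] $CertificateThumbprint = 'PLACEHOLDER_THUMBPRINT'                 # placeholder
)

# Well-known role template id for Global Administrator; identical in every tenant.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Non-interactive sign-in as the app. A certificate credential avoids keeping a client secret
# in the script or in whatever scheduler runs it.
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint

try {
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled
    if (-not $user.AccountEnabled) {
        Write-Output "$UserPrincipalName is already disabled; nothing to do."
        return
    }

    # memberOf returns both groups and directory roles; keep only the directory roles.
    $roles = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }

    $holdsGlobalAdmin = $roles |
        Where-Object { $_.AdditionalProperties['roleTemplateId'] -eq $GlobalAdminTemplateId }

    if ($holdsGlobalAdmin) {
        # Blocking sign-in on a Global Administrator needs a caller that itself holds a role
        # permitted to do so (the situation the question describes). Rather than letting the
        # update fail with "unauthorised" inside an unattended job, surface it explicitly.
        Write-Warning "$UserPrincipalName holds Global Administrator; this service principal cannot disable it."
        # Placeholder escalation hook: raise a ticket or alert for a human Global Admin here.
        return
    }

    # Block sign-in. Note this does not invalidate refresh tokens already issued,
    # so revoke sessions as well; otherwise existing tokens remain usable until they expire.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Write-Output "Disabled ${UserPrincipalName} and revoked its sign-in sessions."
}
catch {
    Write-Error "Failed to disable ${UserPrincipalName}: $($_.Exception.Message)"
    throw
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

Run it from the on-prem trigger as .\Disable-CloudAccount.ps1 -UserPrincipalName admin@contoso.example (placeholder values). The check only sees direct role assignments returned by memberOf; an account whose Global Administrator assignment is activated through PIM may still surface as a failed update, which the catch block reports rather than hides. Keeping the service principal out of Global Administrator and routing those cases to a human is the point of the pre-check: a non-interactive credential that holds Global Administrator is itself the highest-value target in the tenant.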