Azure OIDC setup

Hi, I am trying to set up Azure OIDC authentication with Vault. I am following this guide: Azure Active Directory with OIDC Auth Method and External Groups | Vault - HashiCorp Learn.

Aside from GroupMember.Read.All, what other permissions do I need for the setup? When I run the command below, I get an 'insufficient permissions' error.

az ad app permission add \
   --id ${AD_VAULT_APP_ID} \
   --api ${AD_MICROSOFT_GRAPH_API_ID} \
   --api-permissions ${AD_PERMISSION_GROUP_MEMBER_READ_ALL_ID}=Scope

I would like to know the list of permissions needed to set up Azure OIDC with Vault.

These permissions worked for my environment.

"Directory.Read.All",
"GroupMember.Read.All",
"User.Read",
"profile"
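
As an added example (not part of this thread or of the HashiCorp guide), the script below grants exactly those four delegated Microsoft Graph permissions to the Vault app registration, resolving each permission's ID by name rather than pasting a GUID into `AD_PERMISSION_GROUP_MEMBER_READ_ALL_ID`, and first shows who is signed in and who owns the app, which is the thing to check when `az ad app permission add` fails with an insufficient-privileges error. It assumes a current Azure CLI, where `az ad sp show` exposes `oauth2PermissionScopes` (older releases called the property `oauth2Permissions`), and reuses the `AD_VAULT_APP_ID` variable from the command quoted in the question; the Microsoft Graph application ID `00000003-0000-0000-c000-000000000000` is the well-known value that is the same in every tenant.

```shell
#!/bin/sh
# Added example, not from the thread or HashiCorp's guide. Grants the four
# delegated Microsoft Graph permissions listed above to the Vault app
# registration, resolving each permission's ID by name instead of hard-coding it.
# Assumes a current Azure CLI that exposes `oauth2PermissionScopes` on
# `az ad sp show` (older releases used `oauth2Permissions`).
set -eu

# Well-known application ID of the Microsoft Graph API (identical in every tenant).
GRAPH_API_ID="00000003-0000-0000-c000-000000000000"

# Delegated permissions reported as working in the answer above. Delegated
# permissions are granted as "ID=Scope"; application permissions would be "ID=Role".
VAULT_SCOPES="User.Read profile GroupMember.Read.All Directory.Read.All"

# Look up the ID of a delegated permission (OAuth2 scope) on the Graph service
# principal by its name, e.g. GroupMember.Read.All.
graph_scope_id() {
  az ad sp show --id "$GRAPH_API_ID" \
    --query "oauth2PermissionScopes[?value=='$1'].id" -o tsv
}

# Build the --api-permissions argument list from scope IDs: "ID=Scope ID=Scope ...".
# Pure string work, so it can be checked without Azure access.
api_permission_args() {
  out=""
  for id in "$@"; do
    out="${out}${out:+ }${id}=Scope"
  done
  printf '%s' "$out"
}

# Before touching the app: who am I, and am I an owner of the registration?
# "Insufficient privileges" from `az ad app permission add` means the signed-in
# account is neither an owner of the app nor holds a directory role (such as
# Application Administrator) that allows editing it. App registrations are
# Azure AD (tenant) objects, so no Azure subscription is needed for this step.
check_can_manage_app() {
  app_id="$1"
  echo "signed-in user:"
  az ad signed-in-user show --query userPrincipalName -o tsv
  echo "owners of app $app_id:"
  az ad app owner list --id "$app_id" --query "[].userPrincipalName" -o tsv
}

# Resolve every scope, add them in one call, then grant tenant-wide admin consent
# (Directory.Read.All and GroupMember.Read.All require admin consent even as
# delegated permissions, so users would otherwise be blocked at sign-in).
grant_vault_scopes() {
  app_id="$1"
  ids=""
  for scope in $VAULT_SCOPES; do
    id="$(graph_scope_id "$scope")"
    [ -n "$id" ] || { echo "no delegated permission named $scope on Graph" >&2; return 1; }
    ids="${ids} ${id}"
  done
  # Word-splitting of $ids and of the built argument string is intended:
  # --api-permissions takes one ID=Scope token per permission.
  # shellcheck disable=SC2086
  az ad app permission add --id "$app_id" --api "$GRAPH_API_ID" \
    --api-permissions $(api_permission_args $ids)
  az ad app permission admin-consent --id "$app_id"
}

# Run only when the Vault app ID is supplied, so the file can also be sourced
# for its helper functions.
if [ -n "${AD_VAULT_APP_ID:-}" ]; then
  check_can_manage_app "$AD_VAULT_APP_ID"
  grant_vault_scopes "$AD_VAULT_APP_ID"
fi
```

Run it as `AD_VAULT_APP_ID=<app id> sh grant-vault-scopes.sh` after `az login --allow-no-subscriptions`. If the owner list does not include the signed-in user, ask the person who created the registration to add you as an owner (`az ad app owner add --id <app id> --owner-object-id <your object id>`) or have a Global or Application Administrator run the grant; the `admin-consent` step always needs an administrator.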

Are you getting the error in Azure or in Vault? If you’re getting the error in Azure do you have sufficient permissions to delegate access?

Thanks for your response. I am getting the error in Azure. I do not have any subscriptions in the Azure portal. I am guessing that could be the reason?
I log in to the Azure CLI with the command 'az login --allow-no-subscriptions'.

The app was created by another user in the portal. Do I need a subscription for the setup, @jeffsanicola?

That’s a bit beyond my knowledge of Azure, perhaps someone else with more knowledge can chime in?

However, doing a quick search, your account might need to be granted additional access. See Custom role permissions for app registration - Azure AD | Microsoft Docs for some more details.
