
For roles in my app registration, I can add users via the Azure portal, but it does not allow me to add service principals.

I extracted the web call that my browser makes:

Invoke-WebRequest -UseBasicParsing -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/1213111313131/appRoleAssignedTo" `
    -Method "POST" `
    -Headers @{
        "Accept"        = "*/*"
        "Authorization" = "Bearer asfsafsafasfsafsafsaf"
    } `
    -ContentType "application/json" `
    -Body "{`"appRoleId`":`"32523532532`",`"resourceId`":`"32523532525`",`"principalId`":`"32523523`"}"

But when I put my app registration object ID as the principal ID, I get the error "Not a valid reference update."

How can I add a service principal?

  • Show your roles config, specifically the user/groups vs. user/groups + apps column ("Allowed member types") in the "app roles" tab. Commented 2 days ago

1 Answer

my app registration object id as principal id

Roles are not assigned to app registrations. The error message is really confusing though if this is the reason.

Anyway, you need to use the object ID of the service principal connected to the app registration. Either find it in the Enterprise applications list or click "Managed application in local directory" on the app registration.

To summarize, this is what you need:

POST /servicePrincipals/{id}/appRoleAssignedTo

Here {id} is the object ID of the service principal where the role is defined.

Then the parameters:

  • resourceId: Same object ID as in URL
  • principalId: Object ID of service principal the role should be granted to (what I described earlier)
  • appRoleId: Id of the role to grant

Even though roles are not assigned to app registrations, in this case since you do have an app registration, it would be good to also add the role as a required permission on that app registration for documentation's sake.

You can do that with an update to the application object:

{
  "requiredResourceAccess": [
    {
      "resourceAppId": "the-resourceId-value-from-before",
      "resourceAccess": [
        {
          "id": "the-appRoleid-from-before",
          "type": "Role"
        }
      ]
    }
  ]
}

API doc: https://learn.microsoft.com/en-us/graph/api/application-update?view=graph-rest-1.0&tabs=http
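The procedure in the answer, as an added PowerShell example that is not the answerer's code: it resolves the service-principal object IDs from both app registrations' application (client) IDs so the app registration object ID is never used as principalId, checks that the role allows Application members, and then performs the POST. It assumes $token holds a Graph bearer token with Application.Read.All and AppRoleAssignment.ReadWrite.All, and every ID and role value below is a placeholder.

```powershell
# Added example, not from the question or answer. All IDs and the token are placeholders.
$token         = "<bearer-token>"
$resourceAppId = "<appId of the API that defines the role>"   # application (client) ID
$clientAppId   = "<appId of the app registration to grant>"   # application (client) ID
$roleValue     = "<value of the app role, e.g. Data.Read>"

$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
$graph   = "https://graph.microsoft.com/v1.0"

# Resolve the service principals (Enterprise applications) behind both app registrations.
# Filtering by appId returns the SP object id, which is what appRoleAssignedTo expects.
$resourceSp = (Invoke-RestMethod -Headers $headers -Uri "$graph/servicePrincipals?`$filter=appId eq '$resourceAppId'").value[0]
$clientSp   = (Invoke-RestMethod -Headers $headers -Uri "$graph/servicePrincipals?`$filter=appId eq '$clientAppId'").value[0]
if (-not $resourceSp -or -not $clientSp) {
    throw "Service principal not found; create it (Enterprise applications) before assigning roles."
}

# Look up the app role by its value on the resource SP and require that it allows
# Application members; otherwise Graph rejects the assignment.
$role = $resourceSp.appRoles | Where-Object { $_.value -eq $roleValue -and $_.isEnabled }
if (-not $role) { throw "Role '$roleValue' is not defined on $($resourceSp.displayName)." }
if ($role.allowedMemberTypes -notcontains "Application") {
    throw "Role '$roleValue' is not assignable to service principals (allowedMemberTypes lacks 'Application')."
}

# Idempotency: skip if the assignment already exists (first page only; follow @odata.nextLink for large tenants).
$existing = (Invoke-RestMethod -Headers $headers -Uri "$graph/servicePrincipals/$($resourceSp.id)/appRoleAssignedTo").value |
    Where-Object { $_.principalId -eq $clientSp.id -and $_.appRoleId -eq $role.id }
if ($existing) { Write-Host "Assignment already present: $($existing.id)"; return }

$body = @{
    principalId = $clientSp.id    # object id of the SP being granted the role
    resourceId  = $resourceSp.id  # object id of the SP that defines the role (same id as in the URL)
    appRoleId   = $role.id
} | ConvertTo-Json

$assignment = Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$graph/servicePrincipals/$($resourceSp.id)/appRoleAssignedTo" -Body $body
Write-Host "Granted $roleValue to $($clientSp.displayName): assignment $($assignment.id)"
```

The allowedMemberTypes check is the condition the comment on the question points at: a role defined for users/groups only cannot be granted to a service principal, whatever ID is supplied.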


1 Comment

Thanks. I managed to set it successfully now. I wonder if I just had a licensing issue with my test tenant, since it now works with the same script.
