Interact with Graph using an RBAC role assigned to my enterprise app's service principal

Jessie Robbins 20 Reputation points
2024-06-18T19:35:41.3133333+00:00

I am trying to access information via the Graph API using an app registration with a certificate - specifically using Graph PowerShell. The enterprise app assigned to this app registration has the appropriate assigned and consented-to scopes (ServiceMessage.Read.All) and is also assigned an Entra ID RBAC role (Message Center Privacy Reader), which should allow me to access additional messages. However, it doesn't seem to be recognizing the RBAC role's permissions, as I can pull back content, but not the content accessible to the Privacy Reader role. How should I be forming this connection to make sure I'm getting the access I should be via that RBAC role?

Microsoft Graph

Accepted answer
  Vasil Michev 98,946 Reputation points MVP
    2024-06-19T07:44:52.3666667+00:00

    The best thing to do here is to check the access token. While there is no direct way to expose the token, you can use the following workaround, thanks to the Invoke-MgGraphRequest cmdlet:

    # Send any request and keep the raw HttpResponseMessage, which still carries the outgoing request
    $request = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/admin/serviceAnnouncement/messages" -OutputType HttpResponseMessage
    
    # The bearer token is the parameter of the request's Authorization header; copy it to the clipboard
    $request.RequestMessage.Headers.Authorization.Parameter | clip
    

    The token will be copied to the clipboard, so go ahead and paste it over at jwt.ms to get the decoded values. Double-check the permissions ("scp" claim) and roles assigned ("wids" claim).

    Other than that, it might be that said messages are simply not exposed via app authentication and only available via delegate permissions (user login).


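The token check described in the answer, as an added example that is not part of the original answer or of the Graph PowerShell SDK. It assumes an existing Connect-MgGraph session (certificate-based app-only auth, as in the question), decodes the JWT payload locally rather than pasting the token into a website, and reports the "roles" claim (app permissions), the "scp" claim (delegated scopes, absent in app-only tokens) and the "wids" claim (directory role template IDs), resolving the IDs to role names when the app is allowed to read directoryRoleTemplates.

```powershell
# Added example, not from the original answer or the Graph SDK. Assumes an
# existing Connect-MgGraph session (certificate / app-only, as in the question).
# The raw bearer token stays in memory; it is never written to the clipboard.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments are base64url without padding; restore standard base64
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-MgTokenAuthzClaims {
    # Same workaround as the answer: the HttpResponseMessage carries the
    # request that was sent, including its Authorization header
    $resp = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/admin/serviceAnnouncement/messages?$top=1' `
        -OutputType HttpResponseMessage
    $jwt    = $resp.RequestMessage.Headers.Authorization.Parameter
    $claims = ConvertFrom-Base64Url (($jwt -split '\.')[1]) | ConvertFrom-Json

    # Resolve wids (directory role template IDs) to display names. This needs
    # a directory-read permission; without it the raw IDs are shown instead.
    $roleNames = @{}
    try {
        $templates = Invoke-MgGraphRequest -Method GET `
            -Uri 'https://graph.microsoft.com/v1.0/directoryRoleTemplates'
        foreach ($t in $templates.value) { $roleNames[$t.id] = $t.displayName }
    } catch { Write-Verbose "Could not resolve role template names: $_" }

    [pscustomobject]@{
        AppId           = $claims.appid
        # app-only tokens carry 'roles' (application permissions) and no 'scp'
        AppOnly         = (-not $claims.scp) -and [bool]$claims.roles
        AppPermissions  = @($claims.roles)
        DelegatedScopes = if ($claims.scp) { @($claims.scp -split ' ') } else { @() }
        # 'wids' lists the Entra directory roles assigned to the caller (here, the
        # service principal); this is where Message Center Privacy Reader must appear
        DirectoryRoles  = @($claims.wids | ForEach-Object {
            if ($roleNames[$_]) { "$($roleNames[$_]) ($_)" } else { $_ } })
        ExpiresUtc      = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
    }
}

Get-MgTokenAuthzClaims | Format-List
```

If DirectoryRoles comes back empty while the role assignment is visible in the portal, the token was issued before the assignment took effect; run Disconnect-MgGraph and reconnect so a fresh token is acquired.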