How to add application role assignment to an EntraID enterprise application?

Question

I have an Enterprise application which was created from Spacelift (Cloud integration with Azure).

Spacelift request does not create App registration, only service principal (Enterprise application). I want this service principal to have permissions to create new app registrations and app role assignments. I understand the enterprise application needs to have permission Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9) ref. https://docs.microsoft.com/en-us/graph/permissions-reference#all-permissions-and-ids, not delegated permission with the same name.

How can I add this permission to the enterprise application? I found this giude: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments?view=graph-rest-1.0&tabs=http but I do not understand what my resourceId should be. I want to run the command from powershell using Connect-MgGraph.

Answer 1

$graphSPN = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

$permission = "Application.ReadWrite.All"

$appRole = $graphSPN.AppRoles |

Where-Object Value -eq $permission |

Where-Object AllowedMemberTypes -contains "Application"

Verify:

$appRole

$sp = Get-MgServicePrincipal -ServicePrincipalId <ID of App>

$bodyParam = @{

PrincipalId = $sp.Id

ResourceId  = $graphSPN.Id

AppRoleId   = $appRole.Id

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -BodyParameter $bodyParam