How to add Azure AD App as contributor to a subscription using Azure API/SDK?

Nivethitha Dhamodhara Kannan 0 Reputation points Microsoft Employee
2023-08-14T15:23:10.5633333+00:00
There is a management api to add role assignments to the subscription, but it's not allowing the Azure AD APP to be added as contributor to the sub, as it says the principal type "App" is not supported.

https://management.azure.com/subscriptions/b9bcd91a-e2be-484a-ae19-39183528792a/providers/Microsoft.Authorization/roleAssignments/b24988ac-6180-42a0-ab88-20f7382dd24c?api-version=2022-04-01

b24988ac-6180-42a0-ab88-20f7382dd24c - is the contributor role.

payload 
{
  "properties": {
    "roleDefinitionId": "/subscriptions/b9bcd91a-e2be-484a-ae19-39183528792a/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "83c3f106-c212-409c-8275-3c399158786c",
    "principalType": "ServicePrincipal"
  }
}


2 answers

  1. Sedat SALMAN 13,740 Reputation points
    2023-08-14T20:22:23.24+00:00

    First, find your Azure AD App's Service Principal ID.

    Use the Service Principal ID for the principalId field, and set principalType as "ServicePrincipal".

    {
      "properties": {
        "roleDefinitionId": "/subscriptions/YOUR_SUBSCRIPTION_ID/providers/Microsoft.Authorization/roleDefinitions/CONTRIBUTOR_ROLE_ID",
        "principalId": "YOUR_SERVICE_PRINCIPAL_ID",
        "principalType": "ServicePrincipal"
      }
    }
    

    Use the Azure REST API endpoint you have (or Azure SDK) to assign the role.

    This is the step-by-step approach to adding an Azure AD App as a contributor to a subscription:


  2. 2023-09-12T20:41:05.1066667+00:00

    Hello @Nivethitha Dhamodhara Kannan , the PrincipalTypeNotSupported error encountered during the creation of a role assignment is caused by passing the Azure AD app registration (or just "application") object id as the principal id. Pass the Azure AD service principal object id instead to fix it. For more information about both models and how they relate, take a look at Application and service principal objects in Azure Active Directory.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
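
The distinction both answers rely on, as an added example that is not part of either answer: resolve the service principal object id from the app's appId (the way a Graph `servicePrincipals?$filter=appId eq '...'` query would return it), refuse the application object id, and build the roleAssignments PUT with principalType ServicePrincipal. The Graph responses, subscription id and GUIDs below are constructed placeholders.

```python
"""Build the Azure RBAC request that assigns a role to a service principal.

The PUT body must carry the *service principal* object id, not the app
registration (application) object id. Both objects share the same appId
but have different object ids, which is what PrincipalTypeNotSupported
trips over. All sample data here is constructed.
"""
import json
import uuid

API_VERSION = "2022-04-01"
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"

# Constructed sample of GET https://graph.microsoft.com/v1.0/applications/{id}
APP_OBJECT = {"id": "11111111-1111-4111-8111-111111111111",
              "appId": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"}

# Constructed sample of GET .../servicePrincipals?$filter=appId eq '{appId}'
SP_LIST = {"value": [{"id": "22222222-2222-4222-8222-222222222222",
                      "appId": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"}]}


def service_principal_object_id(sp_list: dict, app_id: str) -> str:
    """Return the object id of the one service principal matching app_id."""
    matches = [sp["id"] for sp in sp_list.get("value", []) if sp.get("appId") == app_id]
    if len(matches) != 1:
        raise LookupError(f"expected one service principal for appId {app_id}, got {len(matches)}")
    return matches[0]


def build_role_assignment(subscription_id, role_definition_id, principal_id, app_object_id=None):
    """Return (url, body) for the roleAssignments PUT; reject the application object id."""
    if app_object_id is not None and principal_id == app_object_id:
        raise ValueError("principalId is the application object id; use the service principal object id")
    scope = f"/subscriptions/{subscription_id}"
    assignment_name = str(uuid.uuid4())  # each role assignment needs a fresh GUID as its name
    url = (f"https://management.azure.com{scope}/providers/Microsoft.Authorization"
           f"/roleAssignments/{assignment_name}?api-version={API_VERSION}")
    body = {"properties": {
        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
        "principalId": principal_id,
        "principalType": "ServicePrincipal"}}
    return url, body


if __name__ == "__main__":
    sp_id = service_principal_object_id(SP_LIST, APP_OBJECT["appId"])
    url, body = build_role_assignment("00000000-0000-4000-8000-000000000000",
                                      CONTRIBUTOR_ROLE_ID, sp_id, APP_OBJECT["id"])
    print(url)
    print(json.dumps(body, indent=2))
```

Send the returned body with PUT to the returned URL using a token for the management endpoint; the same body shape works through the Azure SDK's authorization client.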

