ADDING "RoleManagementPolicy.Read.AzureADGroup" As Delegated Permissions (User Consent) Fails

Jorge de Almeida Pinto [MVP] 96 Reputation points MVP
2024-01-11T16:44:55.6233333+00:00

Hi,

  For automation purposes I'm writing a PowerShell script (all using native Graph stuff, no PowerShell cmdlets!) that executes a number of steps, such as:

  • authentication - WORKS
    • $clientId = "1b730954-1685-4b74-9bfd-dac224a7b894" #--------- Azure Active Directory PowerShell
    • $resource = "https://graph.microsoft.com" #------------------ Microsoft Graph API
  • check if account is member of Global Admins role - WORKS
  • Check if the User Access Admin role has been assigned or not; if not, assign it - WORKS
  • Check if a service principal exists or not with appid "14d82eec-204b-4c2f-b7e8-296a70dab67e" (= "Microsoft Graph Command Line Tools"); if not, create it - WORKS
  • Check if an app role assignment exists or not for the running account; if not, create the app role assignment - WORKS
  • Check if all required delegated permissions (see list below) exist as User Consent for the running account; if not, create the assignment if it does not exist at all, otherwise update the existing assignment for any missing delegated permissions - FAILS/WORKS (!!)

  With the last bullet you can see it either works or fails, depending on the scenario. I have been turning everything upside down to understand why it either works or fails. Either way, the "very special" delegated permission is highlighted below and it is ALWAYS that one!

  Scenarios:
  • When existing USER consents exist (does not matter what, but as an example: email offline_access openid profile user.read): it always fails to be ADDED in case the highlighted delegated perm is in the list to be added. If it is not in the list all is OK!
  • When NO USER consents exist, it always succeeds, whether the list includes the highlighted delegated permission or not

The error that I get is always (in the AAD Audit Logs): Microsoft.Online.DirectoryServices.DirectoryServiceException, and in PowerShell I get the following error (not that it provides more or better info, but at least it is complete): The remote server returned an error: (500) Internal Server Error. If it was an invalid access token (e.g. unauthorized) or access denied, I would expect it to say so, but it does not. Every single time it fails it is a Directory Service Exception, not even Bad Request (meaning whatever I'm executing has been specified incorrectly). This is more that something is not liked by the DS, but I have no clue WHAT or WHY as no other info is given.

Anyone have a hint/tip?

```powershell
# Delegated scopes that must be present in the user's consent grant
[System.Collections.ArrayList]$requiredScopesList = @()
$requiredScopesList += "email"
$requiredScopesList += "offline_access"
$requiredScopesList += "openid"
$requiredScopesList += "profile"
$requiredScopesList += "User.Read"
$requiredScopesList += "AdministrativeUnit.Read.All"
$requiredScopesList += "Agreement.Read.All"
$requiredScopesList += "AgreementAcceptance.Read"
$requiredScopesList += "AgreementAcceptance.Read.All"
$requiredScopesList += "AuditLog.Read.All"
$requiredScopesList += "Directory.Read.All"
$requiredScopesList += "EntitlementManagement.Read.All"
$requiredScopesList += "Group.Read.All"
$requiredScopesList += "IdentityProvider.Read.All"
$requiredScopesList += "Organization.Read.All"
$requiredScopesList += "Policy.Read.All"
$requiredScopesList += "PrivilegedAccess.Read.AzureAD"
$requiredScopesList += "PrivilegedAccess.Read.AzureADGroup"
$requiredScopesList += "PrivilegedAccess.Read.AzureResources"
$requiredScopesList += "PrivilegedAccess.ReadWrite.AzureADGroup"
$requiredScopesList += "PrivilegedAssignmentSchedule.Read.AzureADGroup"
$requiredScopesList += "PrivilegedEligibilitySchedule.Read.AzureADGroup"
$requiredScopesList += "RoleAssignmentSchedule.Read.Directory"
$requiredScopesList += "RoleEligibilitySchedule.Read.Directory"
$requiredScopesList += "RoleManagement.Read.All"
$requiredScopesList += "RoleManagement.Read.Directory"
$requiredScopesList += "RoleManagementAlert.Read.Directory"
$requiredScopesList += "RoleManagementPolicy.Read.AzureADGroup" # <== SPECIAL?
$requiredScopesList += "RoleManagementPolicy.Read.Directory"
$requiredScopesList += "User.Read.All"
```

Thank you.

Best regards, jorge

Microsoft Security Microsoft Graph

1 answer

  1. Aditi Sharma 0 Reputation points Microsoft Employee
    2024-02-08T12:21:56.0766667+00:00

    This issue seems like a bug or an undocumented limitation within Microsoft Graph API. There are occasionally scopes that may cause issues when trying to add as a delegated permission.

    You might want to try a few things:

    1. Try to add the RoleManagementPolicy.Read.AzureADGroup scope separately after you've added all other scopes.
    2. Try to add the RoleManagementPolicy.Read.AzureADGroup scope first before adding the other scopes.
    3. Try to debug your script by adding one scope at a time to see if there are other scopes that cause this issue.

    Also, please make sure that the account you're using to assign these permissions has the necessary rights to do so. In particular, it should have one of the following roles: Global Administrator, Privileged Role Administrator, Application Administrator, or Cloud Application Administrator. Here is the documentation on Permissions and consent in the Microsoft identity platform.

    Another possibility for this issue could be that the highlighted delegated permission "RoleManagementPolicy.Read.AzureADGroup" requires admin consent, which means that it cannot be granted by individual users and must be granted by an administrator. If the user running the PowerShell script does not have the necessary permissions to grant admin consent, then the script may fail to add this delegated permission to the list of required delegated permissions.

    To resolve this issue, you may want to check whether the user running the PowerShell script has the necessary permissions to grant admin consent for the highlighted delegated permission. If not, you may need to grant the user the necessary permissions or have an administrator grant admin consent for the delegated permission.

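The following is an added example, not code from the question or the answer above. It puts the two things discussed in this thread into one function: the create-or-update logic for a user's delegated consent (an oauth2PermissionGrant with consentType 'Principal') using raw Graph REST calls, and the "add one scope at a time" debugging step suggested in the answer, applied automatically when the combined PATCH comes back with a server error. The HTTP call is injected as a scriptblock so the function can run offline against a constructed mock; the service principal and user object IDs, the grant ID and the mock's behaviour (a 500 whenever RoleManagementPolicy.Read.AzureADGroup is PATCHed onto an existing grant, mirroring the symptom reported in the question) are all assumptions made for the example, not confirmed Graph behaviour.

```powershell
# Added example (not from the original post). Sync a user's delegated consent
# (oauth2PermissionGrant) with a required scope list via raw Graph REST calls.
# If the combined PATCH fails, fall back to adding scopes one by one so that a
# single rejected scope is isolated instead of blocking the whole update.
# $Invoke is a scriptblock: param($Method, $Uri, $Body) -> response object.
function Sync-DelegatedGrant {
    param(
        [Parameter(Mandatory)][string]$ClientSpId,     # objectId of the client service principal (assumed)
        [Parameter(Mandatory)][string]$ResourceSpId,   # objectId of the Microsoft Graph service principal (assumed)
        [Parameter(Mandatory)][string]$PrincipalId,    # objectId of the signed-in user (assumed)
        [Parameter(Mandatory)][string[]]$RequiredScopes,
        [Parameter(Mandatory)][scriptblock]$Invoke
    )
    $base   = 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants'
    $filter = "clientId eq '$ClientSpId' and consentType eq 'Principal' and principalId eq '$PrincipalId' and resourceId eq '$ResourceSpId'"
    $existing = (& $Invoke 'GET' "$base`?`$filter=$([uri]::EscapeDataString($filter))" $null).value | Select-Object -First 1

    if (-not $existing) {
        # No user consent yet: one POST carrying the full scope string
        $body = @{ clientId = $ClientSpId; consentType = 'Principal'; principalId = $PrincipalId
                   resourceId = $ResourceSpId; scope = ($RequiredScopes -join ' ') }
        & $Invoke 'POST' $base $body | Out-Null
        return [pscustomobject]@{ Action = 'Created'; Scopes = $RequiredScopes; Rejected = @() }
    }

    $current = @($existing.scope -split '\s+' | Where-Object { $_ })
    $missing = @($RequiredScopes | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) {
        return [pscustomobject]@{ Action = 'UpToDate'; Scopes = $current; Rejected = @() }
    }

    $uri = "$base/$($existing.id)"
    try {
        & $Invoke 'PATCH' $uri @{ scope = (($current + $missing) -join ' ') } | Out-Null
        return [pscustomobject]@{ Action = 'Updated'; Scopes = ($current + $missing); Rejected = @() }
    } catch {
        Write-Warning "Combined PATCH failed ($($_.Exception.Message)); adding scopes one at a time to isolate the offender"
    }

    # Bisect: apply each missing scope on its own; keep the ones the directory accepts
    $granted  = [System.Collections.Generic.List[string]]::new([string[]]$current)
    $rejected = [System.Collections.Generic.List[string]]::new()
    foreach ($s in $missing) {
        try {
            & $Invoke 'PATCH' $uri @{ scope = (($granted + $s) -join ' ') } | Out-Null
            $granted.Add($s)
        } catch {
            Write-Warning "Scope '$s' rejected: $($_.Exception.Message)"
            $rejected.Add($s)
        }
    }
    return [pscustomobject]@{ Action = 'PartiallyUpdated'; Scopes = $granted.ToArray(); Rejected = $rejected.ToArray() }
}

# Real invoker (assumed shape; needs a bearer token for Microsoft Graph):
# $realInvoke = { param($m, $u, $b)
#     Invoke-RestMethod -Method $m -Uri $u -Headers @{ Authorization = "Bearer $token" } `
#         -ContentType 'application/json' -Body $(if ($b) { $b | ConvertTo-Json } else { $null }) }

# Constructed offline mock reproducing the reported symptom: a grant that already
# holds the basic scopes, and a directory that answers 500 whenever
# RoleManagementPolicy.Read.AzureADGroup is PATCHed onto that existing grant.
$script:MockGrant = @{ id = 'grant-1'; scope = 'email offline_access openid profile User.Read' }
$mockInvoke = {
    param($Method, $Uri, $Body)
    switch ($Method) {
        'GET'   { return @{ value = @([pscustomobject]$script:MockGrant) } }
        'POST'  { return @{ id = 'grant-new' } }
        'PATCH' {
            if ($Body.scope -match 'RoleManagementPolicy\.Read\.AzureADGroup') {
                throw 'The remote server returned an error: (500) Internal Server Error.'
            }
            $script:MockGrant.scope = $Body.scope
            return $null
        }
    }
}

$result = Sync-DelegatedGrant -ClientSpId 'client-sp-objectid' -ResourceSpId 'graph-sp-objectid' -PrincipalId 'user-objectid' `
    -RequiredScopes @('email', 'User.Read', 'RoleManagement.Read.Directory',
                      'RoleManagementPolicy.Read.AzureADGroup', 'RoleManagementPolicy.Read.Directory') `
    -Invoke $mockInvoke
$result | Format-List
```

With the mock, the combined PATCH fails, the per-scope pass grants RoleManagement.Read.Directory and RoleManagementPolicy.Read.Directory, and the result lists RoleManagementPolicy.Read.AzureADGroup under Rejected, which is the piece of information the 500 response itself does not give. Against a real tenant the same loop tells you which scope to take to admin consent instead of guessing; swap in the Invoke-RestMethod scriptblock and a token obtained with the client ID from the question.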
