The reference target 'Application_xxxx-xxxx-xxxx' of type 'Application' is invalid for the 'owners' reference.

Apurva Pathak 315 Reputation points
2024-05-13T16:26:45.3366667+00:00

Hi folks,

I am trying to add an application as an owner to a few Azure AD group but encountering below error message:

"The reference target 'Application_xxxx-xxxx-xxxx' of type 'Application' is invalid for the 'owners' reference."

I tried with AzureAD PS module (Add-AzureADGroupOwner) as well as MS Graph (New-MgGroupOwnerByRef), but nothing works and throws the same error.

When I try to add the same app as owner manually through GUI (on Azure AD portal) that works fine.

Can anyone please help me with this.

Thanks in advance!

Apurva

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,775 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,133 questions
Microsoft Entra
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Hitesh Pachipulusu - MSFT 80 Reputation points Microsoft Vendor
    2024-05-13T17:33:21.6066667+00:00

    Hello @Apurva Pathak ,

    It seems like you’re encountering a issue when trying to add an application as an owner to an Azure AD group.

    Azure AD does not support adding applications as owners to groups directly. Instead, you should add the service principal of the application as the owner. The service principal represents the application in the directory and has a different object ID from the application object ID in app registrations.

    Here’s what you can try:

    Obtain the Object ID of the service principal associated with your application. You can find this in the Enterprise Applications section of the Azure portal.

    Use the Object ID of the service principal to add it as an owner to the Azure AD group.

    For example, using Microsoft Graph API, your request would look something like this:

    POST https://graph.microsoft.com/v1.0/groups/{GroupObjectID}/owners/$ref

    Content-type: application/json { "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{ObjectIdOfServicePrincipal}" }

    Make sure to replace {GroupObjectID} with the actual object ID of the group and {ObjectIdOfServicePrincipal} with the object ID of the service principal.

    You can use the above graph api call in Invoke-RestMethod powershell command or in Graph Explorer.

    For your reference, https://learn.microsoft.com/en-us/graph/api/group-post-owners?view=graph-rest-1.0&tabs=http, https://stackoverflow.com/questions/70167600/microsoft-graph-addowner-api-does-not-let-me-add-an-application-as-group-owner

    I tried in my environment using Graph Explorer.

    User's image

    User's image

    Hope this helps. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".