The reference target 'Application_xxxx-xxxx-xxxx' of type 'Application' is invalid for the 'owners' reference.

Apurva Pathak 635 Reputation points
2024-05-13T16:26:45.3366667+00:00

Hi folks,

I am trying to add an application as an owner to a few Azure AD group but encountering below error message:

"The reference target 'Application_xxxx-xxxx-xxxx' of type 'Application' is invalid for the 'owners' reference."

I tried with AzureAD PS module (Add-AzureADGroupOwner) as well as MS Graph (New-MgGroupOwnerByRef), but nothing works and throws the same error.

When I try to add the same app as owner manually through GUI (on Azure AD portal) that works fine.

Can anyone please help me with this.

Thanks in advance!

Apurva

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,578 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,693 questions
0 comments No comments
{count} votes

Accepted answer
  1. Hitesh Pachipulusu - MSFT 3,545 Reputation points Microsoft Vendor
    2024-05-13T17:33:21.6066667+00:00

    Hello @Apurva Pathak ,

    It seems like you’re encountering a issue when trying to add an application as an owner to an Azure AD group.

    Azure AD does not support adding applications as owners to groups directly. Instead, you should add the service principal of the application as the owner. The service principal represents the application in the directory and has a different object ID from the application object ID in app registrations.

    Here’s what you can try:

    Obtain the Object ID of the service principal associated with your application. You can find this in the Enterprise Applications section of the Azure portal.

    Use the Object ID of the service principal to add it as an owner to the Azure AD group.

    For example, using Microsoft Graph API, your request would look something like this:

    POST https://graph.microsoft.com/v1.0/groups/{GroupObjectID}/owners/$ref

    Content-type: application/json { "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{ObjectIdOfServicePrincipal}" }

    Make sure to replace {GroupObjectID} with the actual object ID of the group and {ObjectIdOfServicePrincipal} with the object ID of the service principal.

    You can use the above graph api call in Invoke-RestMethod powershell command or in Graph Explorer.

    For your reference, https://learn.microsoft.com/en-us/graph/api/group-post-owners?view=graph-rest-1.0&tabs=http, https://stackoverflow.com/questions/70167600/microsoft-graph-addowner-api-does-not-let-me-add-an-application-as-group-owner

    I tried in my environment using Graph Explorer.

    User's image

    User's image

    Hope this helps. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


1 additional answer

Sort by: Most helpful
  1. Apurva Pathak 635 Reputation points
    2024-08-22T15:46:19.3866667+00:00

    It got fixed after using ObjectId of the Enterprise Application.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.