Are appRoleIds ever allowed in preAuthorizedApplications?

James Morton 20 Reputation points
2024-06-06T06:12:32.37+00:00

According to https://learn.microsoft.com/en-us/graph/api/resources/preauthorizedapplication?view=graph-rest-beta, "In some rare cases, an identifier listed in the permissionIds property may refer to an app role (from the service principal's appRoles property), indicating that the client application identified by the appId property has been preauthorized for that app role."

Does anyone know in what cases this might occur?

I have a use case in which this would be helpful: I'm developing a multi-tenant solution, and so being able to preauthorize another service principal to my app without requiring tenant administrator consent would be beneficial.

Since in beta, the property is just called permissionIds, I tried using an appRoleId in the permissionIds property, but it threw "Property api.preAuthorizedApplications.permissionIds has a Permission Id that cannot be found in the DelegatedPermissions set."

I tried, out of curiosity, adding an appRoleIds property to the preAuthorizedApplication resource, and to my surprise, rather than returning a 400 error about an invalid property name, Graph returned a 403 access denied error. This makes me believe that preauthorizing app roles is available as an internal feature.

Does anyone know if such a feature will ever be released?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,106 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,154 questions
{count} votes

Accepted answer
  1. Raja Pothuraju 550 Reputation points Microsoft Vendor
    2024-06-18T09:05:52.24+00:00

    Hello @James Morton,

    Thank you for your patience and allowed me time to look into your issue.

    I understand that you are trying to preauthorize another service principal to your app without requiring tenant administrator consent, and you are curious about whether appRoleIds are allowed in preAuthorizedApplications and if there is any internal feature available for preauthorizing app roles.

    After checking with my internal, I can confirm you that appRoleIds are not currently allowed in preAuthorizedApplications.

    According to https://learn.microsoft.com/en-us/graph/api/resources/preauthorizedapplication?view=graph-rest-beta, "In some rare cases, an identifier listed in the permissionIds property may refer to an app role (from the service principal's appRoles property), indicating that the client application identified by the appId property has been preauthorized for that app role."

    Earlier they made it for some customers, but it's not working now. Thanks for pointing this and we are working internally with authors to update the documentation.

    Hope this includes all the information that you were looking for.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju


0 additional answers

Sort by: Most helpful