Hello @Sam Hall · Thank you for reaching out.
Since the AppRoles are being assigned to users, at minimum it would require the User Administrator role to be assigned to the users who will be performing App Role assignments.
Another way of doing this is via the Graph API, with the delegated permissions below along with, at minimum, the User Administrator role:
- AppRoleAssignment.ReadWrite.All
- Directory.AccessAsUser.All
Request:
Content-type: application/json
{
  "principalId": "6cad4079-4e79-4a3f-9efb-ea30a14bdb26",
  "principalType": "User",
  "appRoleId": "454dc4c2-8176-498e-99df-8c4efcde41ef",
  "resourceId": "f47a6776-bca7-4f2e-bc6c-eec59d058e3e"
}
Where,
"principalId": Object_ID_of_the_user,
"principalType": "User",
"appRoleId":"Object_ID_of_appRole, which can be fetched from App Manifest",
"resourceId": Object_ID_of_the_servicePrincipal
Read more: https://learn.microsoft.com/en-us/graph/api/resources/approleassignment?view=graph-rest-1.0
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
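
The following is an added example, not part of the answer above or of any Microsoft code: a pre-flight check that builds the same four-field request body from a servicePrincipal object and refuses to build it when the app role is missing, disabled, or not assignable to users. The function name, the sample role values and the `SAMPLE_SP` data are constructed for illustration; the target URL is the Graph v1.0 `appRoleAssignedTo` endpoint, which the answer itself does not show.

```python
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample shaped like a servicePrincipal resource. The first two GUIDs
# reuse the answer's resourceId and appRoleId; role values and the second role are made up.
SAMPLE_SP = {
    "id": "f47a6776-bca7-4f2e-bc6c-eec59d058e3e",
    "appRoles": [
        {"id": "454dc4c2-8176-498e-99df-8c4efcde41ef", "value": "Reports.Read",
         "isEnabled": True, "allowedMemberTypes": ["User"]},
        {"id": "11111111-1111-1111-1111-111111111111", "value": "Sync.Run",
         "isEnabled": True, "allowedMemberTypes": ["Application"]},
    ],
}


def _guid(value, field):
    """Return the canonical lowercase GUID, or raise ValueError naming the field."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{field} is not a GUID: {value!r}") from None


def build_user_role_assignment(service_principal, role_value, user_object_id):
    """Build the appRoleAssignment request for one user and one app role (hypothetical helper)."""
    resource_id = _guid(service_principal.get("id"), "resourceId")
    principal_id = _guid(user_object_id, "principalId")
    # Resolve appRoleId from the service principal instead of copying it by hand.
    matches = [r for r in service_principal.get("appRoles", [])
               if r.get("value") == role_value]
    if len(matches) != 1:
        raise ValueError(f"expected one app role {role_value!r}, found {len(matches)}")
    role = matches[0]
    if not role.get("isEnabled", False):
        raise ValueError(f"app role {role_value!r} is disabled")
    if "User" not in role.get("allowedMemberTypes", []):
        raise ValueError(f"app role {role_value!r} cannot be assigned to users")
    body = {
        "principalId": principal_id,
        "principalType": "User",
        "appRoleId": _guid(role.get("id"), "appRoleId"),
        "resourceId": resource_id,
    }
    return {
        "method": "POST",
        "url": f"{GRAPH}/servicePrincipals/{resource_id}/appRoleAssignedTo",
        "headers": {"Content-Type": "application/json"},
        "json": body,
    }
```

The returned dictionary can be passed to any HTTP client together with a bearer token carrying the delegated permissions listed in the answer.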