Share via

Graph API - Service Principal app role assignments, returns nothing

Chris 26 Reputation points
2024-06-27T19:16:18.2733333+00:00

I am trying to use the

https://graph.microsoft.com/v1.0/servicePrincipals/ServicePrincipalID/appRoleAssignment

API, however it does not return any results on the 1.0 or beta endpoint. Is this a known issue or am I doing something wrong?

I am using Powershell, MSAL module to get a token, and calling that as a GET request via Invoke-RestMethod. I have also tried the MG Graph PS module equivalent. I have validated that the MG Graph app in Entra ID has application.read.all (and my custom app for trying it directly).

graph.windows.net <-- This works either via direct API call or the Get-AzureADServiceAppRoleAssignment MSOLv2 PS command

graph.microsoft.com <-- Returns nothing either via direct API call or the Get-MgServicePrincipalAppRoleAssignment MG Graph PS command.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
13,507 questions
0 comments
Accepted answer
  1. Vasil Michev 116.9K Reputation points MVP
    2024-06-28T06:34:33.2766667+00:00

    The /appRoleAssignments endpoint returns application permissions consented to the given service principal. If delegate permissions are used instead, the /oauth2PermissionGrants endpoint is what you need.

    In both cases, if no consent has been granted, nothing will show on the SP object, even if the app object lists the permissions.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.