Microsoft Graph resourceID not found when assigning appRole in Microsoft Graph API

Mark Johnson 50 Reputation points
2024-09-25T13:35:19.29+00:00

Hi,

I’m currently developing automation software for our company’s IT team that leverages the Microsoft Graph API to gather and analyze basic Azure profiles of our employees, applying custom logic for internal processes.

While assigning application-level permissions to a service principal using the Graph API, I encountered an issue. Specifically, I’m attempting to use the /appRoleAssignments endpoint to grant the User.ReadBasic.All permission to my application, but I keep running into problems.

Here’s the request data I sent to:

https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalId}/appRoleAssignments

{
  "principalId": "{servicePrincipalId}",
  "resourceId": "00000003-0000-0000-c000-000000000000", 
  "appRoleId": "97235f07-e226-4f63-ace3-39588e11d3a1"
}

I have verified that:

  • The principalId is correct (it’s the service principal ID of the app I created).
  • The resourceId (Microsoft Graph's appId: 00000003-0000-0000-c000-000000000000) exists in my tenant. I confirmed this by querying: https://graph.microsoft.com/v1.0/servicePrincipals?$filter=servicePrincipalNames%2Fany%28c%3Ac%20eq%20%2700000003-0000-0000-c000-000000000000%27%29 which results in a json object containing all the appRoles and more.
  • The appRoleId corresponds to the User.ReadBasic.All application permission for Microsoft Graph.

Problem:

Despite all the checks, when I attempt to assign the permission, I receive the following error in the response:

{
  "code": "Request_ResourceNotFound",
  "message": "Resource '00000003-0000-0000-c000-000000000000' does not exist or one of its queried reference-property objects are not present."
}

What I’ve Tried:

  • Verified that the 00000003-0000-0000-c000-000000000000 service principal (Microsoft Graph) exists in my tenant.
  • Checked that the access token I'm using includes delegated permissions, but I understand these permissions should be sufficient since I am a Global Admin.
  • Tried reassigning the app roles and verifying IDs again with the GET /servicePrincipals endpoint.

Questions:

  1. What could be causing this issue where the resourceId (Microsoft Graph's service principal) is not being found, even though it clearly exists in the tenant?
  2. Is there a specific permission or configuration step I might be missing in my tenant or application that could be preventing the assignment from working?
  3. Could this be related to the access token I’m using, and if so, how can I ensure that my token includes the necessary permissions for appRoleAssignments?

Any advice or guidance would be greatly appreciated!


Accepted answer
Vasil Michev 106.6K Reputation points MVP
2024-09-25T16:52:57.0766667+00:00

You have to use the objectID of the Graph service principal, not its client ID ("00000003-0000-0000-c000-000000000000").

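To make the accepted answer concrete, here is an added Python example (it is not code from the question, the answer, or Microsoft) that derives `resourceId` from the Microsoft Graph service principal's objectId instead of its appId. The service principal response is a constructed sample: the `id` value is made up, and the appRole id is the one quoted in the question.

```python
# Well-known appId (client ID) of the Microsoft Graph application. It is the
# same in every tenant, but it is NOT the objectId of the tenant's Microsoft
# Graph service principal, which is what resourceId must carry.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample of one object from
# GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>'
# The "id" (objectId) is a placeholder; a real tenant has its own value.
SAMPLE_GRAPH_SP = {
    "id": "11111111-2222-3333-4444-555555555555",  # constructed objectId
    "appId": GRAPH_APP_ID,
    "displayName": "Microsoft Graph",
    "appRoles": [
        {
            "id": "97235f07-e226-4f63-ace3-39588e11d3a1",  # from the question
            "value": "User.ReadBasic.All",
            "allowedMemberTypes": ["Application"],
        },
    ],
}


def uses_app_id_as_resource(body: dict) -> bool:
    """True when a request body repeats the mistake from the question:
    the well-known appId placed where the service principal objectId belongs."""
    return body.get("resourceId") == GRAPH_APP_ID


def build_app_role_assignment(principal_id: str, resource_sp: dict, permission: str) -> dict:
    """Build the POST body for /servicePrincipals/{principal_id}/appRoleAssignments.

    resource_sp is the service principal object of the API that exposes the
    permission. resourceId is taken from its objectId ("id"), never from appId,
    and appRoleId is looked up by the permission's value string so that the
    role id is never hard-coded.
    """
    roles = [
        r for r in resource_sp.get("appRoles", [])
        if r.get("value") == permission and "Application" in r.get("allowedMemberTypes", [])
    ]
    if not roles:
        raise LookupError(f"{permission} is not an application permission on "
                          f"{resource_sp.get('displayName')}")
    body = {"principalId": principal_id, "resourceId": resource_sp["id"], "appRoleId": roles[0]["id"]}
    if uses_app_id_as_resource(body):
        raise ValueError("resourceId must be the service principal objectId, not the appId")
    return body
```

The same lookup works for any resource API (not only Graph): filter `servicePrincipals` on the resource's `appId`, then read `id` from the returned object.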
