You have to use the objectID of the Graph service principal, not its client ID ("00000003-0000-0000-c000-000000000000").
Microsoft Graph resourceID not found when assigning appRole in Microsoft Graph API
Hi,
I’m currently developing automation software for our company’s IT team that leverages the Microsoft Graph API to gather and analyze basic Azure profiles of our employees, applying custom logic for internal processes.
While assigning application-level permissions to a service principal using the Graph API, I encountered an issue. Specifically, I’m attempting to use the /appRoleAssignments endpoint to grant the User.ReadBasic.All permission to my application, but I keep running into problems.
Here’s the request data I sent to:
https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalId}/appRoleAssignments
{
"principalId": "{servicePrincipalId}",
"resourceId": "00000003-0000-0000-c000-000000000000",
"appRoleId": "97235f07-e226-4f63-ace3-39588e11d3a1"
}
I have verified that:
- The principalId is correct (it’s the service principal ID of the app I created).
- The resourceId (Microsoft Graph's appId: 00000003-0000-0000-c000-000000000000) exists in my tenant. I confirmed this by querying: https://graph.microsoft.com/v1.0/servicePrincipals?$filter=servicePrincipalNames%2Fany%28c%3Ac%20eq%20%2700000003-0000-0000-c000-000000000000%27%29 which results in a JSON object containing all the appRoles and more.
- The appRoleId corresponds to the User.ReadBasic.All application permission for Microsoft Graph.
Problem:
Despite all the checks, when I attempt to assign the permission, I receive the following error in the response:
{
"code": "Request_ResourceNotFound",
"message": "Resource '00000003-0000-0000-c000-000000000000' does not exist or one of its queried reference-property objects are not present."
}
What I’ve Tried:
- Verified that the 00000003-0000-0000-c000-000000000000 service principal (Microsoft Graph) exists in my tenant.
- Checked that the access token I'm using includes delegated permissions, but I understand these permissions should be sufficient since I am a Global Admin.
- Tried reassigning the app roles and verifying IDs again with the GET /servicePrincipals endpoint.
Questions:
- What could be causing this issue where the resourceId (Microsoft Graph's service principal) is not being found, even though it clearly exists in the tenant?
- Is there a specific permission or configuration step I might be missing in my tenant or application that could be preventing the assignment from working?
- Could this be related to the access token I’m using, and if so, how can I ensure that my token includes the necessary permissions for appRoleAssignments?
Any advice or guidance would be greatly appreciated!