That's not how you use the endpoint; the identifier of an AppRoleAssignment is not a GUID. You seem to be passing the identifier for an AppRoleId instead, which will not work. Do a GET query against /servicePrincipals/{servicePrincipalid}/appRoleAssignments first to get the id of the corresponding AppRoleAssignment, then use said id in the Delete operation.
Revoke app role assignment from service principal not working
Hi there,
I'm reporting this issue here because I first reported it here: https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3142 and was routed to the Microsoft Graph support page, where I couldn't find a bug reporting page and the known issues page is rendering an error.
When I invoke the endpoint to revoke a service principal app role assignment, it fails with Status 400 and the message: Invalid resource identifier for EntitlementGrant. I have tried this both on PowerShell and the C# SDK and am using a valid SP id and app role assignment id (I used the same one to create the app role). I also tried with several different valid app role ids and each fails with this error. Is this a known bug? When will it get fixed, or is there a working call for revoking app role assignments for service principals? I've attached a screenshot executing from PowerShell.
1 answer
Vasil Michev 115.7K Reputation points MVP
2025-02-20T08:27:09.2533333+00:00
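
The two-step sequence described in the answer (list the assignments, then delete by the assignment's own id), as an added PowerShell example that is not part of the original thread or of either participant's post. It assumes the Microsoft.Graph PowerShell SDK and an existing `Connect-MgGraph` session with the `AppRoleAssignment.ReadWrite.All` and `Application.Read.All` scopes; the function name `Revoke-SpAppRoleAssignment` and its parameters are hypothetical.

```powershell
# Added example, not from the thread. Assumes a Connect-MgGraph session already exists.
function Revoke-SpAppRoleAssignment {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Object id of the service principal that holds the role.
        [Parameter(Mandatory)] [guid] $ServicePrincipalId,
        # GUID of the app role itself. This is NOT the assignment id.
        [Parameter(Mandatory)] [guid] $AppRoleId,
        # Optional: object id of the resource (API) service principal,
        # to disambiguate when two resources expose the same role GUID.
        [guid] $ResourceId
    )

    # Step 1: GET /servicePrincipals/{id}/appRoleAssignments
    $assignments = Get-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $ServicePrincipalId -All

    # Find the assignment(s) that grant the requested role.
    $found = @($assignments | Where-Object {
        [string]$_.AppRoleId -eq [string]$AppRoleId -and
        (-not $PSBoundParameters.ContainsKey('ResourceId') -or
         [string]$_.ResourceId -eq [string]$ResourceId)
    })

    if ($found.Count -eq 0) {
        Write-Warning "No assignment of role $AppRoleId found on $ServicePrincipalId."
        return
    }

    foreach ($a in $found) {
        # $a.Id is the opaque AppRoleAssignment id the DELETE endpoint expects.
        $target = "assignment $($a.Id) (role $($a.AppRoleId) on $($a.ResourceDisplayName))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove app role assignment')) {
            # Step 2: DELETE /servicePrincipals/{id}/appRoleAssignments/{assignmentId}
            Remove-MgServicePrincipalAppRoleAssignment `
                -ServicePrincipalId $ServicePrincipalId `
                -AppRoleAssignmentId $a.Id -Confirm:$false
            $a.Id   # emit the id that was revoked, for audit logging
        }
    }
}

# Dry run with placeholder GUIDs; replace with real object ids from your tenant:
# Revoke-SpAppRoleAssignment -ServicePrincipalId '<sp-object-id>' -AppRoleId '<app-role-guid>' -WhatIf
```

Running with `-WhatIf` first lists the assignment ids that would be removed, which is a quick way to confirm the right grant is targeted before revoking it.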