Needed permissions to create appRoleAssignment for a user

Francisco Javier Gomariz Abril 20 Reputation points Microsoft Employee
2025-02-22T14:05:01.0466667+00:00

I am trying to create an appRoleAssignment for a user. I see the same behavior using Microsoft Graph, the API or the Graph client. It works using the Entra portal.

I have consented to the AppRoleAssignment.ReadWrite.All permission in Graph:
[screenshot of the consented permissions]

I am using the endpoint:

https://graph.microsoft.com/v1.0/users/{user-id}/appRoleAssignments

The request body is:

{
    "resourceId": "identifier of application with app roles",
    "appRoleId": "identifier of the app role",
    "principalId": "user-id"
}

And the response is:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            ...
        }
    }
}

Am I missing something? Is the permission correct?

Thank you.


Accepted answer
  1. Akhil Nasalwai - MSFT 895 Reputation points Microsoft External Staff
    2025-02-24T03:20:24.4933333+00:00

    Hello Francisco Javier Gomariz Abril,

    Thank you for reaching out to Microsoft!!

    For creating an appRoleAssignment for a user using the Graph API, in delegated scenarios please make sure one of the roles is present for the signed-in user as per the official documentation referenced below:

    Link: Create appRoleAssignment


    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


2 additional answers

  1. Yakun Huang-MSFT 10,555 Reputation points Microsoft External Staff
    2025-02-24T05:15:24.2566667+00:00

    Hello Francisco Javier Gomariz Abril,

    Thank you for reaching out to Microsoft Support!

    According to the documentation, when using delegated permissions, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. As shown in the picture below:

    [screenshot of the supported roles table from the documentation]

    Please check if your account has the above roles.

    Reference document:

    https://learn.microsoft.com/en-us/graph/api/user-post-approleassignments?view=graph-rest-1.0&tabs=http

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

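An added diagnostic (not from the thread or from Microsoft's samples) for the permission model the two answers describe: before retrying the request, decode the access token you are actually sending and compare its claims with that model. In an Entra token the `scp` claim carries delegated scopes, `roles` carries application permissions, and `wids` carries the signed-in user's directory role template IDs; the two template IDs in the table are the real IDs for the roles the question mentions (the full list the endpoint accepts is in the linked documentation), and the helper that builds a test token is constructed for offline use only.

```python
import base64
import json

# Graph permission named in the thread (delegated scope or application role).
REQUIRED_PERMISSION = "AppRoleAssignment.ReadWrite.All"

# Entra role template IDs that appear in a delegated token's "wids" claim.
# Only the two roles the question mentions are listed; the full set of roles the
# endpoint accepts is in the linked "Create appRoleAssignment" documentation.
SUPPORTED_ROLE_TEMPLATE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "fe930be7-5e62-47db-91af-98c3a49a38b1": "User Administrator",
}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    For inspecting a token you already hold only; never use this to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_approleassignment_token(token: str) -> dict:
    """Apply the permission model the answers describe for
    POST /users/{id}/appRoleAssignments to the claims actually in the token."""
    claims = decode_jwt_payload(token)
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    app_roles = set(claims.get("roles", []))     # application permissions
    held = [SUPPORTED_ROLE_TEMPLATE_IDS[w] for w in claims.get("wids", [])
            if w in SUPPORTED_ROLE_TEMPLATE_IDS]
    if "scp" in claims:  # delegated flow: scope AND a supported directory role
        flow, ok = "delegated", REQUIRED_PERMISSION in scopes and bool(held)
    else:                # client-credentials flow: the application permission alone
        flow, ok = "application", REQUIRED_PERMISSION in app_roles
    return {"flow": flow, "has_permission": REQUIRED_PERMISSION in scopes | app_roles,
            "supported_roles": held, "sufficient": ok}


def make_unsigned_test_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline tests (not a real Entra token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."
```

Paste a real token into `check_approleassignment_token`; a result with `has_permission` false means the token was issued without the consented permission, and a delegated result with an empty `supported_roles` list means the signed-in user's role did not make it into the token.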

  2. Francisco Javier Gomariz Abril 20 Reputation points Microsoft Employee
    2025-02-24T07:36:38.55+00:00

    Thank you @Yakun Huang-MSFT @Akhil Nasalwai - MSFT for your answer. The signed-in user is already a User Administrator and Global Administrator, so I think it is not the problem. And the same happens when I use Application permissions with AppRoleAssignment.ReadWrite.All.

    Always the same 403 response. Any other idea?

    Thank you.
