Thanks for reaching out.
Sorry for the delayed response, as I was testing a few scenarios in my lab as well as checking with the respective team internally.
I hope you are using this flow: get access on behalf of a user from a service principal and call the Graph API to make an AAD role assignment request. You must define the appropriate “PrivilegedAccess” permission in the scope when you request the authorization code and access token. This may vary based on the type of call you make through the Graph API; for example, if you make an AAD role assignment request, then the scope must contain “PrivilegedAccess.ReadWrite.AzureAD”.
I used the format below for requesting an access token, and when I tried to make a Graph API call to assign an "AAD role" it worked fine for me without any issue. Similarly, if you don't mention the respective “PrivilegedAccess” permission in the scope, then I get “Code: UnauthorizedAccessException Message: Attempted to perform an unauthorized operation”.
In my lab I had assigned the "Privileged Role Administrator" role for the user and the service principal, with Directory.AccessAsUser.All (delegated scope).
Authorization request and token request:
GET
https://login.microsoftonline.com/e3bcda0c-dafb-4640-975a-3af8d1d63a27/oauth2/v2.0/authorize?
client_id=8eb4a445-25f5-40f4-9f54-8ef85d324255
&response_type=code
&redirect_uri=https%3A%2F%2Fjwt.ms
&response_mode=query
&scope=PrivilegedAccess.Read.AzureAD+PrivilegedAccess.Read.AzureADGroup+PrivilegedAccess.Read.AzureResources+PrivilegedAccess.ReadWrite.AzureAD+PrivilegedAccess.ReadWrite.AzureADGroup+PrivilegedAccess.ReadWrite.AzureResources+Directory.AccessAsUser.All
&state=12345
POST https://login.microsoftonline.com/atriumph.onmicrosoft.com/oauth2/v2.0/token
Body
client_id=8eb4a445-25f5-40f4-9f54-8ef85d324255 // NOTE: same app registration as in the authorization request
&scope=PrivilegedAccess.Read.AzureAD+PrivilegedAccess.Read.AzureADGroup+PrivilegedAccess.Read.AzureResources+PrivilegedAccess.ReadWrite.AzureAD+PrivilegedAccess.ReadWrite.AzureADGroup+PrivilegedAccess.ReadWrite.AzureResources+Directory.AccessAsUser.All
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=https%3A%2F%2Fjwt.ms // NOTE: must exactly match the redirect_uri sent in the authorization request
&grant_type=authorization_code
&client_secret=************ // NOTE: Only required for web apps
Graph API roleAssignmentRequests call
POST https://graph.microsoft.com/beta/privilegedAccess/aadRoles/roleAssignmentRequests
Headers
Authorization: Bearer <access token from the token request above>
Content-Type: application/json
Body
{
  "resourceId": "e3bcda0c-dafb-4640-975a-3af8d1d63a27",
  "roleDefinitionId": "644ef478-e28f-4e28-b9dc-3fdde9aa0b1f",
  "subjectId": "1972af6f-fa92-441e-865a-615b4485f426",
  "type": "AdminAdd",
  "assignmentState": "Eligible",
  "schedule": {
    "startDateTime": "2021-04-27T02:19:11.77+05:30",
    "endDateTime": "2021-07-26T02:19:11.77+05:30",
    "type": "Once"
  }
}
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
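The three steps in the answer above (authorization request, code redemption, Graph roleAssignmentRequests call), as an added example that is not part of the original answer. It builds the same requests with the standard library only and, before calling Graph, checks that the issued access token actually carries PrivilegedAccess.ReadWrite.AzureAD in its scp claim, so a missing scope fails locally instead of coming back as UnauthorizedAccessException. The tenant, client, role and subject IDs are placeholders, the JWT and Graph reply used in the dry run are constructed fixtures, and decode_jwt_claims only reads the payload without verifying the signature.

```python
# Added example (not code from the answer above). The tenant, client, role and
# subject IDs are placeholders; the endpoints, scope names and body shape follow the answer.
import base64
import io
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

AUTHORITY = "https://login.microsoftonline.com"
ROLE_ASSIGNMENT_REQUESTS = "https://graph.microsoft.com/beta/privilegedAccess/aadRoles/roleAssignmentRequests"
REQUIRED_SCOPE = "PrivilegedAccess.ReadWrite.AzureAD"  # needed for AAD role assignment requests


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Step 1: the URL the user signs in at. Reuse the same redirect_uri in step 2."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": " ".join(scopes), "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def build_token_request(tenant, client_id, redirect_uri, scopes, code, client_secret=None):
    """Step 2: (url, form body) that redeems the code; client_secret only for web apps."""
    body = {"client_id": client_id, "scope": " ".join(scopes), "code": code,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code"}
    if client_secret:
        body["client_secret"] = client_secret
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", urllib.parse.urlencode(body).encode()


def decode_jwt_claims(token):
    """Read a JWT payload without verifying it: fine for inspecting a token we are
    about to send, never for accepting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_delegated_scope(access_token, scope):
    """Delegated permissions are space-separated in the 'scp' claim."""
    return scope in decode_jwt_claims(access_token).get("scp", "").split()


def build_eligible_assignment(tenant_id, role_definition_id, subject_id, start=None, days=90):
    """AdminAdd / Eligible request with a one-off schedule, the shape used in the answer."""
    start = start or datetime.now(timezone.utc)
    return {"resourceId": tenant_id, "roleDefinitionId": role_definition_id,
            "subjectId": subject_id, "type": "AdminAdd", "assignmentState": "Eligible",
            "schedule": {"startDateTime": start.isoformat(),
                         "endDateTime": (start + timedelta(days=days)).isoformat(),
                         "type": "Once"}}


def submit_role_assignment_request(access_token, body, opener=urllib.request.urlopen):
    """Step 3: POST to Graph, failing fast when the token lacks the scope instead of
    waiting for Graph's UnauthorizedAccessException."""
    if not has_delegated_scope(access_token, REQUIRED_SCOPE):
        raise PermissionError(f"token lacks {REQUIRED_SCOPE}; request consent for it in 'scope'")
    req = urllib.request.Request(ROLE_ASSIGNMENT_REQUESTS, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with opener(req) as resp:
        return json.loads(resp.read())


# Constructed fixtures so the flow can be exercised offline; not real tokens or Graph replies.
def make_unsigned_token(claims):
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def fake_graph_opener(req):
    """Stand-in for urllib.request.urlopen returning a constructed 'request created' reply."""
    assert req.get_method() == "POST" and req.full_url == ROLE_ASSIGNMENT_REQUESTS
    return io.BytesIO(json.dumps({"id": "constructed-request-id", "status": "Provisioned"}).encode())


def dry_run():
    """Walk the three steps with placeholder IDs; returns what each step produced."""
    scopes = [REQUIRED_SCOPE, "Directory.AccessAsUser.All"]
    app, redirect = "00000000-0000-0000-0000-000000000001", "https://jwt.ms"
    url = build_authorize_url("contoso.onmicrosoft.com", app, redirect, scopes, state="12345")
    _, form = build_token_request("contoso.onmicrosoft.com", app, redirect, scopes, code="placeholder-code")
    body = build_eligible_assignment("tenant-id", "role-template-id", "principal-object-id",
                                     start=datetime(2021, 4, 27, tzinfo=timezone.utc))
    without_scope = make_unsigned_token({"scp": "Directory.AccessAsUser.All"})
    with_scope = make_unsigned_token({"scp": " ".join(scopes)})
    try:
        submit_role_assignment_request(without_scope, body, opener=fake_graph_opener)
        rejected = False
    except PermissionError:
        rejected = True
    reply = submit_role_assignment_request(with_scope, body, opener=fake_graph_opener)
    return {"authorize_url": url, "token_form": form.decode(), "body": body,
            "rejected_without_scope": rejected, "reply": reply}


if __name__ == "__main__":
    print(json.dumps(dry_run(), indent=2))
```

For a real run, replace the placeholders, send the user to the authorize URL, redeem the returned code with build_token_request, and pass the resulting access_token to submit_role_assignment_request with the default opener; the scope check is the part worth keeping, since a token issued without PrivilegedAccess.ReadWrite.AzureAD is exactly the case that produces the UnauthorizedAccessException quoted in the answer.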