
MS Graph API - failing to create Service Principal for just created Application in B2C

Diego Barnech 20 Reputation points
2026-05-07T13:12:05.1166667+00:00

I have been doing this process for years now. All is scripted and running with Azure Pipelines.

There is a set of scripts that, at a very high level, do the following:

  1. Gets an MS Graph access token using client credentials (there is a pre-created Application that has full access to the B2C)
  2. Checks the desired Application exists using MS Graph API (filter by display name)
  3. If the Application does not exist
    1. Invokes the MS Graph to create the application, using a manifest JSON file
      1. Got valid response, Application 'testapp1' created with ID 443038c5-b192-4c2e-bca4-a6a30d228c4e and App ID d9acb82c-981d-465c-aabc-1090917b4842.
    2. Invokes the MS Graph to create the service principal for the just created application (using the appId returned from previous step)
      1. EXCEPTION: An unexpected error occurred: Microsoft Graph request failed: POST https://graph.microsoft.com/v1.0/servicePrincipals returned HTTP 400: {"error":{"code":"Request_BadRequest","message":"The appId 'd9acb82c-981d-465c-aabc-1090917b4842' of the service principal does not reference a valid application object.","details":[{"code":"NoBackingApplicationObject","message":"The appId 'd9acb82c-981d-465c-aabc-1090917b4842' of the service principal does not reference a valid application object.","target":"appId","blockedWord":"","prefix":"","suffix":""}],"innerError":{"date":"2026-05-07T12:52:47","request-id":"04bc5a7a-92cb-4653-a9e4-732f94f5aeea","client-request-id":"04bc5a7a-92cb-4653-a9e4-732f94f5aeea"}}}

Is there anything wrong with this approach?

Should I now "wait" before calling the servicePrincipals creation?

Is this a bug?

Microsoft Security | Microsoft Graph

Answer accepted by question author

AI answer

2026-05-07T13:12:21.52+00:00

The approach is correct, but the failure indicates that the tenant doesn’t yet “know” about the application when the service principal is being created.

The error

The appId '…' of the service principal does not reference a valid application object. code: NoBackingApplicationObject

means Microsoft Graph cannot find a backing application object for the appId supplied when calling POST /servicePrincipals.

From the documented behavior of POST /servicePrincipals, the request body must contain a valid appId that already exists as an application in the same tenant:

POST https://graph.microsoft.com/v1.0/servicePrincipals
Content-type: application/json

{
  "appId": "65415bb1-9267-4313-bbf5-ae259732ee12"
}

If that appId does not resolve to an existing application, Graph returns a bad request, as in the error seen.

This typically happens when:

  • The application was just created and the directory has not fully propagated the object yet, or
  • The application was created in a different tenant than the one where the service principal is being created, or
  • The appId value passed is not exactly the one of the created application.

Given that the scripts create the application immediately before creating the service principal, this is most likely a propagation/timing issue.

To make the process reliable:

  1. After creating the application, explicitly confirm that the application is visible in Microsoft Graph using its appId or id before creating the service principal, for example by calling GET /applications?$filter=appId eq '{appId}'.
  2. If the application is not returned, implement a short retry loop with backoff (for example, retry every few seconds up to a reasonable timeout) until the application is found.
  3. Only when the application is successfully retrieved, call POST /servicePrincipals with the same appId.

This avoids relying on immediate consistency and removes the need for an arbitrary fixed “sleep,” while handling transient directory propagation delays.

Note that in Azure AD B2C scenarios, service principals are created the same way as in standard tenants; the requirement remains that the appId must reference an existing application object in that tenant.

This behavior is not documented as a bug; it is consistent with the requirement that POST /servicePrincipals must reference an existing application and with the eventual consistency of directory operations.

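The create-then-poll-then-create flow recommended in the answer, as an added Python example that is not part of the original post and not Microsoft's SDK. It assumes a plain `send(method, url, body)` transport: `urllib_send` is a stdlib implementation for use with a real bearer token, and `FakeGraph` is a constructed stand-in that models the eventual-consistency window (the application is not readable, and cannot back a service principal, until a few reads later) so the whole flow can be exercised offline, including reproducing the `NoBackingApplicationObject` failure when the wait is skipped.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


class GraphError(Exception):
    """Carries the HTTP status, top-level error code and the detail codes of a Graph error."""
    def __init__(self, status, err):
        self.status, self.code = status, err.get("code")
        self.detail_codes = [d.get("code") for d in err.get("details", [])]
        super().__init__(f"HTTP {status} {self.code}: {err.get('message')}")


def urllib_send(token):
    """Real transport (assumed usage): returns send(method, url, body) -> (status, json body)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as e:
            return e.code, json.loads(e.read() or b"{}")
    return send


def wait_for_application(send, app_id, timeout=60.0, base_delay=2.0, sleep=time.sleep):
    """Poll GET /applications?$filter=appId eq '{appId}' with exponential backoff until the
    directory returns the object; raise TimeoutError if it never shows up within `timeout`."""
    flt = urllib.parse.quote(f"appId eq '{app_id}'")
    deadline = time.monotonic() + timeout
    delay, polls = base_delay, 0
    while True:
        polls += 1
        status, body = send("GET", f"{GRAPH}/applications?$filter={flt}")
        if status == 200 and body.get("value"):
            return body["value"][0], polls
        if time.monotonic() >= deadline:
            raise TimeoutError(f"application {app_id} not visible after {polls} polls")
        sleep(delay)
        delay = min(delay * 2, 15.0)  # back off, capped at 15 s


def create_service_principal(send, app_id):
    """POST /servicePrincipals with the appId; surfaces Graph's error codes on failure."""
    status, body = send("POST", f"{GRAPH}/servicePrincipals", {"appId": app_id})
    if status >= 400:
        raise GraphError(status, body.get("error", {}))
    return body


def create_app_and_sp(send, manifest, timeout=60.0, sleep=time.sleep):
    """Create the application, wait until Graph can read it back, then create its SP."""
    status, app = send("POST", f"{GRAPH}/applications", manifest)
    if status >= 400:
        raise GraphError(status, app.get("error", {}))
    visible, polls = wait_for_application(send, app["appId"], timeout=timeout, sleep=sleep)
    return app, create_service_principal(send, visible["appId"]), polls


class FakeGraph:
    """Constructed offline stand-in: a new application only becomes readable (and usable as
    the backing object of a service principal) after `lag` filtered reads of it."""
    def __init__(self, lag=3):
        self.lag, self.apps, self.reads = lag, {}, {}

    def __call__(self, method, url, body=None):
        path = url[len(GRAPH):]
        if method == "POST" and path == "/applications":
            app_id = f"00000000-0000-4000-8000-{len(self.apps):012d}"  # constructed appId
            self.apps[app_id] = {"id": "obj-" + app_id, "appId": app_id,
                                 "displayName": body["displayName"]}
            self.reads[app_id] = 0
            return 201, self.apps[app_id]
        if method == "GET" and path.startswith("/applications?$filter="):
            app_id = urllib.parse.unquote(path.split("=", 1)[1]).split("'")[1]
            self.reads[app_id] = self.reads.get(app_id, 0) + 1
            visible = app_id in self.apps and self.reads[app_id] > self.lag
            return 200, {"value": [self.apps[app_id]] if visible else []}
        if method == "POST" and path == "/servicePrincipals":
            app_id = body["appId"]
            if app_id not in self.apps or self.reads.get(app_id, 0) <= self.lag:
                return 400, {"error": {"code": "Request_BadRequest",
                             "message": f"The appId '{app_id}' of the service principal does "
                                        "not reference a valid application object.",
                             "details": [{"code": "NoBackingApplicationObject", "target": "appId"}]}}
            return 201, {"id": "sp-" + app_id, "appId": app_id}
        return 404, {"error": {"code": "Request_ResourceNotFound", "message": path}}


if __name__ == "__main__":
    app, sp, polls = create_app_and_sp(FakeGraph(lag=3), {"displayName": "testapp1"},
                                       sleep=lambda s: None)
    print(f"SP {sp['id']} created for appId {app['appId']} after {polls} polls")
```

Against a real tenant you would call `create_app_and_sp(urllib_send(token), manifest)` with the token from the client-credentials step; the poll loop bounds the wait with a deadline rather than a fixed sleep, and a `GraphError` whose `detail_codes` contains `NoBackingApplicationObject` after a successful wait would point at the other two causes the answer lists (wrong tenant or wrong appId) rather than propagation.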

0 additional answers
