Cannot assign Mail.Send Graph API permission to Managed Identity using Graph API

Alistair Young 51 Reputation points
2022-06-28T06:48:42.09+00:00

I've been using the Graph API Explorer to add Mail.Send permissions to a Managed Identity but nothing happens. There isn't an error (200 OK) but the permissions in Azure AD Enterprise Apps for the Managed Identity never show.

```http
POST https://graph.microsoft.com/v1.0/servicePrincipals/MANAGED_IDENTITY_ID/appRoleAssignedTo

{
  "principalId": "MANAGED_IDENTITY_ID",
  "resourceId": "GRAPH_API_ID",
  "appRoleId": "MAIL_SEND_APP_ROLE_ID"
}
```

The above doesn't return an error (but it doesn't return 201 Created) and no appRoles or permissions are affected.

Is there another way of using the Graph API to do this?

```http
GET https://graph.microsoft.com/v1.0/servicePrincipals/MANAGED_IDENTITY_ID/appRoleAssignedTo
```

shows empty roles.

The Mail.Send permission states:

```json
"allowedMemberTypes": [
    "Application"
],
```

and the Managed Identity is an Azure AD Application so it should be acceptable to give it this permission.
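The request shapes involved are easy to get subtly wrong, so here is an added example (not code from the original post or from Microsoft) that builds the grant the documented way and verifies it afterwards. It assumes the Graph endpoints `GET /servicePrincipals?$filter=appId eq '<appId>'`, `GET /servicePrincipals/{id}`, `GET/POST /servicePrincipals/{id}/appRoleAssignments` and the well-known Microsoft Graph application id `00000003-0000-0000-c000-000000000000`; the `resourceId` in the body must be the object id of the Graph service principal in your tenant (not its appId), and a successful grant returns `201 Created`. The service-principal JSON, role ids and assignment list below are constructed sample data so the script runs offline; with `GRAPH_TOKEN` and `MANAGED_IDENTITY_ID` set it performs the live flow instead.

```python
"""Grant Mail.Send (application permission) to a managed identity and verify it.

Added example for this thread; not the original poster's code. Sample data is
constructed. Mail.Send as an application permission lets the principal send mail
as any mailbox in the tenant, so check the grant is the one you intended.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known application (client) id of the Microsoft Graph service principal.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample objects standing in for real Graph responses.
SAMPLE_MAIL_SEND_ROLE_ID = "aaaaaaaa-0000-0000-0000-000000000001"  # placeholder
SAMPLE_GRAPH_SP = {
    "id": "11111111-2222-3333-4444-555555555555",  # placeholder object id
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": SAMPLE_MAIL_SEND_ROLE_ID, "value": "Mail.Send",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Mail.Read",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
    ],
}
SAMPLE_ASSIGNMENTS = {"value": [
    {"principalId": "MANAGED_IDENTITY_ID", "resourceId": SAMPLE_GRAPH_SP["id"],
     "appRoleId": SAMPLE_MAIL_SEND_ROLE_ID},
]}


def find_app_role(graph_sp, value):
    """Return the id of the appRole named `value` on the Graph service principal.

    Only roles whose allowedMemberTypes include "Application" can be granted to a
    service principal such as a managed identity; delegated scopes live under
    oauth2PermissionScopes and would be the wrong object to reference.
    """
    for role in graph_sp.get("appRoles", []):
        if role.get("value") == value:
            if "Application" not in role.get("allowedMemberTypes", []):
                raise ValueError(f"{value} is not an application permission")
            if not role.get("isEnabled", True):
                raise ValueError(f"{value} app role is disabled")
            return role["id"]
    raise LookupError(f"app role {value!r} not found")


def build_assignment_request(principal_id, resource_sp_id, role_id):
    """Return (method, url, body) for granting an app role to a service principal.

    The POST targets the principal's own appRoleAssignments collection (posting
    to the resource's appRoleAssignedTo collection is the documented equivalent).
    """
    url = f"{GRAPH}/servicePrincipals/{principal_id}/appRoleAssignments"
    body = {"principalId": principal_id, "resourceId": resource_sp_id, "appRoleId": role_id}
    return "POST", url, body


def has_assignment(assignments, resource_sp_id, role_id):
    """True if a GET on .../appRoleAssignments already lists this grant."""
    return any(a.get("resourceId") == resource_sp_id and a.get("appRoleId") == role_id
               for a in assignments.get("value", []))


def call_graph(token, method, url, body=None):
    """Minimal Graph call; returns (status, parsed JSON or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            payload = resp.read()
            return resp.status, (json.loads(payload) if payload else {})
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def main():
    token, mi_id = os.environ.get("GRAPH_TOKEN"), os.environ.get("MANAGED_IDENTITY_ID")
    if not token or not mi_id:
        # Offline run on the constructed sample: show the request that would be sent.
        role_id = find_app_role(SAMPLE_GRAPH_SP, "Mail.Send")
        print(build_assignment_request("MANAGED_IDENTITY_ID", SAMPLE_GRAPH_SP["id"], role_id))
        return
    # 1. Resolve the tenant's Graph service principal object id from the well-known appId.
    flt = urllib.parse.quote(f"appId eq '{GRAPH_APP_ID}'")
    _, found = call_graph(token, "GET", f"{GRAPH}/servicePrincipals?$filter={flt}")
    graph_sp_id = found["value"][0]["id"]
    _, graph_sp = call_graph(token, "GET", f"{GRAPH}/servicePrincipals/{graph_sp_id}")
    role_id = find_app_role(graph_sp, "Mail.Send")
    # 2. Skip if already granted, otherwise POST and expect 201 Created.
    _, current = call_graph(token, "GET", f"{GRAPH}/servicePrincipals/{mi_id}/appRoleAssignments")
    if has_assignment(current, graph_sp_id, role_id):
        print("Mail.Send already assigned")
        return
    status, resp = call_graph(token, *build_assignment_request(mi_id, graph_sp_id, role_id))
    print("expected 201, got", status, resp.get("id") or resp.get("error"))


if __name__ == "__main__":
    main()
```

The verification step matters as much as the grant: reading back `appRoleAssignments` on the managed identity is what the Enterprise Applications blade reflects, and a missing entry there means no permission was granted regardless of the HTTP status the explorer showed.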

Alistair 1 Reputation point
2022-06-28T09:16:17.18+00:00

Turned out the admin who was using the explorer wasn't using it in the correct way.
