Turned out the admin who was using the explorer wasn't using it in the correct way
Cannot assign Mail.Send Graph API permission to Managed Identity using Graph API
Alistair Young, 51 Reputation points
I've been using the Graph API Explorer to add Mail.Send permissions to a Managed Identity, but nothing happens. There isn't an error (200 OK), but the permissions in Azure AD Enterprise Apps for the Managed Identity never show up.
POST
https://graph.microsoft.com/v1.0/servicePrincipals/MANAGED_IDENTITY_ID/appRoleAssignedTo
{
"principalId": "MANAGED_IDENTITY_ID",
"resourceId": "GRAPH_API_ID",
"appRoleId": "MAIL_SEND_APP_ROLE_ID"
}
The above doesn't return an error (but it doesn't return 201 Created either), and no appRoles or permissions are affected.
Is there another way of using the Graph API to do this?
GET
https://graph.microsoft.com/v1.0/servicePrincipals/MANAGED_IDENTITY_ID/appRoleAssignedTo
shows empty roles.
The Mail.Send permission states:
"allowedMemberTypes": [
"Application"
],
and the Managed Identity is an Azure AD Application, so it should be acceptable to give it this permission.
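The flow the question describes, as an added example (not code from the original post or from Microsoft): it resolves the Microsoft Graph service principal in the tenant, looks up the Mail.Send application role by its `value` rather than a hard-coded id, creates the assignment with the documented call (POST on the resource service principal's `appRoleAssignedTo`, with the managed identity as `principalId`; the equivalent `POST /servicePrincipals/{managed-identity-sp-id}/appRoleAssignments` also works), and then reads the assignment back from the managed identity's side. The check that matters for the symptom in the question is the status code: a successful create is `201 Created` with the new `appRoleAssignment` echoed back, so a `200 OK` with nothing in the body is treated as failure rather than success. It assumes a bearer token obtained elsewhere with `AppRoleAssignment.ReadWrite.All` and `Application.Read.All`, and the object id of the managed identity's service principal. The GUIDs and the `make_fake_send` stand-in for Graph are constructed so the script runs offline; `graph_request` is the live transport.

```python
"""Assign Microsoft Graph's Mail.Send application permission to a managed identity
and verify the appRoleAssignment landed. Added example, not the original post's code."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's appId, same in every tenant


def graph_request(token, method, path, body=None):
    """Minimal live Graph caller: returns (http_status, parsed JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def find_app_role_id(app_roles, value):
    """Resolve an appRole id by its 'value' (e.g. 'Mail.Send'); only enabled roles
    that applications (allowedMemberTypes contains 'Application') may hold qualify."""
    for role in app_roles:
        if role.get("value") != value:
            continue
        if "Application" not in role.get("allowedMemberTypes", []):
            raise LookupError(f"{value} is not an application permission")
        if not role.get("isEnabled", True):
            raise LookupError(f"{value} is disabled on the resource service principal")
        return role["id"]
    raise LookupError(f"no appRole named {value!r} on the resource service principal")


def build_assignment(mi_sp_id, graph_sp_id, app_role_id):
    """Documented create call: POST on the *resource* (Graph) service principal's
    appRoleAssignedTo, naming the managed identity's service principal as principalId."""
    path = f"/servicePrincipals/{graph_sp_id}/appRoleAssignedTo"
    body = {"principalId": mi_sp_id, "resourceId": graph_sp_id, "appRoleId": app_role_id}
    return path, body


def check_create_response(status, body, mi_sp_id, app_role_id):
    """Success is 201 Created with the assignment echoed back; a 200 with no body
    (the symptom in the question) means nothing was assigned."""
    if status != 201 or not body:
        raise RuntimeError(f"appRoleAssignment was not created (HTTP {status}): {body}")
    if body.get("principalId") != mi_sp_id or body.get("appRoleId") != app_role_id:
        raise RuntimeError(f"unexpected assignment echoed back: {body}")
    return body["id"]


def is_assigned(assignments, resource_sp_id, app_role_id):
    """True if the listed assignments already contain this role on this resource."""
    return any(a.get("resourceId") == resource_sp_id and a.get("appRoleId") == app_role_id
               for a in assignments)


def assign_mail_send(token, mi_sp_id, send=graph_request):
    """Find Graph's SP, resolve Mail.Send, create the assignment, read it back."""
    query = urllib.parse.urlencode({"$filter": f"appId eq '{GRAPH_APP_ID}'", "$select": "id,appRoles"})
    status, page = send(token, "GET", "/servicePrincipals?" + query)
    if status != 200 or not page or not page.get("value"):
        raise RuntimeError(f"could not find the Microsoft Graph service principal (HTTP {status})")
    graph_sp = page["value"][0]
    role_id = find_app_role_id(graph_sp["appRoles"], "Mail.Send")
    path, body = build_assignment(mi_sp_id, graph_sp["id"], role_id)
    status, resp = send(token, "POST", path, body)
    assignment_id = check_create_response(status, resp, mi_sp_id, role_id)
    # Verify from the principal's side, which is what the question's GET was checking.
    status, listing = send(token, "GET", f"/servicePrincipals/{mi_sp_id}/appRoleAssignments")
    if status != 200 or not is_assigned((listing or {}).get("value", []), graph_sp["id"], role_id):
        raise RuntimeError("assignment not visible on the managed identity after create")
    return assignment_id


# Constructed offline stand-in for Graph so the flow can run without a tenant.
SAMPLE_GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"       # constructed
SAMPLE_MI_SP_ID = "22222222-2222-2222-2222-222222222222"          # constructed
SAMPLE_MAIL_SEND_ROLE_ID = "33333333-3333-3333-3333-333333333333"  # constructed; real id is looked up by value


def make_fake_send(create_status=201):
    """Stand-in for graph_request: one Graph SP with Mail.Send; create_status=200
    reproduces the 'no error, nothing assigned' behaviour from the question."""
    created = []

    def fake_send(token, method, path, body=None):
        if method == "GET" and path.startswith("/servicePrincipals?"):
            roles = [{"id": SAMPLE_MAIL_SEND_ROLE_ID, "value": "Mail.Send", "isEnabled": True,
                      "allowedMemberTypes": ["Application"]}]
            return 200, {"value": [{"id": SAMPLE_GRAPH_SP_ID, "appRoles": roles}]}
        if method == "POST" and path.endswith("/appRoleAssignedTo"):
            if create_status != 201:
                return create_status, None
            created.append(dict(body, id="assignment-1"))
            return 201, created[-1]
        if method == "GET" and path.endswith("/appRoleAssignments"):
            return 200, {"value": created}
        return 404, None
    return fake_send


if __name__ == "__main__":
    print("created:", assign_mail_send("fake-token", SAMPLE_MI_SP_ID, send=make_fake_send()))
```

To run it against a real tenant, call `assign_mail_send(token, managed_identity_sp_object_id)` with the default transport; the role lookup by `value` avoids pasting an appRole GUID, and the read-back GET is the same check the question used, so an assignment that "succeeded" with a 200 and no body is reported as the failure it is.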