The reference target 'Application_xxxx-xxxx-xxxx' of type 'Application' is invalid for the 'owners' reference.

Apurva Pathak 610 Reputation points
2024-05-13T16:26:45.3366667+00:00

Hi folks,

I am trying to add an application as an owner to a few Azure AD groups but am encountering the error message below:

"The reference target 'Application_xxxx-xxxx-xxxx' of type 'Application' is invalid for the 'owners' reference."

I tried with the AzureAD PS module (Add-AzureADGroupOwner) as well as MS Graph (New-MgGroupOwnerByRef), but neither works; both throw the same error.

When I try to add the same app as owner manually through the GUI (in the Azure AD portal), that works fine.

Can anyone please help me with this?

Thanks in advance!

Apurva


Accepted answer
  1. Hitesh Pachipulusu - MSFT 3,000 Reputation points Microsoft Vendor
    2024-05-13T17:33:21.6066667+00:00

    Hello @Apurva Pathak ,

    It seems like you're encountering an issue when trying to add an application as an owner to an Azure AD group.

    Azure AD does not support adding applications as owners to groups directly. Instead, you should add the service principal of the application as the owner. The service principal represents the application in the directory and has a different object ID from the application object ID in app registrations.

    Here’s what you can try:

    Obtain the Object ID of the service principal associated with your application. You can find this in the Enterprise Applications section of the Azure portal.

    Use the Object ID of the service principal to add it as an owner to the Azure AD group.

    For example, using Microsoft Graph API, your request would look something like this:

    POST https://graph.microsoft.com/v1.0/groups/{GroupObjectID}/owners/$ref
    Content-type: application/json

    {
      "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{ObjectIdOfServicePrincipal}"
    }

    Make sure to replace {GroupObjectID} with the actual object ID of the group and {ObjectIdOfServicePrincipal} with the object ID of the service principal.

    You can use the above Graph API call with the Invoke-RestMethod PowerShell command or in Graph Explorer.

    For your reference: https://learn.microsoft.com/en-us/graph/api/group-post-owners?view=graph-rest-1.0&tabs=http and https://stackoverflow.com/questions/70167600/microsoft-graph-addowner-api-does-not-let-me-add-an-application-as-group-owner

    I tried in my environment using Graph Explorer.


    Hope this helps. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
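The lookup-then-add flow from the accepted answer as a PowerShell script using the Microsoft.Graph module (an added example, not code from the original answer). It assumes the module is installed and that $AppId and $GroupId are placeholders for the app registration's application (client) ID and the group's object ID; it resolves the service principal by appId so the Application object ID is never used, and it verifies the owner list afterwards instead of trusting the absence of an error.

```powershell
# Added example (not from the original answer): add an application's service
# principal, rather than the Application object, as owner of a group.
# Placeholders: replace with your own values.
$AppId   = '00000000-0000-0000-0000-000000000000'   # application (client) ID of the app registration
$GroupId = '11111111-1111-1111-1111-111111111111'   # object ID of the target group

# Group.ReadWrite.All is needed to change owners; Application.Read.All to resolve the service principal.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All'

# The app registration's ObjectId is the Application object and is rejected by /owners/$ref.
# The Enterprise Application (service principal) has its own object ID; look it up by appId.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    throw "No service principal found for appId $AppId. Create the enterprise application first."
}

# Idempotency check: skip if the service principal is already an owner.
$existing = Get-MgGroupOwner -GroupId $GroupId -All
if ($existing.Id -contains $sp.Id) {
    Write-Host "Service principal $($sp.DisplayName) ($($sp.Id)) is already an owner of group $GroupId."
    return
}

# Same request the answer shows: POST /groups/{id}/owners/$ref with an @odata.id that
# points at the directoryObjects entry of the service principal, not the application.
$body = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)" }
New-MgGroupOwnerByRef -GroupId $GroupId -BodyParameter $body

# Verify the change from the directory rather than from the absence of an error.
$owners = Get-MgGroupOwner -GroupId $GroupId -All
if ($owners.Id -contains $sp.Id) {
    Write-Host "Added service principal $($sp.DisplayName) ($($sp.Id)) as owner of group $GroupId."
} else {
    throw "Owner add reported success but $($sp.Id) is not listed among the group's owners."
}
```

Running this against an Application object ID instead of the service principal's ID reproduces the "reference target ... of type 'Application' is invalid for the 'owners' reference" error from the question, which is why the script resolves the ID by appId rather than taking it as input.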


1 additional answer

  1. Apurva Pathak 610 Reputation points
    2024-08-22T15:46:19.3866667+00:00

    It got fixed after using the ObjectId of the Enterprise Application.
