TechQA.

Azure AD: Grant an appRoleAssignment for a service principal is failing with "code": "Request_ResourceNotFound"

2.8k views Asked by At

I am trying to create a "service principal" for application and to grant admin consent for the permissions using Microsoft graph API.

I followed the following steps:

  1. Created application in a tenant using graph API. My request body is:

    {
  "displayName": "AppWithPermissions",
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
      "resourceAccess": [
        {
          "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
          "type": "Role"
        }
      ]
    }
  ]
}

  2. Created a service principal for the above-created application. The creation was successful.

  3. Now, I want to grant admin consent to each assigned permission programmatically using graph API.

  4. To grant application permissions, I created an app role assignment in the appRoleAssignedTo collection of the API's service principal: The request was as follows:

    Post request:

    https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo

    Request body:

    {
    "principalId": "principal_id",
    "resourceId": "resource_id",
    "appRoleId": "approle_id"
}

Here,

  1. "principal_id" is the "id" of service principal created in step 2 above.
  2. "approle_id" is the id of the appRole you want to grant. (taken "id" value from "resourceAccess" array present in "requiredResourceAccess")
  3. "id" in http request url and "resource_id" are the same. (taken "resourceAppId" value from "requiredResourceAccess" which is corresponds to "approle_id" given above)

After running the query, I am getting error 404. "code": "Request_ResourceNotFound" for the "resource_id"/"id" field.

  • Adding screenshots for better understandings:
  1. App Creation:

enter image description here

  1. service principal creation:

enter image description here

  1. Grant an appRoleAssignment for a service principal:

enter image description here

I am confused about which IDs to use where and didn't get a clear idea from the documentations. Can any one please resolve my query? Thanks in advance.

azure-active-directory microsoft-graph-api azure-service-principal
Original Q&A
2

There are 2 answers

6
Philippe Signoret On BEST ANSWER

It looks like you're using the appId instead of the id value.

In an app role assignment, resourceId is the id of the servicePrincipal for the resource app (in your case, the API). In an application object's requiredResourceAccess, you use appId, which is a different value.

To find the id of a service principal for which you know the appId:

GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '{app-id}'

The response will contain the id property of the servicePrincipal object, and you can use that when creating the app role assignment.

5
Carl Zhao On

The document description is not very clear.

In simple terms:

principalId: Usually your service principal id.

resourceId: Usually your service principal id.

appRoleId: For appRoleId you can find it by requesting GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}. enter image description here

Grant an appRoleAssignment for a service principal: enter image description here

Related Questions in AZURE-ACTIVE-DIRECTORY

Related Questions in MICROSOFT-GRAPH-API

Related Questions in AZURE-SERVICE-PRINCIPAL

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions