5
votes

TL;DR: We are creating an AAD application using the Microsoft Graph API. The application has some requiredResourceAccess entries, one of which requires access to Microsoft Graph. After we create the application we want to assign the roles to the service principal using the appRoleAssignments object. The object requires the resourceId, which is the objectId (e.g. of Microsoft Graph) that I try to determine.

We are using the Graph API itself to get the service principals using: https://graph.windows.net/<tenant>/servicePrincipals?api-version=1.6 but somehow Microsoft Graph is missing:

Windows Azure Active Directory
Microsoft App Access Panel
Azure Classic Portal
Microsoft.SMIT
Office 365 Configure
Windows Azure Service Management API
Microsoft.SupportTicketSubmission
Azure ESTS Service
Signup
Microsoft password reset service

I need to determine the ObjectId of the Microsoft Graph Service Principal. Starting with a fresh AAD, it seems like there is no Microsoft Graph Principal:

Get-MsolServicePrincipal -AppPrincipalId 00000003-0000-0000-c000-000000000000

Output

Get-MsolServicePrincipal : Service principal was not found.

How to determine the ObjectId of Microsoft Graph (preferably using the graph.windows.net API)?


Edit 1:

As suggested by Fei Xue, creating the Service Principal via REST using:

POST: https://graph.windows.net/{tenantId}/servicePrincipals?api-version=1.6

Authorization: Bearer {access_token}

{
  "appId": "00000003-0000-0000-c000-000000000000",
  "accountEnabled": true
}

Gives me a 400 (Bad Request) error code:


2 Answers

5
votes

I need to determine the ObjectId of the Microsoft Graph Service Principal. Starting with a fresh AAD, it seems like there is no Microsoft Graph Principal:

The service principal of a multi-tenant app (Microsoft Graph) that is registered in another tenant is created only after a user grants consent to the app. This is the reason why you are not able to find it in a fresh tenant.

To get the object id of Microsoft Graph, you need to register an app and grant it Microsoft Graph permissions, as in the figure below:

After that the Get-MsolServicePrincipal command should work for you (note: you may need to wait a few seconds after you grant the permission).

For more detail about service principals, you can refer to this document.

Update

POST: https://graph.windows.net/{tenantId}/servicePrincipals?api-version=1.6

Authorization: Bearer {access_token}

{
  "appId": "00000003-0000-0000-c000-000000000000",
  "accountEnabled": true
}

Update2

The REST call above uses the app (1950a258-227b-4e31-a9cf-717495945fc2), which is registered in the Microsoft tenant, to acquire the token. To create the service principal for Microsoft Graph programmatically, we can call the New-AzureRMADServicePrincipal command.

Here is a C# code sample that works well for me:

using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security;

// Requires a reference to System.Management.Automation and the AzureRM PowerShell module.
// The original try/catch only rethrew the exception, so it is omitted here.
static void CreateGraphServicePrincipal()
{
    var userName = "";   // Azure AD user name (fill in)
    var password = "";   // password (fill in; supply at runtime rather than hard-coding)
    var securePassword = new SecureString();
    foreach (char c in password)
    {
        securePassword.AppendChar(c);
    }

    // Create Initial Session State for runspace.
    InitialSessionState initialSession = InitialSessionState.CreateDefault();
    // Create credential object.
    PSCredential credential = new PSCredential(userName, securePassword);
    // Create command to log in to Azure.
    Command connectCommand = new Command("Login-AzureRmAccount");
    connectCommand.Parameters.Add(new CommandParameter("Credential", credential));
    // Create command to create the Microsoft Graph service principal from its well-known appId.
    Command createSP = new Command("New-AzureRMADServicePrincipal");
    createSP.Parameters.Add(new CommandParameter("ApplicationId", "00000003-0000-0000-c000-000000000000"));
    using (Runspace psRunSpace = RunspaceFactory.CreateRunspace(initialSession))
    {
        // Open runspace.
        psRunSpace.Open();

        // Iterate through each command and execute it in its own pipeline.
        foreach (var com in new Command[] { connectCommand, createSP })
        {
            var pipe = psRunSpace.CreatePipeline();
            pipe.Commands.Add(com);
            pipe.Invoke();
        }
        // Close the runspace.
        psRunSpace.Close();
    }
}
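The question asks for the Graph service principal's objectId via graph.windows.net, and the answer above explains that the principal only exists once consent was granted or it was created explicitly. The following PowerShell ties the two together as an added example; it is not code from the question or the answers. It assumes an already established AzureRM session (Login-AzureRmAccount) for the creation step, a bearer token for AAD Graph in $AccessToken, and placeholder values for the tenant id, your own app's service principal objectId and the app role id. The function names are made up for this example; the cmdlets and the 1.6 endpoint are the ones the page already uses.

```powershell
# Added example, not from the page. Well-known appId of Microsoft Graph (from the page).
$GraphAppId = '00000003-0000-0000-c000-000000000000'

function Get-ServicePrincipalObjectIdByAppId {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $AppId
    )
    # Filter server-side on appId instead of listing every principal and matching
    # display names: the name can change, the appId cannot.
    $uri = "https://graph.windows.net/$TenantId/servicePrincipals?api-version=1.6&`$filter=appId eq '$AppId'"
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $matches = @($response.value)
    if ($matches.Count -eq 0) { return $null }
    return $matches[0].objectId
}

function Get-MicrosoftGraphServicePrincipalId {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $AccessToken,
        [int] $TimeoutSeconds = 60
    )
    $objectId = Get-ServicePrincipalObjectIdByAppId -TenantId $TenantId -AccessToken $AccessToken -AppId $GraphAppId
    if ($objectId) { return $objectId }

    # Fresh tenant: the principal does not exist until consent is granted or it is
    # created explicitly. Create it from the well-known appId, as the answer does.
    New-AzureRmADServicePrincipal -ApplicationId $GraphAppId | Out-Null

    # Propagation takes a few seconds; poll rather than assume the next read succeeds.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 5
        $objectId = Get-ServicePrincipalObjectIdByAppId -TenantId $TenantId -AccessToken $AccessToken -AppId $GraphAppId
        if ($objectId) { return $objectId }
    }
    throw "Microsoft Graph service principal did not appear within $TimeoutSeconds seconds."
}

function New-AppRoleAssignmentBody {
    param(
        [Parameter(Mandatory)] [string] $PrincipalObjectId,  # objectId of your app's service principal
        [Parameter(Mandatory)] [string] $ResourceObjectId,   # objectId of the Graph service principal
        [Parameter(Mandatory)] [string] $AppRoleId           # role id from your requiredResourceAccess entry
    )
    # resourceId must be the resource principal's objectId (tenant-specific), never its appId.
    return @{
        id          = $AppRoleId
        principalId = $PrincipalObjectId
        resourceId  = $ResourceObjectId
    } | ConvertTo-Json
}

# Usage with placeholders (replace before running):
# $graphSpId = Get-MicrosoftGraphServicePrincipalId -TenantId '<tenant-id>' -AccessToken $AccessToken
# $body = New-AppRoleAssignmentBody -PrincipalObjectId '<your-sp-objectId>' -ResourceObjectId $graphSpId -AppRoleId '<app-role-id>'
# Invoke-RestMethod -Method Post -Uri "https://graph.windows.net/<tenant-id>/servicePrincipals/<your-sp-objectId>/appRoleAssignments?api-version=1.6" `
#     -Headers @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' } -Body $body
```

The lookup keys on appId because the objectId of the Graph principal differs per tenant while 00000003-0000-0000-c000-000000000000 is the same everywhere; the polling loop exists because the answer notes that the principal may take a few seconds to appear after it is created.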
0
votes
Get-MsolServicePrincipal -All | ? {$_.Displayname -match 'graph'} | ft ObjectID,AppprincipalID,DisplayName -AutoSize