0 votes

I have no problem adding a user to a role using

https://graph.windows.net/{TenantId}/users/{UserId}/appRoleAssignments?api-version=1.5

using Newtonsoft.Json;

// Request body for POST .../users/{UserId}/appRoleAssignments
string data = JsonConvert.SerializeObject(new
{
  id = roleId,                      // id of the appRole defined on the application
  principalDisplayName = userEmail,
  principalId = userId,             // object id of the user being assigned
  principalType = "User",
  resourceId = servicePrincipalId   // object id of the application's service principal
});

But this is not working for groups by changing:

https://graph.windows.net/{TenantId}/groups/{GroupId}/appRoleAssignments?api-version=1.5

principalDisplayName = GroupDisplayName,
principalId = groupId,
principalType = "Group"

Also tried without the principalDisplayName

I am receiving "Bad Request" and in Fiddler "One or more properties are invalid." with no extra information.

1
Do you have group-based role assignment available in the tenant? - juunas
Correct that solved the issue - Osama
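The two request shapes from the question, generalised to either principal type, as an added example (not code from the question or the answer, and written in Python rather than the asker's C#). It builds the URL and body for a user or a group, and decodes the error body so the "One or more properties are invalid." detail that the asker only saw in Fiddler shows up in the caller's own logs. The OData error envelope (`odata.error` / `code` / `message.value`) and the `Request_BadRequest` code are assumptions about the Azure AD Graph error format, not taken from the page; the HTTP call is injected so the flow runs offline against a constructed stub that behaves like the tenant in the question.

```python
import json
from typing import Callable, Optional, Tuple

# Endpoint pieces from the question (Azure AD Graph API, version 1.5).
GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "1.5"

# Constructed sample of an AAD Graph error body. The wording is the message the
# question reports seeing in Fiddler; the envelope shape and the error code are
# assumptions about the Graph API's OData error format, not taken from the page.
SAMPLE_ERROR_BODY = json.dumps({
    "odata.error": {
        "code": "Request_BadRequest",
        "message": {"lang": "en", "value": "One or more properties are invalid."},
    }
})


def build_app_role_assignment(tenant_id: str, principal_id: str, principal_type: str,
                              role_id: str, resource_id: str,
                              display_name: Optional[str] = None) -> Tuple[str, str]:
    """Return (url, json_body) for a POST that assigns an app role.

    The collection in the URL must match principalType: users/{id} for "User",
    groups/{id} for "Group". Mixing them is a common source of 400s.
    """
    collections = {"User": "users", "Group": "groups"}
    if principal_type not in collections:
        raise ValueError(f"unsupported principalType: {principal_type!r}")
    url = (f"{GRAPH_BASE}/{tenant_id}/{collections[principal_type]}/{principal_id}"
           f"/appRoleAssignments?api-version={API_VERSION}")
    body = {
        "id": role_id,                  # the appRole id defined on the application
        "principalId": principal_id,    # user or group object id
        "principalType": principal_type,
        "resourceId": resource_id,      # service principal object id
    }
    if display_name is not None:
        body["principalDisplayName"] = display_name
    return url, json.dumps(body)


def describe_graph_error(status_code: int, response_text: str) -> str:
    """Turn a failed Graph response into one line that includes the server's message.

    Logging the body means "Bad Request" is never the only thing you see; the
    detail the question had to pull out of Fiddler is right in the log line.
    """
    try:
        payload = json.loads(response_text)
    except ValueError:
        return f"HTTP {status_code}: {response_text.strip() or '<empty body>'}"
    err = payload.get("odata.error", {})
    code = err.get("code", "UnknownError")
    message = err.get("message", "")
    if isinstance(message, dict):
        message = message.get("value", "")
    return f"HTTP {status_code} {code}: {message}"


def assign_app_role(http_post: Callable[[str, str], Tuple[int, str]], **kwargs) -> Tuple[bool, str]:
    """Build the request, send it via http_post(url, body) -> (status, text),
    and return (success, human-readable outcome).

    http_post is injected so the logic runs offline against a stub; in production
    pass a wrapper around your HTTP client that adds the bearer token.
    """
    url, body = build_app_role_assignment(**kwargs)
    status, text = http_post(url, body)
    if 200 <= status < 300:
        return True, f"HTTP {status}: assignment created"
    return False, describe_graph_error(status, text)


def _stub_post_rejecting_groups(url: str, body: str) -> Tuple[int, str]:
    """Constructed stand-in for the tenant in the question: accepts user
    assignments and rejects group assignments with the 400 body above."""
    if "/groups/" in url:
        return 400, SAMPLE_ERROR_BODY
    return 201, body


if __name__ == "__main__":
    # Placeholder identifiers; real ones are tenant-specific object ids.
    common = dict(tenant_id="contoso.onmicrosoft.com", role_id="ROLE-ID-PLACEHOLDER",
                  resource_id="SP-ID-PLACEHOLDER")
    print(assign_app_role(_stub_post_rejecting_groups, principal_id="USER-ID-PLACEHOLDER",
                          principal_type="User", **common))
    print(assign_app_role(_stub_post_rejecting_groups, principal_id="GROUP-ID-PLACEHOLDER",
                          principal_type="Group", display_name="Finance", **common))
```

Once the error text is in your own logs, a rejected group assignment can be checked against the tenant's group-based assignment capability (the point raised in the comments) without a proxy in the loop.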

1 Answer

1 vote

Can you log in to the Azure portal with your tenant credentials and check whether you can assign an AAD group to a role? It's most likely related to your permissions.

Azure Active Directory -> Enterprise applications -> Find your application -> Users and Groups -> Add User