0
votes

I'm using the Graph API beta endpoint to try and delete an AppRoleAssignment:

https://graph.microsoft.com/beta/appRoleAssignments/I9pzftcx_06aCwX8sV9cmziqx-oiF21IlkxV9xRYvBM

I am using the DELETE verb and below is the response I get back:

109
{
  "error": {
    "code": "Request_UnsupportedQuery",
    "message": "Direct queries to this resource type are not supported.",
    "innerError": {
      "request-id": "aa7c14a3-f700-4368-898e-009f1608ade1",
      "date": "2019-04-30T00:29:50"
    }
  }
}
0

According to the beta documentation, this is allowed:

https://docs.microsoft.com/en-us/graph/api/approleassignment-delete?view=graph-rest-beta

I also verified the correct permissions according to the documentation as well.

I know this is a beta endpoint but any chance this will be fixed soon or do I need to use the Azure AD API instead?

UPDATE

I tried going through the users collection and it also fails:

https://graph.microsoft.com/beta/users/7e73da23-31d7-4eff-9a0b-05fcb15f5c9b/appRoleAssignments/I9pzftcx_06aCwX8sV9cmziqx-oiF21IlkxV9xRYvBM

I am using the DELETE verb and below is the response I get back:

fb
{
  "error": {
    "code": "BadRequest",
    "message": "Write requests are only supported on contained entities",
    "innerError": {
      "request-id": "b6db0eee-dc45-4e10-a56c-9a870fb7315c",
      "date": "2019-04-30T23:49:24"
    }
  }
}
0

I tried going through the service principal collection and it also fails:

https://graph.microsoft.com/beta/servicePrincipals/27e0a182-2008-4b4e-b998-731e0d111041/appRoleAssignments/I9pzftcx_06aCwX8sV9cmziqx-oiF21IlkxV9xRYvBM

I am using the DELETE verb and below is the response I get back:

18b
{
  "error": {
    "code": "BadRequest",
    "message": "The type 'microsoft.graph.appRoleAssignment' does not inherit from and is not a base type of 'microsoft.graph.directoryObject'. The type of 'KeySegments' must be related to the Type of the EntitySet.",
    "innerError": {
      "request-id": "8c981e82-755e-4c25-b448-58d2b71e12c7",
      "date": "2019-04-30T23:46:20"
    }
  }
}
0

1 Answer

1
votes

I'm afraid this service bug has existed for a very long time. The only thing I can say is to try this with AAD Graph until this is fixed in Microsoft Graph. The schema unfortunately models appRoleAssignments as a standard relationship, whereas in fact it is implemented as a contained entity (i.e. you can only operate on the app role assignment when it is contained as part of another entity - like users, groups or servicePrincipals). The schema definition needs to be updated. The documentation is accurate IMHO.

Hope this helps