Create a new role assignment for an enterprise application using Graph beta version

1
votes

I am trying to create role assignments for an enterprise application using Graph api beta version .

I am following Microsoft document to do the same

https://docs.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments?view=graph-rest-beta&tabs=http

Error:

This is the error I am getting while checking :

Write requests are only supported on contained entities

I tried the same using the Azure AD Graph also(graph.windows.net) and I am able to achieve the following.

{
  "error": {
    "code": "BadRequest",
    "message": "Write requests are only supported on contained entities",
    "innerError": {
      "request-id": "f8b80735-c516-4a65-9f42-2b3088f2951a",
      "date": "2019-07-30T09:23:13"
    }
  }
}
1
azureazure-active-directoryazure-ad-graph-api
Could you provide your request sample? - Joy Wang-MSFT
POST: graph.microsoft.com/beta/servicePrincipals{id}/appRoleAssignments - treasa
Actually I want to know your request body. - Joy Wang-MSFT
JSON body: { "creationTimestamp": "2019-05-24T06:55:12.0912852Z", "id": "00000000-0000-0000-0000-000000000000", "principalDisplayName": "", "principalId": "", "principalType": "", "resourceDisplayName": "", "resourceId": "" } - treasa

1 Answers

0
votes

I can reproduce your issue via Microsoft Graph API, not sure what causes the issue. Also, it is a Beta version, I don't recommend you to use it in your production environment.

The Azure AD Graph API works for me, you could refer to the request sample as below.

Note: The id is the role id which was declared by the target resource application resourceId in its appRoles property. My sample application does not declare any permissions, so I specify a default id (zero GUID 00000000-0000-0000-0000-000000000000).

POST https://graph.windows.net/myorganization/servicePrincipals/<objetc id of the service principal>/appRoleAssignments?api-version=1.6 

{
    "id":"00000000-0000-0000-0000-000000000000",
    "principalId":"<object id of the user/group/service principal being granted the access>",
    "resourceId":"<objetc id of the service principal which the assignment was made>"

}

enter image description here