I'm trying to write a script to update the permissions for a managed identity using PowerShell and the REST API, but I'm running into a problem and I don't know how to troubleshoot it any further.
My script connects to an App Registration with App ID and Secret, generates a token and I use that token in my "Invoke-RestMethod" command.
Connecting works fine, and I can run GET commands against the endpoints, but trying to update it using a POST gives me an error of "Not a valid reference update".
This is the bit of code:
# Payload in Hashtable (Graph documents these properties in camelCase:
# principalId, resourceId, appRoleId)
$POSTBody = @{
    principalId = "$($MIDData.id)"   # object ID of the managed identity's service principal
    resourceId  = "$ObjectID"        # object ID of the service principal that owns the app role
    appRoleId   = "$($TEMProle.id)"  # id of the app role being granted
}
# check if Hashtable converts to JSON
$POSTBody | ConvertTo-Json
# POST goes to the resource service principal (the same ID as resourceId in the body)
$AppRoleAssignment = "https://graph.microsoft.com/beta/servicePrincipals/$ObjectID/appRoleAssignedTo"
Invoke-RestMethod -Uri $AppRoleAssignment `
    -Headers @{ Authorization = "Bearer $($TokenAccess)" } `
    -Method POST `
    -Body ($POSTBody | ConvertTo-Json) `
    -ContentType "application/json"
I'm confident my variables are correct. I've tried hard-coding them as well, but I get the same result.
Note that you need to pass the Object ID of the Microsoft Graph Enterprise Application as the resourceId parameter.
In my case, I ran the API call below to get the object ID of the Microsoft Graph service principal:
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
Now I ran the PowerShell script below to generate a token and call the API to add the User.Read.All permission of Application type to the managed identity:
# App registration used to call Graph (client credentials flow)
$AppId        = "appID"
$ClientSecret = "secret"
$TenantId     = "tenantID"
$TokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

# Request an access token scoped to Microsoft Graph
$Body = @{
    client_id     = $AppId
    scope         = "https://graph.microsoft.com/.default"
    client_secret = $ClientSecret
    grant_type    = "client_credentials"
}
$TokenResponse = Invoke-RestMethod -Uri $TokenEndpoint -Method Post -Body $Body -ContentType "application/x-www-form-urlencoded"
$AccessToken = $TokenResponse.access_token

$PrincipalId = "fd0e0b8b-53f6-4bcd-a723-xxxxx"            # Managed identity Object ID
$ResourceId  = "c68a82f4-ecea-4f65-8047-xxxxx"            # Microsoft Graph Enterprise App Object ID
$AppRoleId   = "df021288-bdef-4463-88db-98f22de89214"     # User.Read.All permission App Role ID

# appRoleAssignment payload: who gets the role, which resource owns it, which role
$POSTBody = @{
    principalId = $PrincipalId
    resourceId  = $ResourceId
    appRoleId   = $AppRoleId
}
$POSTBodyJSON = $POSTBody | ConvertTo-Json

# The POST targets the resource service principal, so the ID in the URL is $ResourceId
$AppRoleAssignment = "https://graph.microsoft.com/beta/servicePrincipals/$ResourceId/appRoleAssignedTo"
try {
    $Response = Invoke-RestMethod -Uri $AppRoleAssignment `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -Method POST `
        -Body $POSTBodyJSON `
        -ContentType "application/json"
    Write-Host "App Role Assignment Successful:"
    Write-Host ($Response | ConvertTo-Json -Depth 10 -Compress)
} catch {
    Write-Error "Error assigning App Role: $($_.Exception.Message)"
}
Response:
To confirm that, I checked the same in the Azure Portal, where the User.Read.All permission of Application type was added successfully to the managed identity, like this:
Reference:
Grant an appRoleAssignment for a service principal - Microsoft Graph
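The answer above hard-codes three object IDs, two of which (the managed identity and the Microsoft Graph service principal) are tenant-specific, and the third (the app role) is easy to copy wrong. The script below is an added example, not code from the question or the answer, that resolves the Graph service principal and the app role from Graph itself, skips roles that are already assigned so it can be re-run safely, and uses the v1.0 endpoint. It assumes the calling app registration holds the AppRoleAssignment.ReadWrite.All application permission with admin consent; the variable names, the `$MiObjectId` placeholder and the `$Permissions` list are the example's own.

```powershell
# Added example (not from the original question or answer).
# Assumptions: the app registration below has AppRoleAssignment.ReadWrite.All
# (application permission, admin-consented), and $MiObjectId is the object ID of
# the managed identity's service principal. All names here are the example's own.

$TenantId     = "tenantID"
$AppId        = "appID"
$ClientSecret = "secret"             # a certificate or Key Vault reference is preferable to a literal secret
$MiObjectId   = "<managed identity object ID>"
$Permissions  = @("User.Read.All")   # Graph application permissions to grant, by value

# 1. Client-credentials token for Microsoft Graph
$tokenBody = @{
    client_id     = $AppId
    client_secret = $ClientSecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}
$token = (Invoke-RestMethod -Method Post -ContentType "application/x-www-form-urlencoded" `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $tokenBody).access_token
$headers = @{ Authorization = "Bearer $token" }
$graph   = "https://graph.microsoft.com/v1.0"

# 2. Resolve the Microsoft Graph service principal in this tenant. Its appId is the
#    same in every tenant (00000003-0000-0000-c000-000000000000) but its object ID
#    is tenant-specific, so it is looked up rather than copied from another tenant.
$graphSp = (Invoke-RestMethod -Headers $headers `
    -Uri "$graph/servicePrincipals?`$filter=appId eq '00000003-0000-0000-c000-000000000000'").value[0]
if (-not $graphSp) { throw "Microsoft Graph service principal not found in tenant $TenantId" }

# 3. Assignments the managed identity already holds, so a re-run is a no-op.
$existing = (Invoke-RestMethod -Headers $headers `
    -Uri "$graph/servicePrincipals/$MiObjectId/appRoleAssignments").value

foreach ($perm in $Permissions) {
    # Find the app role by its value. Only roles whose allowedMemberTypes include
    # "Application" can be assigned to a service principal such as a managed identity.
    $role = $graphSp.appRoles | Where-Object {
        $_.value -eq $perm -and $_.allowedMemberTypes -contains "Application" -and $_.isEnabled
    }
    if (-not $role) { Write-Warning "No application role named '$perm' on Microsoft Graph"; continue }

    if ($existing | Where-Object { $_.appRoleId -eq $role.id -and $_.resourceId -eq $graphSp.id }) {
        Write-Host "$perm already assigned, skipping"
        continue
    }

    # 4. POST to the resource's appRoleAssignedTo. resourceId is the Graph service
    #    principal that owns the role (the same ID as in the URL) and principalId is
    #    the managed identity, which is the pairing the answer above arrived at.
    $body = @{
        principalId = $MiObjectId
        resourceId  = $graphSp.id
        appRoleId   = $role.id
    } | ConvertTo-Json

    $result = Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json" `
        -Uri "$graph/servicePrincipals/$($graphSp.id)/appRoleAssignedTo" -Body $body
    Write-Host "Granted $perm to $MiObjectId (assignment id $($result.id))"
}
```

Two points worth keeping in mind when running this: the app registration that performs the grant can hand out any Graph application permission, including ones far broader than the managed identity needs, so treat its credentials as tier-0 and scope `$Permissions` to the minimum; and the lookup by `value` plus the `allowedMemberTypes` check guards against accidentally picking a delegated-permission scope of the same name, which cannot be assigned to a service principal.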