HTTP request to update Service Principal Entra
I'm trying to write a script to update the permissions for a managed identity using Powershell and the REST API, but I'm running into a problem and I don't know how to troubleshoot it any further.
My script connects to an App Registration with App ID and Secret, generates a token and I use that token in my "Invoke-RestMethod" command.
Connecting works fine, and I can run GET commands against the endpoints, but trying to update it using a POST gives me an error of "Not a valid reference update".
This is the 'bit of code:
# Payload in Hashtable
$POSTBody = @{
principalID = "$($MIDData.id)"
resourceID = "$ObjectID"
appRoleId = "$($TEMProle.id)"
}
# check if Hashtable converts to JSON
$POSTBody | convertto-json
$AppRoleAssignment = "https://graph.microsoft.com/beta/servicePrincipals/$ObjectID/appRoleAssignedTo"
Invoke-RestMethod -Uri $AppRoleAssignment -Headers @{Authorization = "Bearer $($TokenAccess)" } -Method POST -Body $($POSTBody | convertto-json) -ContentType "application/json"
I'm confident my variables are correct. I've tried hard-coding them as well, but I get the same result.
Any wisdom or guidance would be most appreciated.
Note that, you need to pass Object ID of Microsoft Graph Enterprise Application for resourceID parameter.
In my case, I ran below API call to get the object ID of Microsoft Graph service principal:
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
Now I ran below PowerShell script to generate token and call API to add User.Read.All permission of Application type to managed identity:
$AppId = "appID"
$ClientSecret = "secret"
$TenantId = "tenantID"
$TokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$Body = @{
client_id = $AppId
scope = "https://graph.microsoft.com/.default"
client_secret = $ClientSecret
grant_type = "client_credentials"
}
$TokenResponse = Invoke-RestMethod -Uri $TokenEndpoint -Method Post -Body $Body -ContentType "application/x-www-form-urlencoded"
$AccessToken = $TokenResponse.access_token
$PrincipalId = "fd0e0b8b-53f6-4bcd-a723-xxxxx" # Managed identity Object ID
$ResourceId = "c68a82f4-ecea-4f65-8047-xxxxx" # Microsoft Graph Enterprise App Object ID
$AppRoleId = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All permission App Role ID
$POSTBody = @{
principalId = $PrincipalId
resourceId = $ResourceId
appRoleId = $AppRoleId
}
$POSTBodyJSON = $POSTBody | ConvertTo-Json
$AppRoleAssignment = "https://graph.microsoft.com/beta/servicePrincipals/$ResourceId/appRoleAssignedTo"
try {
$Response = Invoke-RestMethod -Uri $AppRoleAssignment `
-Headers @{Authorization = "Bearer $AccessToken"} `
-Method POST `
-Body $POSTBodyJSON `
-ContentType "application/json"
Write-Host "App Role Assignment Successful:"
Write-Host ($Response | ConvertTo-Json -Depth 10 -Compress)
} catch {
Write-Error "Error assigning App Role: $($_.Exception.Message)"
}
Response:
To confirm that, I checked the same in Azure Portal where User.Read.All permission of Application type added successfully to managed identity like this:
Reference:
Grant an appRoleAssignment for a service principal - Microsoft Graph
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?