
Executing the New-AzureAdServiceAppRoleAssignment step returns a Forbidden error #22700

Closed
johndowns opened this issue Jan 17, 2019 — with docs.microsoft.com · 12 comments

johndowns (Contributor):

When I follow the instructions in the section Grant your VM access to the Azure AD Graph API, I get the following error:

New-AzureAdServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment

It appears to grant the access, though, since subsequent requests return the Bad Request response mentioned in the article, and calls to Get-AzureADServiceAppRoleAssignment -ObjectId $GraphServicePrincipal.ObjectId show the permission was assigned.

Is this a known issue? Is there something I should do to avoid getting the Forbidden error?


SaurabhSharma-MSFT (Contributor):

@johndowns Thanks for your feedback! We will investigate and update as appropriate.

kacperryniec:

Turns out I'm being hit by the same. Any updates @SaurabhSharma-MSFT ? :)

shashishailaj (Member):

@kacperryniec I will be updating this thread by EOD today after testing as I have taken this over from Saurabh. Thanks.

kacperryniec:

@shashishailaj any news? :)

shashishailaj (Member) commented Feb 14, 2019:

@kacperryniec @johndowns My apologies for the delay. I tested it and got the same error. We have escalated this internally to the Product Engineering team. It looks like there is some issue on the backend due to which we are unable to perform the operation. I tried adding ownership of the managed identity service principal to the tenant admin using the cmdlet Add-AzureADServicePrincipalOwner, but I get the following.

PS C:\WINDOWS\system32> $OwnerId = Get-AzureADUser -Filter "Userprincipalname eq 'administrator@.onmicrosoft.com'"
PS C:\WINDOWS\system32> Add-AzureADServicePrincipalOwner -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -RefObjectId $OwnerId
Add-AzureADServicePrincipalOwner : Error occurred while executing AddServicePrincipalOwner
Code: Request_BadRequest
Message: Open navigation properties are not supported on OpenTypes. Property name: '28'.
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ Add-AzureADServicePrincipalOwner -ObjectId $ManagedIdentitiesServiceP ...
    + CategoryInfo          : NotSpecified: (:) [Add-AzureADServicePrincipalOwner], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddServicePrincipalOwner

We will have the right people involved for a review of the article content on this. We may need more time on this. I will engage the authors on this as well to have this looked into.

Thank you.

shashishailaj (Member):

@daveba Could you please have a look into this and have the PowerShell cmdlet below, in this section of the article, reviewed.

New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -Id $AppRole.Id -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId

I have started an internal thread on this and will loop you in.
Thank you.

daveba (Contributor) commented Feb 14, 2019:

@shashishailaj Please assign this issue to @priyamohanram. She's the content writer for this space now. Also @arluca for visibility.

kacperryniec:

Hi, I see the issue is still assigned to @daveba...
Any chance to get this looked into reasonably soon? I'd love to use the feature in the project we're involved in, but since it does not work properly I might have to look for alternative solutions.

shashishailaj assigned ArLucaID and unassigned ArLucaID Feb 19, 2019

shashishailaj (Member):

@arluca @priyamohanram Could one of you please update this thread as to when the article can be updated?

gmfx commented Mar 8, 2019:

Any update on this?

daveba (Contributor) commented Mar 28, 2019:

This is a known issue. It is an intermittent error. You may or may not receive the error message, but as @johndowns states, the operation does succeed. I'll add this to the backlog and we'll update the doc accordingly with messaging. #please-close
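The procedure in the opening post (look up the Azure AD Graph service principal, the VM's managed identity service principal and the app role, then call New-AzureADServiceAppRoleAssignment) and the behaviour described in this comment (an intermittent Forbidden even though the assignment lands) suggest a safer way to script the grant: treat the Forbidden as a real failure unless the directory confirms the assignment exists afterwards. The following is an added example, not code from the docs article or from anyone in this thread. It assumes the AzureAD PowerShell module, an existing Connect-AzureAD session with an account that is allowed to grant application permissions, and that the managed identity's service principal carries the VM's display name; the VM name and the app role value passed at the bottom are placeholders. It also passes ObjectId strings to every -ObjectId/-PrincipalId/-ResourceId parameter, which is what those cmdlets expect.

```powershell
#Requires -Modules AzureAD
# Added example (not from the docs article or this issue thread).
# Assumes Connect-AzureAD has already been run with a sufficiently privileged account.

function Grant-ManagedIdentityAppRole {
    [CmdletBinding()]
    param(
        # Display name of the VM; its system-assigned identity's service principal uses the same name (assumption).
        [Parameter(Mandatory)] [string] $VmName,
        # Application permission (AppRole.Value) to grant. Choose the least-privileged role that works.
        [Parameter(Mandatory)] [string] $AppRoleValue,
        # AppId of the resource API. 00000002-0000-0000-c000-000000000000 is the Azure AD Graph API.
        [string] $ResourceAppId = '00000002-0000-0000-c000-000000000000'
    )

    $resourceSp = Get-AzureADServicePrincipal -Filter "AppId eq '$ResourceAppId'"
    if (-not $resourceSp) { throw "No service principal found for AppId $ResourceAppId in this tenant." }

    $miSp = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$VmName'")
    if ($miSp.Count -eq 0) { throw "No service principal named '$VmName'. Is the VM's system-assigned identity enabled?" }
    if ($miSp.Count -gt 1) { throw "More than one service principal named '$VmName'; disambiguate by ObjectId instead." }
    $miSp = $miSp[0]

    # Only roles that allow 'Application' members can be assigned to a service principal.
    $appRole = $resourceSp.AppRoles |
        Where-Object { $_.Value -eq $AppRoleValue -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $appRole) { throw "Resource $ResourceAppId exposes no application role '$AppRoleValue'." }

    # The resource's assignment list is the authoritative check (as used in the opening post).
    $findAssignment = {
        Get-AzureADServiceAppRoleAssignment -ObjectId $resourceSp.ObjectId -All $true |
            Where-Object { $_.PrincipalId -eq $miSp.ObjectId -and $_.Id -eq $appRole.Id }
    }

    $existing = & $findAssignment
    if ($existing) {
        Write-Verbose "Role '$AppRoleValue' is already assigned to '$VmName'; nothing to do."
        return $existing
    }

    try {
        return New-AzureADServiceAppRoleAssignment -ObjectId $miSp.ObjectId -Id $appRole.Id `
            -PrincipalId $miSp.ObjectId -ResourceId $resourceSp.ObjectId
    }
    catch {
        # Anything other than the Authorization_RequestDenied case discussed in the thread is a real failure.
        if ($_.Exception.Message -notmatch 'Authorization_RequestDenied') { throw }

        # Intermittent Forbidden: believe it only if the directory does NOT show the assignment.
        Start-Sleep -Seconds 5
        $confirmed = & $findAssignment
        if ($confirmed) {
            Write-Warning "New-AzureADServiceAppRoleAssignment returned Forbidden, but the assignment is present; treating as success."
            return $confirmed
        }
        throw   # Forbidden and no assignment: the caller really lacks the privilege.
    }
}

# Placeholder invocation; run Connect-AzureAD first.
# Grant-ManagedIdentityAppRole -VmName 'my-vm' -AppRoleValue 'Directory.Read.All' -Verbose
```

The function is idempotent (it returns the existing assignment rather than creating a duplicate), and it never swallows a Forbidden blindly: the warning path is taken only when Get-AzureADServiceAppRoleAssignment shows the principal actually holds the role, which is exactly the check the opening post used to discover that the operation had succeeded despite the error.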

janisBerz:

I'm experiencing the same issue, but this happens only if New-AzureAdServiceAppRoleAssignment is executed using a service principal, not a user principal. I mean when you connect to Azure AD using a service principal instead of a user principal to apply the app role assignment.
