Azure-docs: Executing the New-AzureAdServiceAppRoleAssignment step returns a Forbidden error

Created on 17 Jan 2019 · 12 comments · Source: MicrosoftDocs/azure-docs

When I follow the instructions in the section Grant your VM access to the Azure AD Graph API, I get the following error:

New-AzureAdServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment

It appears to grant the access, though, since subsequent requests return the Bad Request response mentioned in the article, and calls to Get-AzureADServiceAppRoleAssignment -ObjectId $GraphServicePrincipal.ObjectId show the permission was assigned.

Is this a known issue? Is there something I should do to avoid getting the Forbidden error?


active-directorsvc assigned-to-author in-progress product-question triaged

All 12 comments

@johndowns Thanks for your feedback! We will investigate and update as appropriate.

Turns out I'm being hit by the same. Any updates @SaurabhSharma-MSFT ? :)

@kacperryniec I will be updating this thread by EOD today after testing as I have taken this over from Saurabh. Thanks.

@shashishailaj any news? :)

@kacperryniec @johndowns My apologies for the delay. I tested it and got the same error. We have escalated this internally to the Product engineering team. Looks like there is some issue from the backend due to which we are unable to perform the operation. I tried adding the ownership of the managed identity service principal to the tenant Admin using the cmdlet Add-AzureADServicePrincipalOwner but I get the following.

PS C:\WINDOWS\system32> $OwnerId = Get-AzureADUser -Filter "Userprincipalname eq 'administrator@.onmicrosoft.com'"
PS C:\WINDOWS\system32> Add-AzureADServicePrincipalOwner -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -RefObjectId $OwnerId
Add-AzureADServicePrincipalOwner : Error occurred while executing AddServicePrincipalOwner
Code: Request_BadRequest
Message: Open navigation properties are not supported on OpenTypes. Property name: '28'.
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ Add-AzureADServicePrincipalOwner -ObjectId $ManagedIdentitiesServiceP ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-AzureADServicePrincipalOwner], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddServicePrincipalOwner

We will have the right people involved for a review of the article content on this. We may need more time on this. I will engage the authors on this as well to have this looked into.

Thank you.

@daveba Could you please have a look into this and have the PowerShell cmdlet below in this section of the article reviewed.

New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -Id $AppRole.Id -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId

I have started an internal thread on this and will loop you in.
Thank you.

@shashishailaj Please assign this issue to @priyamohanram. She's the content writer for this space now. Also @arluca for visibility.

Hi, I see the issue is still assigned to @daveba...
Any chance to get this looked into reasonably soon? I'd love to use the feature in the project we're involved in, but since it does not work properly I might have to look for alternative solutions.

@arluca @priyamohanram Could one of you please update this thread as to when the article can be updated ?

Any update on this?

This is a known issue. It is an intermittent error. You may or may not receive the error message, but as @johndowns states, the operation does succeed. I'll add this to the backlog and we'll update the doc accordingly with messaging. #please-close
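Because the cmdlet's error code cannot be trusted here, the practical workaround is to treat the assignment as idempotent and verify it by re-reading the assignments on the Graph service principal (the same check @johndowns used above). The following script is an added example, not code from the azure-docs article or from anyone in this thread. It assumes the AzureAD module is installed, that Connect-AzureAD has already been run as a user (the comment below notes the error is worse when signed in as a service principal), and that the managed identity object ID and app role value are placeholders you replace.

```powershell
# Added example (not from the article or this thread). Grants an Azure AD Graph
# app role to a VM's managed identity, tolerates the intermittent Forbidden /
# Authorization_RequestDenied reported in this issue, then verifies the result.
# Assumes: AzureAD module installed; Connect-AzureAD already done as a user.
param(
    [string]$ManagedIdentityObjectId = "<managed-identity-object-id>",  # placeholder, replace
    [string]$AppRoleValue            = "Directory.Read.All"              # app role to grant (assumed)
)

# Service principal of the Azure AD Graph API (display name "Windows Azure Active Directory").
$GraphServicePrincipal = Get-AzureADServicePrincipal -SearchString "Windows Azure Active Directory" |
    Select-Object -First 1
if (-not $GraphServicePrincipal) { throw "Azure AD Graph service principal not found in this tenant." }

$ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -ObjectId $ManagedIdentityObjectId
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Value -eq $AppRoleValue }
if (-not $AppRole) { throw "App role '$AppRoleValue' not exposed by $($GraphServicePrincipal.DisplayName)." }

function Test-AppRoleAssignment {
    # Authoritative check: list assignments recorded on the resource (Graph) side and
    # match on both the principal and the app role id, not just on the principal.
    $existing = Get-AzureADServiceAppRoleAssignment -ObjectId $GraphServicePrincipal.ObjectId -All $true |
        Where-Object {
            $_.PrincipalId -eq $ManagedIdentitiesServicePrincipal.ObjectId -and $_.Id -eq $AppRole.Id
        }
    return [bool]$existing
}

if (Test-AppRoleAssignment) {
    Write-Host "Assignment already present for $($ManagedIdentitiesServicePrincipal.DisplayName); nothing to do."
    return
}

try {
    New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId `
        -Id $AppRole.Id `
        -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId
}
catch {
    # The Forbidden error in this thread is intermittent and the write may have
    # succeeded anyway, so log it and let the re-read below decide.
    Write-Warning "New-AzureAdServiceAppRoleAssignment reported: $($_.Exception.Message)"
}

if (Test-AppRoleAssignment) {
    Write-Host "Verified: '$AppRoleValue' is assigned to $($ManagedIdentitiesServicePrincipal.DisplayName)."
} else {
    # Only now is the failure real: the assignment is genuinely missing.
    throw "Assignment not found after New-AzureAdServiceAppRoleAssignment; retry, or check the signed-in account's directory role."
}
```

The verification reads the assignments from the resource side (the Graph service principal), which is what the thread's `Get-AzureADServiceAppRoleAssignment -ObjectId $GraphServicePrincipal.ObjectId` check does; filtering on `Id` as well as `PrincipalId` keeps the script from reporting success when a different app role happens to be assigned to the same identity.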

I'm experiencing the same issue but this happens only if New-AzureAdServiceAppRoleAssignment is executed using a service principal, not a user principal. I mean when you connect to Azure AD using a service principal instead of a user principal to apply the app role assignment.
