The create operation is just missing without further explanation.
I would really welcome a statement like "Currently you have to use AAD Graph to create appRoleAssignments"
The documentation does exist; it's just not in the tree for some reason, maybe because it's technically "under" the servicePrincipal resource (although it doesn't show up in the tree there either).
I'm unsure if this also works for /users/{id}/appRoleAssignments, etc.
This seems to be missing in the https://github.com/microsoftgraph/msgraph-beta-sdk-dotnet
@MIchaelMainer are you aware of this?
Taking a look now.
@jthake-msft We need to loop in the owner of serviceprincipals/appRoleAssignment to clarify.
Either the documentation or the metadata is incorrect. The documentation implies that the appRoleAssignment is in the servicePrincipals entityset. The metadata shows that the appRoleAssignment is defined in the appRoleAssignment entityset.
POST /servicePrincipals/{id}/appRoleAssignments with a payload returns a "BadRequest Write requests are only supported on contained entities"
POST /servicePrincipals/{id}/appRoleAssignments/$ref with the same payload returns an "Invalid object identifier 'id'."
The documentation is most likely wrong. It should be posting a reference. The title should be Create appRoleAssignment reference.
The request should be POST /servicePrincipals/{id}/appRoleAssignments/$ref.
The body should be like {"@odata.id":"https://graph.microsoft.com/beta/appRoleAssignments/2175a16a-e5e5-4c93-812c-4b1f2a48afba"}
There should be a link to the topic that shows how to create an appRoleAssignment. It doesn't appear to exist. https://docs.microsoft.com/en-us/graph/api/resources/approleassignment?view=graph-rest-beta. Only get, update, delete. We can't query appRoleAssignments at GET /appRoleAssignments as that entity set is not queryable (per response).
I tried this:
POST /appRoleAssignments
{
  "creationTimestamp": "2016-10-19T10:37:00Z",
  "principalDisplayName": "principalDisplayName-value",
  "principalId": "66950038-9db6-44e4-aa49-e25f7f1133f9",
  "principalType": "principalType-value",
  "resourceDisplayName": "resourceDisplayName-value"
}
This API seems to exist, I just don't know what information needs to be set.
Metadata
<EntitySet Name="appRoleAssignments" EntityType="microsoft.graph.appRoleAssignment" />
<EntitySet Name="servicePrincipals" EntityType="microsoft.graph.servicePrincipal">
  <NavigationPropertyBinding Path="appRoleAssignments" Target="directoryObjects" />
</EntitySet>
<EntityType Name="servicePrincipal" BaseType="microsoft.graph.directoryObject" OpenType="true">
  <NavigationProperty Name="appRoleAssignments" Type="Collection(microsoft.graph.appRoleAssignment)" />
</EntityType>
Hi
Is there any API to assign a user to an application and to remove a user from an application? Using the above-mentioned API we are not able to assign it.
@MIchaelMainer Did you manage to get any further than your last comment? I am trying to create an app role assignment but facing the same "Direct queries to this resource type are not supported" error you reference. Thanks.
I was told to put it on Stack Overflow by Microsoft. So I suggest upvoting the issue there - https://stackoverflow.com/questions/56786453/how-to-create-an-approleassignment-via-microsoft-graph for it to get some attention.
Thanks @hajekj, will do.
Using the Microsoft-Graph.Beta (0.7.0-preview).
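try
{
    var appRoleAssignment = new AppRoleAssignment
    {
        // ObjectId of the application, not its ApplicationId
        ResourceId = Guid.Parse(applicationId),
        // Id of the user being assigned
        PrincipalId = Guid.Parse(userId),
    };
    await serviceClient.AppRoleAssignments.Request().AddAsync(appRoleAssignment);
}
catch (AggregateException)
{
    // Swallowed: the call throws, but the assignment is still processed
}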
With applicationId being the ObjectId of the Application (not the ApplicationId). Somehow always gives an AggregateException, but it gets processed nonetheless.
Hope it helps :)
I believe the above-mentioned code is for JavaScript; is there any code for the Java SDK or the REST API?
To assign a user to an application, you want to POST to the appRoleAssignedTo navigation on the app's servicePrincipal object. This is described here: https://docs.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignedto?view=graph-rest-1.0
POST https://graph.microsoft.com/v1.0/servicePrincipals/{sp-id}/appRoleAssignedTo
{
  "principalId": "{user-id}",
  "resourceId": "{sp-id}",
  "appRoleId": "{app-role-id}"
}
If the app has defined app roles which can be granted to users (see the appRoles property on the app's servicePrincipal entity), then {app-role-id} is the id of the app role you wish to grant to the user. If the app role has not defined any app roles which can be granted to users, you can use 00000000-0000-0000-0000-000000000000 as appRoleId, to signal that the user is assigned to the app (but not to any specific app role).
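The request described in the comment above, as an added example that is not part of the original thread: it picks `appRoleId` from the servicePrincipal's `appRoles` (only enabled roles whose `allowedMemberTypes` include `User`) and falls back to the all-zero GUID only when the app defines no user-assignable role. `SAMPLE_SP`, `user_assignable_roles` and `build_assignment` are hypothetical names, all ids are constructed, and refusing to guess a role when several exist is this example's own choice.

```python
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"
DEFAULT_ACCESS = "00000000-0000-0000-0000-000000000000"  # assigned, no specific role

# Constructed sample servicePrincipal (ids and role names are made up).
SAMPLE_SP = {
    "id": "11111111-2222-3333-4444-555555555555",
    "appRoles": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Reader",
         "isEnabled": True, "allowedMemberTypes": ["User"]},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Daemon.Write",
         "isEnabled": True, "allowedMemberTypes": ["Application"]},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "Legacy",
         "isEnabled": False, "allowedMemberTypes": ["User"]},
    ],
}

def user_assignable_roles(sp):
    """Enabled app roles whose allowedMemberTypes include "User"."""
    return [r for r in sp.get("appRoles", [])
            if r.get("isEnabled") and "User" in r.get("allowedMemberTypes", [])]

def build_assignment(sp, user_id, role_value=None):
    """Return (method, url, body) for the appRoleAssignedTo POST."""
    sp_id = str(uuid.UUID(sp["id"]))    # reject malformed ids before use
    user_id = str(uuid.UUID(user_id))
    roles = user_assignable_roles(sp)
    if role_value is None:
        if roles:  # this example's choice: never guess which role to grant
            raise ValueError("app defines user-assignable roles; name one")
        role_id = DEFAULT_ACCESS
    else:
        match = [r for r in roles if r["value"] == role_value]
        if not match:
            raise ValueError(f"{role_value!r} is not an enabled user-assignable role")
        role_id = match[0]["id"]
    body = {"principalId": user_id, "resourceId": sp_id, "appRoleId": role_id}
    return "POST", f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignedTo", body

if __name__ == "__main__":
    import json
    user = "99999999-0000-0000-0000-000000000009"  # constructed user id
    print(json.dumps(build_assignment(SAMPLE_SP, user, "Reader"), indent=2))
```
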