TL;DR We are creating an AAD application using the Microsoft Graph API. The application has some requiredResourceAccess entries, one of which requires access to Microsoft Graph. After we create the application we want to assign the roles to the service principal using the appRoleAssignments object. The object requires the resourceId, which is the objectId (e.g. of Microsoft Graph) that I am trying to determine.
We are using the Graph API itself to get the service principals using: https://graph.windows.net/<tenant>/servicePrincipals?api-version=1.6
but somehow Microsoft Graph is missing:
Windows Azure Active Directory
Microsoft App Access Panel
Azure Classic Portal
Microsoft.SMIT
Office 365 Configure
Windows Azure Service Management API
Microsoft.SupportTicketSubmission
Azure ESTS Service
Signup
Microsoft password reset service
I need to determine the ObjectId of the Microsoft Graph Service Principal. Starting with a fresh AAD, it seems like there is no Microsoft Graph Principal:
Get-MsolServicePrincipal -AppPrincipalId 00000003-0000-0000-c000-000000000000
Output
Get-MsolServicePrincipal : Service principal was not found.
How do I determine the ObjectId of Microsoft Graph (preferably using the graph.windows.net API)?
Edit 1:
As suggested by Fei Xue, creating the Service Principal via Rest using:
POST: https://graph.windows.net/{tenantId}/servicePrincipals?api-version=1.6
Authorization: Bearer {access_token}
{
"appId": "00000003-0000-0000-c000-000000000000",
"accountEnabled": true
}
Gives me a 400 (Bad Request) Error code:
I need to determine the ObjectId of the Microsoft Graph Service Principal. Starting with a fresh AAD, it seems like there is no Microsoft Graph Principal:
The service principal of a multi-tenant app (Microsoft Graph) registered in another tenant will be created after the user grants consent to the app. This is the reason why you are not able to find it in a fresh tenant.
To get the object id of Microsoft Graph, you need to register an app and grant it the permission of Microsoft Graph, like the figure below:
After that, the Get-MsolServicePrincipal
command should work for you (note: you may need to wait a few seconds after you grant the permission).
For more detail about service principals, you can refer to this document.
POST: https://graph.windows.net/{tenantId}/servicePrincipals?api-version=1.6
Authorization: Bearer {access_token}
{
"appId": "00000003-0000-0000-c000-000000000000",
"accountEnabled": true
}
The above REST call uses the app (1950a258-227b-4e31-a9cf-717495945fc2) registered in the Microsoft tenant to acquire the token. To create the service principal for Microsoft Graph programmatically, we can call the New-AzureRMADServicePrincipal
command.
Here is a C# code sample that works well for me:
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security;

// Needs a reference to System.Management.Automation and the AzureRM
// PowerShell module installed on the machine running this code.
class CreateGraphServicePrincipal
{
    static void Main()
    {
        try
        {
            var userName = ""; // placeholder: an Azure AD user allowed to create service principals
            var password = ""; // placeholder
            var securePassword = new SecureString();
            foreach (char c in password)
            {
                securePassword.AppendChar(c);
            }
            // Create Initial Session State for runspace.
            InitialSessionState initialSession = InitialSessionState.CreateDefault();
            // Create credential object.
            PSCredential credential = new PSCredential(userName, securePassword);
            // Create command to log in to Azure.
            Command connectCommand = new Command("Login-AzureRmAccount");
            connectCommand.Parameters.Add(new CommandParameter("Credential", credential));
            // Create command to create the Microsoft Graph service principal by its well-known appId.
            Command createSP = new Command("New-AzureRMADServicePrincipal");
            createSP.Parameters.Add(new CommandParameter("ApplicationId", "00000003-0000-0000-c000-000000000000"));
            using (Runspace psRunSpace = RunspaceFactory.CreateRunspace(initialSession))
            {
                // Open runspace.
                psRunSpace.Open();
                // Iterate through each command and execute it.
                foreach (var com in new Command[] { connectCommand, createSP })
                {
                    var pipe = psRunSpace.CreatePipeline();
                    pipe.Commands.Add(com);
                    pipe.Invoke();
                }
                // Close the runspace.
                psRunSpace.Close();
            }
        }
        catch (Exception)
        {
            throw;
        }
    }
}
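The same find-or-create flow over the graph.windows.net REST API, followed by the appRoleAssignments body the question needs, as an added example that is neither the asker's nor Fei Xue's code. It assumes a bearer token obtained elsewhere, the standard Azure AD Graph 1.6 `$filter=appId eq '...'` query and appRoleAssignment body shape, and it takes the HTTP call as a parameter so the lookup logic can be exercised offline with constructed responses.

```python
import json
import urllib.parse
import urllib.request

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId from the question
API_VERSION = "1.6"


def http_json(token, method, url, body=None):
    """Minimal Azure AD Graph call: bearer token, JSON in, JSON out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def find_sp_object_id(sp_list, app_id=MS_GRAPH_APP_ID):
    """Select the service principal by appId, never by displayName: the name
    is neither unique nor protected, the appId of the first-party app is fixed."""
    for sp in sp_list:
        if sp.get("appId", "").lower() == app_id.lower():
            return sp["objectId"]
    return None


def ensure_ms_graph_sp(tenant, token, call=http_json):
    """Return the objectId of the Microsoft Graph service principal, creating it
    when the tenant has not consented to Graph yet (the fresh-tenant case)."""
    base = "https://graph.windows.net/%s/servicePrincipals" % tenant
    query = urllib.parse.urlencode(
        {"api-version": API_VERSION, "$filter": "appId eq '%s'" % MS_GRAPH_APP_ID},
        quote_via=urllib.parse.quote)
    found = find_sp_object_id(call(token, "GET", base + "?" + query).get("value", []))
    if found is not None:
        return found
    created = call(token, "POST", base + "?api-version=" + API_VERSION,
                   {"appId": MS_GRAPH_APP_ID, "accountEnabled": True})
    return created["objectId"]


def app_role_assignment(principal_object_id, graph_object_id, app_role_id):
    """Body for POST .../servicePrincipals/{principalId}/appRoleAssignments.
    resourceId is the objectId of the Graph SP (not its appId); id is the
    appRole id taken from the Graph SP's own appRoles list."""
    return {"id": app_role_id, "principalId": principal_object_id,
            "resourceId": graph_object_id}
```

The objectId returned by ensure_ms_graph_sp is the value the question was missing; pass it as the second argument of app_role_assignment.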