Forum Discussion
Yoann
Oct 11, 2023 Copper Contributor
Requirements to assign a GraphAPI role for a custom app in MS Entra?
We are developing a SaaS that is using GraphAPI to manage MS Entra identities (provisioning as well as federation settings). This requires us to have a Registered App with Security Administrator r...
govindagoud
Oct 11, 2023 Brass Contributor
According to the article Assign Microsoft Entra admin roles with Microsoft Graph API, you need the following prerequisites to assign a GraphAPI role for a custom app in MS Entra:
Microsoft Entra ID P1 or P2 license
Privileged Role Administrator or Global Administrator
Admin consent when using Graph Explorer for Microsoft Graph API
You can use the Create unifiedRoleAssignment API to assign the custom role. The role assignment combines a security principal ID (which can be a user or service principal), a role definition ID, and a Microsoft Entra resource scope. You can find some examples of how to use this API in the article.
However, if you do not have a paid Azure subscription, you might encounter some limitations or errors when trying to assign the role. As discussed in the Microsoft Community Hub, you might need to use a pay-as-you-go Azure subscription to access the Subscription view and assign the role to the app.
Alternatively, you can try to create custom roles to manage enterprise apps in Microsoft Entra ID, as explained in this article: Create custom roles to manage enterprise apps in Microsoft Entra ID. This might allow you to assign the role without using a paid Azure subscription.
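The answer above describes the Create unifiedRoleAssignment call in words; the following is an added example (editor's code, not from the thread or from Microsoft's own samples) that does it against the v1.0 endpoint for the role the question asks about. It assumes a GRAPH_TOKEN environment variable holding a bearer token that was granted RoleManagement.ReadWrite.Directory, and a PRINCIPAL_ID holding the object id of the app's service principal; the function and constant names and the placeholder GUIDs in the sample responses are the editor's and are constructed so the helpers run offline.

```python
"""
Assign a built-in Entra directory role to an app's service principal with
Microsoft Graph's Create unifiedRoleAssignment API
(POST /roleManagement/directory/roleAssignments).

Added example, not code from the original thread.  Assumptions, labelled:
  * GRAPH_TOKEN holds a bearer token granted RoleManagement.ReadWrite.Directory
    (an admin-consented app, or a Privileged Role Administrator user).
  * PRINCIPAL_ID is the OBJECT id of the app's service principal (Enterprise
    applications blade), not the app registration's object id and not its appId.
  * SAMPLE_* values below are constructed responses with placeholder GUIDs.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
TENANT_SCOPE = "/"  # whole tenant; an administrative unit id narrows the assignment


def build_role_assignment(principal_id, role_definition_id, directory_scope_id=TENANT_SCOPE):
    """Request body: the three parts of a unifiedRoleAssignment (principal, role, scope)."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": directory_scope_id,
    }


def find_role_definition_id(role_definitions, display_name):
    """Resolve the role id from a /roleManagement/directory/roleDefinitions listing
    rather than hard-coding a template GUID."""
    for rd in role_definitions.get("value", []):
        if rd.get("displayName") == display_name:
            return rd["id"]
    raise LookupError(f"no role definition named {display_name!r}")


def has_assignment(existing, principal_id, role_definition_id, directory_scope_id=TENANT_SCOPE):
    """Idempotency check against a /roleAssignments listing filtered by principalId."""
    return any(
        a.get("principalId") == principal_id
        and a.get("roleDefinitionId") == role_definition_id
        and a.get("directoryScopeId") == directory_scope_id
        for a in existing.get("value", [])
    )


def graph_request(token, method, path, query=None, body=None):
    """Minimal Graph call with urllib; 4xx/5xx surface as urllib.error.HTTPError."""
    url = GRAPH + path + ("?" + urllib.parse.urlencode(query) if query else "")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.status != 204 else {}


def ensure_role_assignment(token, principal_id, role_name):
    """Look the role up by name, skip if the principal already holds it at tenant
    scope, otherwise create it.  Returns the new assignment or None if unchanged."""
    defs = graph_request(token, "GET", "/roleManagement/directory/roleDefinitions",
                         {"$filter": f"displayName eq '{role_name}'"})
    role_id = find_role_definition_id(defs, role_name)
    existing = graph_request(token, "GET", "/roleManagement/directory/roleAssignments",
                             {"$filter": f"principalId eq '{principal_id}'"})
    if has_assignment(existing, principal_id, role_id):
        return None
    return graph_request(token, "POST", "/roleManagement/directory/roleAssignments",
                         body=build_role_assignment(principal_id, role_id))


# Constructed sample responses (placeholder GUIDs) so the helpers run offline.
SAMPLE_ROLE_DEFINITIONS = {"value": [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "Security Administrator"},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Global Reader"},
]}
SAMPLE_PRINCIPAL = "33333333-3333-3333-3333-333333333333"
SAMPLE_EXISTING = {"value": [
    {"principalId": SAMPLE_PRINCIPAL,
     "roleDefinitionId": "22222222-2222-2222-2222-222222222222",
     "directoryScopeId": "/"},
]}

if __name__ == "__main__":
    token, principal = os.environ.get("GRAPH_TOKEN"), os.environ.get("PRINCIPAL_ID")
    if token and principal:
        print(json.dumps(ensure_role_assignment(token, principal, "Security Administrator"), indent=2))
    else:  # offline demonstration on the constructed data
        role_id = find_role_definition_id(SAMPLE_ROLE_DEFINITIONS, "Security Administrator")
        print("already assigned:", has_assignment(SAMPLE_EXISTING, SAMPLE_PRINCIPAL, role_id))
        print(json.dumps(build_role_assignment(SAMPLE_PRINCIPAL, role_id), indent=2))
```

Two practitioner notes on this. The request goes to Entra's roleManagement/directory endpoint, not to Azure Resource Manager, so the API call itself does not depend on an Azure subscription; the subscription requirement the thread discusses is a portal experience, not a Graph one. And Security Administrator is a highly privileged role for a multi-tenant SaaS to hold in a customer tenant: scope it to an administrative unit where the customer's layout allows, or follow the answer's pointer to a custom role carrying only the app-management actions the service actually needs.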
Yoann
Oct 13, 2023 Copper Contributor
The question is exactly that: why do customers need a paid subscription to assign a role to an app (which will not be invoiced) when they are supposed to have a free subscription for all Entra-related access?
It really looks like a bug to me.