Forum Discussion

Yoann
Copper Contributor
Oct 11, 2023

Requirements to assign a GraphAPI role for a custom app in MS Entra?

We are developing a SaaS that uses the Graph API to manage MS Entra identities (provisioning as well as federation settings).

This requires us to have a Registered App with the Security Administrator role.

Our tests so far of the process of granting our App the Security Administrator role have not been successful.

The documentation talks about using Subscription or Resource management to assign the Security Administrator role to our app.

Except that we do not see this process working outside of a paid Azure subscription.

With the Microsoft 365 Developer Program, our developer tenant with the 25 E5 licences for testing purposes, we just cannot access the Subscription view.

With a normally paid MS 365 tenant, the free subscription for Azure AD does not allow us any role assignment for apps.

With a pay-as-you-go Azure subscription (for things like VMs and other cloud resources) we can assign the role to the app.

 

So here is my question: what is the correct way to configure a Registered App with:

  • no paid Azure subscription
  • app authentication rather than delegated authentication
  • the right to manage domain federation settings?


  • govindagoud
    Brass Contributor
    According to the article Assign Microsoft Entra admin roles with Microsoft Graph API, you need the following prerequisites to assign a Graph API role for a custom app in MS Entra:

    • Microsoft Entra ID P1 or P2 license
    • Privileged Role Administrator or Global Administrator
    • Admin consent when using Graph Explorer for Microsoft Graph API

    You can use the Create unifiedRoleAssignment API to assign the custom role. The role assignment combines a security principal ID (which can be a user or service principal), a role definition ID, and a Microsoft Entra resource scope. You can find some examples of how to use this API in the article.

    However, if you do not have a paid Azure subscription, you might encounter some limitations or errors when trying to assign the role. As discussed in the Microsoft Community Hub, you might need to use a pay-as-you-go Azure subscription to access the Subscription view and assign the role to the app.

    Alternatively, you can try to create custom roles to manage enterprise apps in Microsoft Entra ID, as explained in this article: Create custom roles to manage enterprise apps in Microsoft Entra ID. This might allow you to assign the role without using a paid Azure subscription.
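    The unifiedRoleAssignment call the reply above describes, as an added Python example that is not part of the original thread or of any Microsoft sample. It assumes the caller can obtain a Graph access token holding RoleManagement.ReadWrite.Directory (for the app-only flow the question asks about, that token comes from a client-credentials grant, and the assignment itself still has to be created from a Privileged Role Administrator or Global Administrator context as the reply notes). The tenant, client and principal IDs are placeholders; the Security Administrator role template ID is the documented built-in value, and for built-in roles the Graph roleDefinitionId equals that template ID.

```python
"""Assign a built-in Microsoft Entra directory role to a service principal
through Microsoft Graph (POST /roleManagement/directory/roleAssignments).

Added example, not code from the forum thread. Assumptions:
  - the token used for assign_role() holds RoleManagement.ReadWrite.Directory;
  - PRINCIPAL_ID is the *service principal* object id of the registered app
    (not the client/app id and not the app registration's object id);
  - tenant/client/secret values in main() are placeholders to be replaced.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Documented role template id of the built-in "Security Administrator" role.
SECURITY_ADMINISTRATOR_TEMPLATE_ID = "194ae4cb-b126-40b2-bd5b-6091b380977d"

_GUID = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def build_role_assignment(principal_id,
                          role_definition_id=SECURITY_ADMINISTRATOR_TEMPLATE_ID,
                          directory_scope_id="/"):
    """Return the JSON body for a unifiedRoleAssignment.

    The three fields are exactly the ones the reply names: the security
    principal (user or service principal), the role definition, and the
    directory scope ("/" means tenant-wide; "/<object-id>" scopes it to one
    object, e.g. a single administrative unit or application).
    """
    for name, value in (("principal_id", principal_id),
                        ("role_definition_id", role_definition_id)):
        if not _GUID.match(value):
            raise ValueError(f"{name} must be an object/template GUID, got {value!r}")
    if not directory_scope_id.startswith("/"):
        raise ValueError("directory_scope_id must be '/' or '/<object-id>'")
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": directory_scope_id,
    }


def get_app_token(tenant_id, client_id, client_secret):
    """Client-credentials (app-only, non-delegated) token for Microsoft Graph.

    The .default scope requests every application permission that has been
    admin-consented on the app registration.
    """
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def assign_role(token, principal_id, **kwargs):
    """Create the role assignment; raises urllib.error.HTTPError on 4xx/5xx."""
    body = build_role_assignment(principal_id, **kwargs)
    req = urllib.request.Request(
        f"{GRAPH}/roleManagement/directory/roleAssignments",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values (assumed, not from the thread). The principal id is
    # the service principal's object id shown under Enterprise applications.
    token = get_app_token("<tenant-id>", "<client-id>", "<client-secret>")
    try:
        result = assign_role(token, "<service-principal-object-id>")
        print(json.dumps(result, indent=2))
    except urllib.error.HTTPError as e:
        # A 403 here means the token lacks RoleManagement.ReadWrite.Directory
        # or the calling identity is not allowed to manage role assignments.
        print(e.code, e.read().decode())
```

    Because the body is built separately from the HTTP call, the request can be reviewed (and the IDs validated) before any token is spent; swapping in a different built-in role means changing only role_definition_id.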
    • Yoann
      Copper Contributor
      The question is exactly that: why do customers need a Paid Subscription to assign a role to an app (which will not be invoiced) when they are supposed to have a Free Subscription for all Entra-related access?

      It really looks like a bug to me.
