I am trying to grant admin consent in a B2C tenant by logging in as an SPN, but the error always shows as 404 Not Found.

```powershell
# Define variables
$clientId = "xxxx"
$resourceId = "xxx"
$scope = "Group.ReadWrite.All"
$principalId = ''   # value redacted in the post

# Log in as the service principal and get a Microsoft Graph token
$azLoginResult = az login --service-principal --username $clientId --password="$clientSecret" --tenant $tenantId --allow-no-subscriptions
$accessToken = (az account get-access-token --resource https://graph.microsoft.com | ConvertFrom-Json).accessToken

# Define the request body
$body = @{
    principalId = $principalId
    appRoleId   = "7427e0e9-2fba-42fe-b0c0-848c9e6a8182"
    resourceId  = $resourceId
    scope       = $scope
} | ConvertTo-Json -Depth 10

# Define the headers
$headers = @{
    Authorization  = "Bearer $accessToken"
    "Content-Type" = "application/json"
}

# Make the POST request
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$principalId/appRoleAssignedTo" `
    -Method Post `
    -Headers $headers `
    -Body $body
```

The principal ID I tried to use is the SPN object ID; this is actually worrying, and the error varies from time to time.

Do we have any solution to fix this?
asked Mar 31 at 20:59 by GUNDRAJU KRUPA VANI; edited Apr 1 at 3:30 by Rukmini

Comments:
- What is the resource ID you are passing? – Rukmini, Apr 1 at 3:31
- Any update on the issue? – Rukmini, commented yesterday
1 Answer

Note that the application you are using to log in to Azure must be assigned one of the roles such as Global Administrator, Privileged Role Administrator or Application Administrator.

I created an Admin app to which I have assigned the Global Administrator role:

To grant admin consent to an application-type API permission, check the below:

Make use of the below PowerShell script:
```powershell
# Log in using service principal
az login --service-principal --username "AdminAppClientID" --password "AdminAppClientSecret" --tenant "TenantID" --allow-no-subscriptions

# Get the access token using Azure CLI
$accesstoken = (az account get-access-token --resource https://graph.microsoft.com | ConvertFrom-Json).accessToken

# Define the URI for the API request
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/PermissionAppSPObjID/appRoleAssignedTo"

# Set up the headers, including the Authorization header with the access token
$headers = @{
    "Authorization" = "Bearer $accesstoken"
    "Content-Type"  = "application/json"
}

# Define the body of the request
$body = @{
    "principalId" = "PermissionAppSPObjID"
    "resourceId"  = "ResourceIDofGraphApp"
    "appRoleId"   = "62a82d76-70ea-41e2-9197-370581804d09"  # Permission ID
} | ConvertTo-Json

# Make the POST request to Microsoft Graph API and store the response
$response = Invoke-RestMethod -Uri $uri -Method Post -Headers $headers -Body $body

# Output the response (optional, you can comment this out if not needed)
$response
```
Admin consent granted successfully for the application permission Group.ReadWrite.All:
To grant admin consent to delegated API permissions, check the below:
```powershell
# Log in using service principal
az login --service-principal --username "AdminAppClientID" --password "AdminAppClientSecret" --tenant "TenantID" --allow-no-subscriptions

# Get the access token using Azure CLI for Microsoft Graph
$accesstoken = (az account get-access-token --resource https://graph.microsoft.com | ConvertFrom-Json).accessToken

# Define the URI for the API request
$uri = "https://graph.microsoft.com/v1.0/oauth2PermissionGrants"

# Set up the headers, including the Authorization header with the access token
$headers = @{
    "Authorization" = "Bearer $accesstoken"
    "Content-Type"  = "application/json"
}

# Define the body of the request
$body = @{
    "clientId"    = "PermissionAppSPObjID"
    "consentType" = "AllPrincipals"
    "resourceId"  = "ResourceIDofGraphApp"
    "scope"       = "offline_access"
} | ConvertTo-Json

# Make the POST request to Microsoft Graph API and store the response
$response = Invoke-RestMethod -Uri $uri -Method Post -Headers $headers -Body $body

# Output the response (optional)
$response
```
Admin consent granted successfully for delegated API permission:
Make sure you are passing the values correctly in the request:

- Principal ID / PermissionAppSPObjID is the service principal object ID of the Permission app.
- resourceId is the resource ID of the Microsoft Graph API, which you can get from:
  https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq 'Microsoft Graph'&$select=id,displayName,appId,appRoles
- appRoleId is the permission GUID of the API permission; you can search for the API permission in the response of the same query.
Reference:
Can a service principal or azure app admin consent an external multi tenant app registration? - Stack Overflow by me
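As an added example (not code from the question or the answer above), the following PowerShell resolves the three IDs the answer says must be correct by querying Graph rather than pasting them by hand, and only posts the assignment when it does not already exist. It assumes `az login` as the admin app has already succeeded; the parameter names and the `Get-GraphValue` helper are assumptions of this example.

```powershell
# Added example: look up resourceId, appRoleId and principalId from Graph, then grant
# an application permission idempotently. Assumes a prior 'az login' as an admin app.
param(
    [Parameter(Mandatory)][string]$PermissionAppId,       # appId (client ID) of the app to be granted
    [string]$PermissionValue = "Group.ReadWrite.All"      # application permission name on Microsoft Graph
)
$ErrorActionPreference = "Stop"
$graph = "https://graph.microsoft.com/v1.0"
$token = (az account get-access-token --resource https://graph.microsoft.com | ConvertFrom-Json).accessToken
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }

# Helper (assumed name): GET a Graph collection and return its 'value' array
function Get-GraphValue([string]$Uri) { (Invoke-RestMethod -Uri $Uri -Headers $headers -Method Get).value }

# 1. resourceId: service principal object ID of Microsoft Graph in this tenant
#    (00000003-0000-0000-c000-000000000000 is the well-known Microsoft Graph appId)
$graphSp = Get-GraphValue "$graph/servicePrincipals?`$filter=appId eq '00000003-0000-0000-c000-000000000000'&`$select=id,appRoles" | Select-Object -First 1
if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant" }

# 2. appRoleId: GUID of the application permission, found by name instead of hard-coded
$role = $graphSp.appRoles | Where-Object { $_.value -eq $PermissionValue -and $_.allowedMemberTypes -contains "Application" }
if (-not $role) { throw "Application permission '$PermissionValue' not found on Microsoft Graph" }

# 3. principalId: service principal OBJECT ID of the app being granted (not its appId);
#    an empty or wrong ID here produces the 404 seen in the question
$appSp = Get-GraphValue "$graph/servicePrincipals?`$filter=appId eq '$PermissionAppId'&`$select=id,displayName" | Select-Object -First 1
if (-not $appSp) { throw "No service principal for appId $PermissionAppId; create one before granting consent" }

# 4. Idempotency check: skip the POST if this assignment already exists
$existing = Get-GraphValue "$graph/servicePrincipals/$($appSp.id)/appRoleAssignments" |
    Where-Object { $_.appRoleId -eq $role.id -and $_.resourceId -eq $graphSp.id }
if ($existing) { Write-Output "Already granted: $PermissionValue to $($appSp.displayName)"; return }

# 5. Grant: POST to the resource (Graph) service principal's appRoleAssignedTo
$body = @{ principalId = $appSp.id; resourceId = $graphSp.id; appRoleId = $role.id } | ConvertTo-Json
$grant = Invoke-RestMethod -Uri "$graph/servicePrincipals/$($graphSp.id)/appRoleAssignedTo" -Method Post -Headers $headers -Body $body
Write-Output "Granted $PermissionValue to $($appSp.displayName): assignment id $($grant.id)"
```

Because every ID comes from a Graph query, a missing service principal or a misspelled permission name fails with a clear message before any POST is made, instead of a bare 404.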