So I am attempting to add a new App Role to my Azure Active Directory App.
Please note that in my Azure AD app's API Permissions, I added Read/Write permissions under User, Files, Role Management and Application.
My code is:
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;

public async Task<string> TestAsync()
{
    // App-only (client credentials) flow: request the .default scope so the token
    // carries every application permission that has been admin-consented.
    var scopes = new[] { "https://graph.microsoft.com/.default" };
    string clientId = "....";
    string tenantId = "....";
    string clientSecret = "...."; // Value and not Id (load from a secret store rather than hard-coding)
    string objectId = "....";     // Object ID of the application registration, not the app (client) ID
    var options = new TokenCredentialOptions
    {
        AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
    };
    var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
    var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

    var requestBody = new Application
    {
        AppRoles = new List<AppRole>
        {
            new AppRole
            {
                AllowedMemberTypes = new List<string>
                {
                    "User",
                    "Application",
                },
                Description = "TestRole1",
                DisplayName = "TestRole1",
                Id = Guid.NewGuid(),
                IsEnabled = true,
                Origin = "Application",
                Value = "test.write",
            }
        }
    };
    var result = await graphClient.Applications[objectId].PatchAsync(requestBody);
    return "role added!";
}
But the code throws this exception, and the inner exception is null: "Exception of type 'Microsoft.Graph.Models.ODataErrors.ODataError' was thrown".
What am I missing?
Initially when I tried the same code, I got the same error as below:
To find the details of the Microsoft.Graph.Models.ODataErrors.ODataError, modify the code by using try and catch to capture the error like below:
using System;
using System.Collections.Generic;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors; // needed for the ODataError catch below

var scopes = new[] { "https://graph.microsoft.com/.default" };
var clientId = "ClientID";
var tenantId = "TenantID";
var clientSecret = "ClientSecret";
var objectId = "ObjectID";
var options = new TokenCredentialOptions
{
    AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
};
var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

var requestBody = new Application
{
    AppRoles = new List<AppRole>
    {
        new AppRole
        {
            AllowedMemberTypes = new List<string>
            {
                "User",
                "Application",
            },
            Description = "TestRole1",
            DisplayName = "TestRole1",
            Id = Guid.NewGuid(),
            IsEnabled = true,
            Origin = "Application",
            Value = "test.write",
        }
    }
};

try
{
    var result = await graphClient.Applications[objectId].PatchAsync(requestBody);
}
catch (ODataError odataError)
{
    // The Graph SDK wraps the service response in ODataError; the useful
    // details (e.g. Authorization_RequestDenied) live in the Error property.
    Console.WriteLine(odataError.Error?.Code);
    Console.WriteLine(odataError.Error?.Message);
    throw;
}
Console.WriteLine("role added");
Now, I got the error details:
Note that to create the app role, you must grant the Application.ReadWrite.All application API permission to the Azure AD application.
To resolve the error, in my case I granted API permissions:
I am able to create the app role successfully:
In the Azure Portal:
The error might occur if you are passing an invalid client id or object id, or if the app has insufficient permission to perform the action.
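As an added example that is not the asker's or the answerer's code, the following shows the two checks a practitioner would want before issuing the PATCH: inspecting the app-only token's roles claim to confirm Application.ReadWrite.All was actually granted and consented (so a permission problem is reported clearly instead of as a bare ODataError), and reading the existing application first, which both validates the object id and preserves the roles already defined, since a PATCH on appRoles replaces the whole collection rather than appending to it. The class and method names (AppRoleAdder, AddAppRoleAsync, AppRolesInToken) and the placeholder tenant/client/object ids are my assumptions; the Graph SDK v5 and Azure.Identity calls are real.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;

// Hypothetical helper (not part of the Graph SDK). Usage:
//   await AppRoleAdder.AddAppRoleAsync("<tenant-id>", "<client-id>", "<client-secret>", "<app-object-id>", "test.write");
public static class AppRoleAdder
{
    // Decode the JWT payload locally and return the application permissions in its "roles" claim.
    // This only reads a token we just obtained for ourselves; it does not validate the signature.
    public static IReadOnlyList<string> AppRolesInToken(string jwt)
    {
        var payload = jwt.Split('.')[1]
            .Replace('-', '+').Replace('_', '/');                         // base64url -> base64
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        if (!doc.RootElement.TryGetProperty("roles", out var roles))
            return Array.Empty<string>();
        return roles.EnumerateArray().Select(r => r.GetString() ?? string.Empty).ToList();
    }

    public static async Task AddAppRoleAsync(string tenantId, string clientId, string clientSecret,
                                             string objectId, string roleValue)
    {
        var scopes = new[] { "https://graph.microsoft.com/.default" };
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

        // Check 1: does the app-only token actually carry Application.ReadWrite.All?
        // If the permission was added in the portal but never admin-consented, it will be absent here.
        var token = await credential.GetTokenAsync(new TokenRequestContext(scopes), CancellationToken.None);
        var granted = AppRolesInToken(token.Token);
        if (!granted.Contains("Application.ReadWrite.All"))
        {
            throw new InvalidOperationException(
                "Token lacks Application.ReadWrite.All; roles present: [" + string.Join(", ", granted) + "]. " +
                "Grant the permission and admin-consent it before retrying.");
        }

        var graphClient = new GraphServiceClient(credential, scopes);
        try
        {
            // Check 2: read the application first. A wrong objectId fails here with a clear
            // Request_ResourceNotFound, and we get the current roles to merge with.
            var app = await graphClient.Applications[objectId].GetAsync(
                cfg => cfg.QueryParameters.Select = new[] { "id", "appRoles" });
            var roles = app?.AppRoles ?? new List<AppRole>();

            // Role values must be unique per application; skip if it is already defined.
            if (roles.Any(r => string.Equals(r.Value, roleValue, StringComparison.OrdinalIgnoreCase)))
            {
                Console.WriteLine($"Role '{roleValue}' already exists; nothing to do.");
                return;
            }

            roles.Add(new AppRole
            {
                AllowedMemberTypes = new List<string> { "User", "Application" },
                Description = $"Role {roleValue}",
                DisplayName = roleValue,
                Id = Guid.NewGuid(),
                IsEnabled = true,
                Value = roleValue,
            });

            // PATCH replaces the appRoles collection, so send existing roles plus the new one.
            await graphClient.Applications[objectId].PatchAsync(new Application { AppRoles = roles });
            Console.WriteLine($"Role '{roleValue}' added; application now defines {roles.Count} role(s).");
        }
        catch (ODataError e)
        {
            // Surface the service-side code/message instead of the opaque outer exception.
            Console.WriteLine($"Graph error {e.Error?.Code}: {e.Error?.Message}");
            throw;
        }
    }
}
```

The token inspection is a cheap local check: an app-only token issued for the .default scope lists every consented application permission in its roles claim, so an empty or incomplete list points straight at a missing grant or missing admin consent rather than at the code. Reading the application before patching matters for a different reason: sending only the new role in the PATCH body silently removes every role the application already had.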