I am investigating the Microsoft Graph PowerShell module and encountered the New-MgServicePrincipalAppRoleAssignment cmdlet. There are two very similar parameters, ServicePrincipalId and PrincipalId. All the examples that I found use the same value for both parameters. I cannot figure out when these parameters would have different values; maybe someone could help with it?
Note that the ServicePrincipalId is the object Id of the service principal, and the PrincipalId can be the ID of the user, security group, or service principal that is being granted the role.

The ServicePrincipalId and the PrincipalId are the same when you are granting permission to the service principal itself, like below:
Connect-MgGraph
$params = @{
    principalId = "ServicePrincipalObjectID"   # the service principal receiving the role
    resourceId  = "MicrosoftGraphObjectID"     # object id of the Microsoft Graph service principal in this tenant
    appRoleId   = "5b567255-7703-4780-807c-7be8301ae99b"   # Group.Read.All application permission
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "ServicePrincipalObjectID" -BodyParameter $params
Here the PrincipalType is ServicePrincipal.

This script granted the Group.Read.All API permission to the service principal:
The ServicePrincipalId and the PrincipalId differ when you are granting the app role to a user or group:
Connect-MgGraph
$params = @{
    principalId = "UserObjectID"   # the user receiving the role
    resourceId  = "ResourceID"     # object id of the service principal that defines the role
    appRoleId   = "AppRoleID"      # id of the app role on that resource
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "ServicePrincipalObjectID" -BodyParameter $params
Here the PrincipalType is User.

The app role granted to the user:
Reference:
New-MgServicePrincipalAppRoleAssignment (Microsoft.Graph.Applications) | Microsoft