Tags: azure, powershell, sharepoint, permissions, microsoft-graph-sdks

"Role assignment is not supported" when assigning a Service Principal to SharePoint Administrator role on Microsoft Graph


I want to assign my App (Service) Principal to the SharePoint Administrator role in Microsoft Entra ID, because my application writes temporary (meta)data on the SharePoint side, as shown here:

// CSOM: set a property on the web's property bag and push the change to SharePoint
web.AllProperties["name"] = "value";
web.Update();
ctx.ExecuteQuery();

I am using the following PowerShell snippet, which is throwing the "Role assignment is not supported" error:

Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.Governance -Force

Connect-MgGraph -Scopes @(
    "AppRoleAssignment.ReadWrite.All"
    "Application.ReadWrite.All"
    "Directory.ReadWrite.All")

$appId = "my-app-id-comes-here"

# Resolve the service principal (enterprise app) that belongs to the app registration
$servicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$appId'"

# Request a PIM eligibility for the SharePoint Administrator role (template ID f28a1f50-...)
$params = @{
    Action            = "SelfActivate"
    Justification     = "For writing metadata to SharePoint tenant settings"
    DirectoryScopeId  = "/"
    PrincipalId       = $servicePrincipal.Id
    RoleDefinitionId  = "f28a1f50-f6e7-4571-818b-6a12f2af6b6c"
    ScheduleInfo      = @{
        "StartDateTime" = [System.DateTime]::Now.AddSeconds(10)
        "Expiration"    = @{
            "Type" = "NoExpiration"
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest @params

I also tried the Object ID of the App (Service) Principal instead of $servicePrincipal.Id, and the error message changes to "The subject is not found".


Solution


    When I tried to assign the SharePoint Administrator role to a Service Principal, I encountered the same error.

    Alternatively, you can assign the SharePoint Administrator role to a Service Principal using the PowerShell script below.

        Connect-MgGraph -Scopes @(
            "AppRoleAssignment.ReadWrite.All"
            "Application.ReadWrite.All"
            "Directory.ReadWrite.All")
        $appId = "bf7e17bd-xxxxxxxxxxxxxxxxxx"
        $servicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$appId'"

        # Look up the role definition by display name
        $roledefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'SharePoint Administrator'"

        # Create a permanent, active assignment at tenant scope ('/') instead of a PIM eligibility request
        $roleassignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roledefinition.Id -PrincipalId $servicePrincipal.Id
    

    After running the script, the SharePoint Administrator role was assigned to the Service Principal successfully.
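The accepted approach above creates a permanent active assignment with New-MgRoleManagementDirectoryRoleAssignment rather than a PIM eligibility (which is what the question's New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest call attempts). The script below is an added example, not code from the question or the answer: it makes the assignment idempotent (no duplicate assignment when re-run), resolves the role by its template ID from the question rather than a localizable display name, and then lists every principal that holds SharePoint Administrator at any scope, so a reviewer can see which workload identities carry the role. The scopes RoleManagement.ReadWrite.Directory and Application.Read.All are the least-privilege scopes for this task; $appId is a placeholder to be replaced.

```powershell
# Added example (not from the original question or answer).
# Assumes Microsoft.Graph.Authentication, Microsoft.Graph.Applications,
# Microsoft.Graph.Identity.Governance and Microsoft.Graph.DirectoryObjects are installed.
Connect-MgGraph -Scopes @(
    "RoleManagement.ReadWrite.Directory"   # read/write directory role assignments
    "Application.Read.All"                 # resolve the service principal by appId
)

$appId = "00000000-0000-0000-0000-000000000000"   # placeholder: your application (client) ID

# SharePoint Administrator template ID (from the question). Filtering client-side on
# TemplateId avoids depending on the display name, which can be localized.
$roleTemplateId = "f28a1f50-f6e7-4571-818b-6a12f2af6b6c"
$role = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.TemplateId -eq $roleTemplateId }
if (-not $role) { throw "Role definition with template $roleTemplateId not found" }

$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

# Fetch current assignments for this role once; reuse them for the idempotency check and the audit
$filter = "roleDefinitionId eq '$($role.Id)'"
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All

$existing = $assignments | Where-Object { $_.PrincipalId -eq $sp.Id }
if ($existing) {
    Write-Host "Service principal already holds the role (assignment $($existing.Id))"
} else {
    $new = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' `
        -RoleDefinitionId $role.Id -PrincipalId $sp.Id
    Write-Host "Created assignment $($new.Id)"
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All
}

# Audit: every principal holding SharePoint Administrator. Service principals stand out because
# they authenticate with a secret or certificate, not an interactive, MFA-protected sign-in.
$principals = Get-MgDirectoryObjectById -Ids @($assignments.PrincipalId)
$report = foreach ($a in $assignments) {
    $p = $principals | Where-Object { $_.Id -eq $a.PrincipalId }
    [pscustomobject]@{
        Principal    = $p.AdditionalProperties['displayName']
        Type         = ($p.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        Scope        = $a.DirectoryScopeId     # '/' means tenant-wide
        AssignmentId = $a.Id
    }
}
$report | Sort-Object Type, Principal | Format-Table -AutoSize
```

Re-running the script is safe: the idempotency check means a second run only prints the audit table. The Type column comes from the @odata.type of each directory object, so servicePrincipal entries are easy to spot among user and group holders of the role.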