Tim Liberty

Reputation: 2149

Trying to add an AppRoleAssignment

I am trying to add an AppRoleAssignment using this code:

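    AppRoleAssignment objAppRoleAssignment = new AppRoleAssignment();

    // All-zero GUID: the default role, used because no app roles are defined
    objAppRoleAssignment.Id = Guid.Parse("00000000-0000-0000-0000-000000000000");
    // "ServicePrincipalID" is a placeholder for the service principal's GUID
    objAppRoleAssignment.ResourceId = Guid.Parse("ServicePrincipalID");
    objAppRoleAssignment.PrincipalType = "User";
    objAppRoleAssignment.PrincipalId = Guid.Parse(user.ObjectId);

    // Attach the assignment to the user and save it through the SDK
    user.AppRoleAssignments.Add(objAppRoleAssignment);

    await user.UpdateAsync();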

I don't have any roles, so I am specifying the default 00000000-0000-0000-0000-000000000000 role, but I get this error:

{"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"One or more properties are invalid."},"values":null}}

Upvotes: 1

Views: 808

Answers (1)

Saca

Reputation: 10662

The way you are doing it is correct. There seem to be two bugs in place that make it seem like your change isn't being saved.

  1. The very first time you run this (the app role assignment doesn't exist), even though the request actually succeeds and indeed creates the app role assignment, the SDK will error out because the app role assignment in the response has a null id value, which causes it to throw the following exception:

A null value was found for the property named 'id', which has the expected type 'Edm.Guid[Nullable=False]'. The expected type 'Edm.Guid[Nullable=False]' does not allow null values.

  2. If you then retry (once the app role assignment is created), you'll now get the error you've shared, which is quite misleading, since the problem isn't that you've got bad values but rather that you're trying to create an appRoleAssignment for a Resource + Principal that already has one. You can confirm this is the case by querying (directly or via https://graphexplorer.cloudapp.net) the following:

https://graph.windows.net/[yourtenant]/servicePrincipals/[ResourceID]/appRoleAssignedTo

or

https://graph.windows.net/[yourtenant]/users/[PrincipalID]/appRoleAssignments

We're looking into correcting this issue, but in the interim your options are to either swallow the exception in #1 or not use the SDK and manually craft your post request to appRoleAssignments.

Upvotes: 1
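An added example, not part of the original answer or of the SDK: one way to apply the answer's second workaround (a hand-built POST to appRoleAssignments), after first checking the principal's existing assignments so that the misleading `Request_BadRequest` on a duplicate is avoided instead of exceptions being swallowed blindly. The tenant name, GUIDs, token placeholder, the `api-version` value and the camelCase JSON field names (mirroring the properties in the question's code) are assumptions, and the list response is constructed.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;

static class AppRoleAssignmentHelper
{
    // True when the list from /users/[PrincipalID]/appRoleAssignments already pairs principal and resource.
    public static bool AlreadyAssigned(string listJson, Guid principalId, Guid resourceId)
    {
        using JsonDocument doc = JsonDocument.Parse(listJson);
        if (!doc.RootElement.TryGetProperty("value", out JsonElement items)
            || items.ValueKind != JsonValueKind.Array) return false;
        foreach (JsonElement item in items.EnumerateArray())
            if (GuidOf(item, "principalId") == principalId && GuidOf(item, "resourceId") == resourceId)
                return true;
        return false;
    }

    // Reads a GUID-valued string property; null when missing or malformed.
    static Guid? GuidOf(JsonElement item, string name) =>
        item.ValueKind == JsonValueKind.Object && item.TryGetProperty(name, out JsonElement v)
            && v.ValueKind == JsonValueKind.String
            && Guid.TryParse(v.GetString(), out Guid g) ? g : (Guid?)null;

    // Hand-built POST to appRoleAssignments, bypassing the SDK (field names are assumptions).
    public static HttpRequestMessage BuildCreateRequest(string tenant, string apiVersion,
        string accessToken, Guid principalId, Guid resourceId, Guid roleId)
    {
        var request = new HttpRequestMessage(HttpMethod.Post,
            $"https://graph.windows.net/{tenant}/users/{principalId}/appRoleAssignments?api-version={apiVersion}");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        string body = JsonSerializer.Serialize(new { id = roleId, principalId, resourceId });
        request.Content = new StringContent(body, Encoding.UTF8, "application/json");
        return request;
    }

    static void Main()
    {
        var principal = Guid.Parse("11111111-1111-1111-1111-111111111111"); // constructed
        var resource = Guid.Parse("22222222-2222-2222-2222-222222222222");  // constructed
        string existing = "{\"value\":[{\"id\":\"" + Guid.Empty + "\",\"principalType\":\"User\"," +
            "\"principalId\":\"" + principal + "\",\"resourceId\":\"" + resource + "\"}]}"; // constructed
        foreach (string listJson in new[] { "{\"value\":[]}", existing })
        {
            if (AlreadyAssigned(listJson, principal, resource)) { Console.WriteLine("exists, skip POST"); continue; }
            using HttpRequestMessage req = BuildCreateRequest("example.onmicrosoft.com", "1.6",
                "<access-token>", principal, resource, Guid.Empty); // Guid.Empty = default role
            Console.WriteLine($"{req.Method} {req.RequestUri}");
        }
    }
}
```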
