Microsoft Azure Graph API - AppRoleAssignedTo not

2019-07-27 13:40发布

I have searched for an answer to this, but don't seem to be finding a reliable answer.

I am attempting to delete an application (servicePrincipal) in our tenant through the Graph API. I have all of the code (Java) to get my access token, make a call to /servicePrincipals, and then use that information to retrieve each servicePrincipal's appRoleAssignments. That is working.

The problem is that the Graph API and the Azure AD Graph API seem to behave differently. I was initially using the AAD Graph API, but am transitioning to use the Graph API. Here is the problem that I am seeing:

When using AAD Graph API, I do

https://graph.windows.net/[tenant-domain]/servicePrincipals/[service-principal-guid]?api-version=1.6

and get back what I expect. I then do

https://graph.windows.net/[tenant-domain]/servicePrincipals/[service-principal-guid]/appRoleAssignedTo?api-version=1.6

and get back

{
  "odata.metadata": "https://graph.windows.net/[tenant-name]/$metadata#directoryObjects/Microsoft.DirectoryServices.AppRoleAssignment",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.AppRoleAssignment",
      "objectType": "AppRoleAssignment",
      "objectId": "[removed]",
      "deletionTimestamp": null,
      "creationTimestamp": null,
      "id": "[removed]",
      "principalDisplayName": "ManuallyAdded",
      "principalId": "[removed]",
      "principalType": "Group",
      "resourceDisplayName": "Box",
      "resourceId": "[removed]"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.AppRoleAssignment",
      "objectType": "AppRoleAssignment",
      "objectId": "[removed]",
      "deletionTimestamp": null,
      "creationTimestamp": null,
      "id": "[removed]",
      "principalDisplayName": "TestGroup",
      "principalId": "[removed]",
      "principalType": "Group",
      "resourceDisplayName": "Box",
      "resourceId": "[removed]"
    }
  ]
}

Then I switch the the Graph API and do

https://graph.microsoft.com/beta/[tenant-domain]/servicePrincipals/[service-principal-guid]

and get back the same results as the AAD Graph API. But now, when I do

https://graph.microsoft.com/beta/[tenant-domain]/servicePrincipals/[service-principal-guid]/appRoleAssignedTo

I always get back

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#appRoleAssignments",
    "value": []
}

As you can see above, I am using the beta version of the Graph API and AAD Graph API version 1.6. Am I missing something? Is there a bug in the beta?

As a side note, I am looking to

https://github.com/microsoftgraph/microsoft-graph-docs/tree/master/api-reference/beta/api as a reference for the beta API and seem to be following what it says, specifically,

https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/api-reference/beta/api/approleassignment_get.md.

I think there is a typo in there at the bottom for the https://graph.microsoft.com/beta/appRoleAssignments/[id] example.

Thanks!

Brian

1条回答
叛逆
2楼-- · 2019-07-27 14:21

Thanks for reporting this issue. I've filed a bug internally to investigate and fix this issue. Please feel free to file a doc issue on GitHub. Will report back when we have a fix deployed.

查看更多
登录 后发表回答