Azure AD application created using Graph API needs first to be updated through the portal to work


  • Hello,
    I'm currently trying to automate the creation of an Azure AD application using PowerShell / the Azure Graph API.

    The provisioning works fine. But when I go back to the Azure management portal and try from another application to grant access to my newly created application, it's just not showing up in the list.

    I first need to change anything in my new application, save my change, and only then am I able to grant the required permissions. I can revert my changes; it will still work.
    I've compared the manifest files before and after saving my changes, but there is no difference.

    I've searched on the internet for a solution, and I've started looking at setting up the right AppRoleAssignment for my new service principal, because this is indeed something that is not done automatically when creating a new service principal using PowerShell.

    When creating my application, I'm doing the following:

    - New-AzureRmADApplication to create the AD application
    - Set up the RequiredResourceAccess for the application using the Graph API:
        resourceAppId = "00000002-0000-0000-c000-000000000000"  # Microsoft.Azure.ActiveDirectory Application ID
        id            = "5778995a-e1bf-45b8-affa-663a9f3f4d04"  # Directory.Read
        type          = "Role"
    - Create a service principal for the application using:
        New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
    - Add AppRoleAssignments to the service principal using the Graph API:
        id          = "5778995a-e1bf-45b8-affa-663a9f3f4d04"  # Directory.Read
        principalId = $spId
        resourceId  = "10a63753-8584-4f82-832d-85b4c1e7a505"  # Microsoft.Azure.ActiveDirectory ObjectID

    Everything works fine; using Graph API Explorer I can see the role has been added to my new ServicePrincipal using "$tenantid/servicePrincipals/" + $spId + "/appRoleAssignments?api-version=1.6".
    I can also check that the role has been assigned to the Microsoft.Azure.ActiveDirectory SP using: $tenantid/servicePrincipals/10a63753-8584-4f82-832d-85b4c1e7a505/appRoleAssignedTo?api-version=1.6

    But still, I can't grant permissions until I save my new application using the management portal. Is there any API call I am missing?

    Thanks in advance,


    Monday, March 20, 2017 10:13 AM
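The four provisioning steps listed in the question, written out as one script against the Azure AD Graph API (api-version=1.6). This is an added example, not code from the original post: it assumes the AzureRm module is loaded and logged in, that $graphToken is a bearer token for graph.windows.net obtained separately, and that the tenant id, display name and identifier URI are placeholders. It differs from the question in two practical ways: the objectId of the Microsoft.Azure.ActiveDirectory service principal is looked up rather than hard-coded (it differs per tenant), and the script waits for the new service principal to become visible in Graph before assigning the role, since the replies report a delay of a few minutes.

```powershell
# Added example (not from the original post). Assumed: AzureRm loaded, Login-AzureRmAccount done,
# $graphToken is a bearer token for https://graph.windows.net obtained separately, and the
# tenant id, display name and identifier URI below are placeholders.
$tenantId   = "<tenant-id>"
$graphToken = "<bearer-token-for-graph.windows.net>"
$graph      = "https://graph.windows.net/$tenantId"
$headers    = @{ Authorization = "Bearer $graphToken"; "Content-Type" = "application/json" }

$aadAppId    = "00000002-0000-0000-c000-000000000000"   # Microsoft.Azure.ActiveDirectory
$dirReadRole = "5778995a-e1bf-45b8-affa-663a9f3f4d04"   # Directory.Read application role

# 1. Create the AD application.
$app = New-AzureRmADApplication -DisplayName "contoso-automation" `
           -IdentifierUris "https://contoso.example/automation"

# 2. Declare the required resource access (requiredResourceAccess in the manifest).
$required = @{ requiredResourceAccess = @(@{
    resourceAppId  = $aadAppId
    resourceAccess = @(@{ id = $dirReadRole; type = "Role" })
}) }
Invoke-RestMethod -Method Patch -Headers $headers `
    -Uri "$graph/applications/$($app.ObjectId)?api-version=1.6" `
    -Body ($required | ConvertTo-Json -Depth 5)

# 3. Create the service principal, then wait until Graph actually returns it
#    (the replies in this thread report a delay of a few minutes).
$sp    = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
$spUri = "$graph/servicePrincipals/$($sp.Id)?api-version=1.6"
for ($i = 0; $i -lt 30; $i++) {
    try   { Invoke-RestMethod -Method Get -Headers $headers -Uri $spUri | Out-Null; break }
    catch { Start-Sleep -Seconds 10 }
}

# 4. Resolve the directory's own service principal (its objectId is tenant-specific)
#    and grant the Directory.Read app role to the new service principal.
$aadSp = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri ($graph + '/servicePrincipals?api-version=1.6&$filter=appId eq ''' + $aadAppId + '''')
$assignment = @{ id = $dirReadRole; principalId = $sp.Id; resourceId = $aadSp.value[0].objectId }
Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$graph/servicePrincipals/$($sp.Id)/appRoleAssignments?api-version=1.6" `
    -Body ($assignment | ConvertTo-Json)

# 5. Verify the assignment is listed on the new service principal.
(Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$graph/servicePrincipals/$($sp.Id)/appRoleAssignments?api-version=1.6").value |
    Select-Object id, principalDisplayName, resourceDisplayName
```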

All replies

  • It seems to me that you have done everything. I have noticed a slight delay between creating the Application and ServicePrincipal objects before they can be used. 2-5 minutes is my experience.

    I wanted to add the ServicePrincipal to the DirectoryReaders role. I experienced that the DirectoryReaders role template had not been enabled in some directories. That had to be added to the DirectoryRoles collection before I could add the SP to the role.

    Monday, March 20, 2017 12:56 PM
  • Hello Rasmus,

    Thanks for your reply; your post on Stack Overflow already helped me a lot.

    Just a small update:

    Until now I was only using portal v1 for Azure Active Directory related tasks.

    But if I go to the 'new' portal, there I can see my new application and I can select it, but for some reason, hopefully a temporary issue, I can't select/assign any permissions (there is a rainy cloud instead). AD is still in preview, so I'm not sure this is yet the best option...

    There is anyway a different behavior when using one portal or the other...


    Monday, March 20, 2017 3:39 PM