Missing scope LicenseAssignment.Read.All in Azure Portal

[Zoddo]

Describe the bug

Trying to use Get-MgSubscribedSku through an unattended application, I wanted to add the LicenseAssignment.Read.All scope to my app registration.

However, the scope doesn't appear in the Azure Portal (neither as Application or Delegated permissions):

The scope does however exist in the backend, because if I do an interactive login with Connect-MgGraph -Scope LicenseAssignment.Read.All, I'm correctly prompted to approve the scope, and it appears in the "User consent" section of the enterprise application (as Delegated, of course).

Expected behavior

I can add the LicenseAssignment.Read.All scope as an Application's permission in the app registration, and grant an admin consent

How to reproduce

1. Create an app registration on the Azure Portal
2. Try to add the LicenseAssignment.Read.All scope on the Microsoft Graph API
3. The scope isn't shown.

SDK Version

N/A

Latest version known to work for scenario above?

No response

Known Workarounds

I haven't found any workaround. I wanted to manually add the scope in the manifest, but I wasn't able to find the role ID to use.

Debug output

No response

Configuration

No response

Other information

No response

[Zoddo]

I managed to find the role ID for LicenseAssignment.Read.All:

e2f98668-2877-4f38-a2f4-8202e0717aa1

I can manually add it in the manifest, then do an admin consent from the enterprise application (the button in the app registration itself break due to the ""unkonwn"" role), and that worked.

At least I have a workaround that don't require to give write access to all licence assignments to my app.

Microsoft should probably still add the scope to the portal's list so it can be added through normal, supported means.

[wUEZRs]

Stumbled upon this as we ran the below line towards our Graph app.

(Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'").AppRoles | Select-Object Id, Value, Description

We found LicenseAssignment.ReadWrite.All but not just Read? We cannot use write in this per least privilege management.
When testing more we can also assign ReadWrite as such:

$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$Permission = $graph.AppRoles `
    | where Value -Like "LicenseAssignment.ReadWrite.All" `
    | Select-Object -First 1
$msi = Get-AzureADServicePrincipal -ObjectId (redacted)
New-AzureADServiceAppRoleAssignment `
    -Id $Permission.Id `
    -ObjectId $msi.ObjectId `
    -PrincipalId $msi.ObjectId `
    -ResourceId $graph.ObjectId

Replacing ReadWrite with Read returns the error:

New-AzureADServiceAppRoleAssignment : Cannot bind argument to parameter 'Id' because it is null.
At line:8 char:9
+     -Id $Permission.Id `
+         ~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [New-AzureADServiceAppRoleAssignment], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment

[timayabi2020]

Hi @Zoddo thank you for logging this issue. Are you the administrator of that tenant? If not, is the administrator able to see the scope?
Also, since we only resolve Microsoft Graph PowerShell SDK related issues, we may not be best placed to respond to Azure issues because of lack of proper visibility. I would therefore advice you to raise the issue via support and troubleshooting section availed to you in the portal.

You can also raise the issue here https://developer.microsoft.com/en-us/graph/support so that it can be escalated to the relevant team.

[wUEZRs]

I contacted MS Support and they told me the documentation at https://learn.microsoft.com/en-us/graph/api/subscribedsku-list?view=graph-rest-1.0&tabs=http is false, and that Read.Write is the only API available at this time.

They will update the documentation with this info soon™️

[Zoddo]

Are you the administrator of that tenant? If not, is the administrator able to see the scope?

Yes, I'm global admin

I would therefore advice you to raise the issue via support and troubleshooting section availed to you in the portal.

You can also raise the issue here https://developer.microsoft.com/en-us/graph/support so that it can be escalated to the relevant team.

Thanks, I'll try to get the issue escalated through the support or the Q&A.

I contacted MS Support and they told me the documentation [...] is false, and that Read.Write is the only API available at this time.

This is definitely false, considering that Connect-MgGraph -Scope LicenseAssignment.Read.All work as expected, and you can also assign it manually by editing the manifest (see my workaround on my first comment)

[wUEZRs]

I contacted MS Support and they told me the documentation [...] is false, and that Read.Write is the only API available at this time.

This is definitely false, considering that Connect-MgGraph -Scope LicenseAssignment.Read.All work as expected, and you can also assign it manually by editing the manifest (see my workaround on my first comment)

They still insist that

since "https://learn.microsoft.com/en-us/graph/permissions-reference" does not list the permission that is how it's supposed to be.

But as you say there's a workaround to it so.. it does "exist" somewhere over the rainbow.

The LicenseAssignment.read.all is not officially available to use, and the error is in the documentation at https://learn.microsoft.com/en-us/graph/api/subscribedsku-list?view=graph-rest-1.0&tabs=http (and in Graph Explorer, may I @wUEZRs add which makes this a serious error then)

@timayabi2020 since this is presented in PowerShell for me does it still not fall under this scope? The specific error in Graph Powershell when assigning the licence read is:

New-AzureADServiceAppRoleAssignment : Cannot bind argument to parameter 'Id' because it is null.
At line:8 char:9
+     -Id $Permission.Id `
+         ~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [New-AzureADServiceAppRoleAssignment], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment

Whereas assigning Read.Write will work as expected.

[wUEZRs]

we confirmed with the team and the LicenseAssignment.read.all permission is in testing phase and the error is in the documentation. The document that we have provided you contains all the official available permissions currently.

The LicenseAssignment.read.all permission will be available in the future officially but we cannot provide any ETA for that.

The script you are running will not contain this particular permission because it is in testing phase not available for all applications. That's why we recommend you to only use officially available permission.

TLDR: It shows some places like Graph Explorer and manifests because it's in a testing phase, according to MS third party Support

[Zoddo]

For the feedback: The scope now appears in the Azure Portal and can be assigned through normal means.

So as @wUEZRs reported, the scope was probably in beta when I stumbled accros this issue, and has since been released.

[wUEZRs]

@timayabi2020 definitely seems SDK related too. It's now closed from MS' side by fixing the oversight

(Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'").AppRoles | Select-Object Id, Value, Description

Now returns:
e2f98668-2877-4f38-a2f4-8202e0717aa1 LicenseAssignment.Read.All

Case closed