Remove-MgServicePrincipalAppRoleAssignment api throws 400 error code and not working as expected

[Helenyang2024]

Describe the bug

Hi there,

When I invoke the endpoint to revoke a service principal app role assignment it fails with Status 400 and the message: Invalid resource identifier for EntitlementGrant. I have tried this both on powershell and C# SDK and am using a valid SP id and app role assignment id (I used to same one to create the app role). I also tried with several different valid app role ids and each fails with this error. Is this a known bug? When will it get fixed or is there working call for revoking app role assignments for service principals? I've attached a screenshot executing from powershell

Expected behavior

Successfully revoke app role from service principal provided.

How to reproduce

Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipalId -AppRoleAssignmentId $appRoleAssignmentId

example approleId = $appRoleAssignmentId = "06b708a9-e830-4db3-a914-8e69da51d44f"

SDK Version

2.10.0

Latest version known to work for scenario above?

n/a

Known Workarounds

No response

Debug output

HTTP Method:
DELETE

Absolute Uri:
https://graph.microsoft.com/v1.0/servicePrincipals/d8ca00aa-1b92-46f4-9931-f58cb11d5769/appRoleAssignments/06b708a9-e830-4db3-a914-8e69da51d44f

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; en-US),PowerShell/7.4.2
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.10.0
client-request-id : 3f52104c-be8f-4900-a328-b157ab95da8e

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 39226b05-3a76-43bb-b157-18e9e40503be
client-request-id : 3f52104c-be8f-4900-a328-b157ab95da8e
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"001","RoleInstance":"MW2PEPF000031CC"}}
x-ms-resource-unit : 1
Date : Tue, 18 Feb 2025 21:50:57 GMT

Body:
{
"error": {
"code": "Request_UnsupportedQuery",
"message": "Invalid resource identifier for EntitlementGrant.",
"innerError": {
"date": "2025-02-18T21:50:57",
"request-id": "39226b05-3a76-43bb-b157-18e9e40503be",
"client-request-id": "3f52104c-be8f-4900-a328-b157ab95da8e"
}
}
}

Remove-MgServicePrincipalAppRoleAssignment_Delete: Invalid resource identifier for EntitlementGrant.

Status: 400 (BadRequest)
ErrorCode: Request_UnsupportedQuery
Date: 2025-02-18T21:50:57

Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 39226b05-3a76-43bb-b157-18e9e40503be
client-request-id : 3f52104c-be8f-4900-a328-b157ab95da8e
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"001","RoleInstance":"MW2PEPF000031CC"}}
x-ms-resource-unit : 1
Date : Tue, 18 Feb 2025 21:50:57 GMT

DEBUG: [CmdletEndProcessing]: - Remove-MgServicePrincipalAppRoleAssignment end processing.

Configuration

Name Value

---

PSVersion 7.4.2
PSEdition Core
GitCommitId 7.4.2
OS Microsoft Windows 10.0.22631
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Other information

No response

[timayabi2020]

Hi @Helenyang2024 I also tried the endpoint via graph explorer tool and the request failed. Therefore, this seems to be a service issue and unfortunately for service/Api related issue we are not best placed to give an answer. Kindly raise an issue here https://developer.microsoft.com/en-us/graph/support so that the API owner can respond to it.