IT Error Decoder

How to Fix App role assignment failed

Error message

Permission being assigned was not found on application / app role assignment failed.

If you're seeing "App role assignment failed", you're not alone. Here's what it means, why it happens, and the steps to resolve it.

What this error means

You tried to grant an Entra application role (an application permission or a custom app role) to a user, group or service principal, but the AppRoleId you supplied does not exist on the resource service principal named by ResourceId, or the target principal could not be resolved.

Why this happens

  • Wrong AppRoleId (the GUID is not one of the resource's app roles).
  • Wrong ResourceId (it must be the service principal of the API, not the client application).
  • The app role exists but is not enabled, or is not visible/assignable to the kind of principal you are targeting.
  • The assigning identity lacks Cloud Application Administrator / Application Administrator privileges.

Step-by-step fix

  1. Get the resource service principal (e.g. Microsoft Graph) and list its app roles.

    $graph = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"
    $graph.AppRoles | Select-Object Id,Value,DisplayName

  2. Pick the AppRoleId whose Value matches the permission name you intend to grant (e.g. User.Read.All).

  3. Assign it to the target service principal. Both -ServicePrincipalId and -PrincipalId take the target's object ID (not its application/client ID); -ResourceId is the object ID of the API's service principal.

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <target-sp-id> -PrincipalId <target-sp-id> -ResourceId $graph.Id -AppRoleId <app-role-id>
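As an added example (not part of the original page), the following PowerShell function performs the same three steps but checks each cause listed under "Why this happens" before calling the assignment cmdlet, so a failure points at the exact mismatch. It assumes the Microsoft.Graph PowerShell SDK with an active Connect-MgGraph session holding AppRoleAssignment.ReadWrite.All and Application.Read.All; the function name Grant-AppRoleChecked and the placeholder object ID are mine.

```powershell
# Added example, not code from the original page. Requires the Microsoft.Graph
# PowerShell SDK and an existing Connect-MgGraph session.
function Grant-AppRoleChecked {
    param(
        [Parameter(Mandatory)] [string] $TargetObjectId,   # object id of the principal receiving the role
        [Parameter(Mandatory)] [string] $ResourceAppId,    # appId of the API exposing the role
        [Parameter(Mandatory)] [string] $RoleValue         # permission name, e.g. User.Read.All
    )

    # 1. Resolve the resource by appId rather than display name, so a similarly
    #    named application cannot be picked up by mistake (wrong ResourceId).
    $resource = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'" | Select-Object -First 1
    if (-not $resource) { throw "No service principal found for appId $ResourceAppId" }

    # 2. The target must exist and must be referenced by object id, not appId.
    $target = Get-MgServicePrincipal -ServicePrincipalId $TargetObjectId -ErrorAction SilentlyContinue
    if (-not $target) { throw "Target $TargetObjectId not found (did you pass the appId instead of the object id?)" }

    # 3. The app role must exist, be enabled, and be assignable to applications
    #    (wrong AppRoleId / role not enabled or not visible).
    $role = $resource.AppRoles | Where-Object { $_.Value -eq $RoleValue } | Select-Object -First 1
    if (-not $role) {
        $known = ($resource.AppRoles | Where-Object IsEnabled | Select-Object -ExpandProperty Value) -join ', '
        throw "Role '$RoleValue' not found on $($resource.DisplayName). Known roles: $known"
    }
    if (-not $role.IsEnabled) { throw "Role '$RoleValue' exists but is disabled" }
    if ($role.AllowedMemberTypes -notcontains 'Application') {
        throw "Role '$RoleValue' is a user/group role and cannot be assigned to a service principal"
    }

    # 4. Make the operation idempotent: return the existing assignment if present.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $TargetObjectId |
        Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resource.Id }
    if ($existing) { Write-Verbose "Assignment already exists"; return $existing }

    # Both ServicePrincipalId and PrincipalId are the target's object id.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $TargetObjectId `
        -PrincipalId $TargetObjectId -ResourceId $resource.Id -AppRoleId $role.Id
}

# Example call. The target object id is a placeholder; the appId is the
# well-known appId of Microsoft Graph.
# Grant-AppRoleChecked -TargetObjectId '<target-sp-object-id>' `
#     -ResourceAppId '00000003-0000-0000-c000-000000000000' -RoleValue 'User.Read.All'
```

If the throw in step 3 fires, the "Known roles" list tells you whether the permission name is misspelled or simply not exposed by that API, which is the usual source of "Permission being assigned was not found on application".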

Affected products

Entra ID

Still broken? Try these

  • Confirm your account holds Cloud Application Administrator or Application Administrator.
  • If granting to a managed identity, double-check you used the managed identity's service principal ID.
  • Check the audit log in Entra → Monitoring → Audit logs for the failure detail.
