IT Error Decoder

How to Fix New-MgServicePrincipalAppRoleAssignment failed

Error message

New-MgServicePrincipalAppRoleAssignment : Permission being assigned was not found on application.

App role assignments tie three IDs together: the principal receiving the role, the resource exposing the role, and the role itself. All three have to match exactly.

What this error means

You tried to grant an app role to a service principal, but Entra couldn't match the AppRoleId against the resource service principal's published roles.

Why this happens

The AppRoleId GUID doesn't exist on the resource you specified, the ResourceId points at the wrong service principal, or you are mixing the v1.0 and beta endpoints so the IDs you looked up don't match the ones the cmdlet is checking against.

Quick fix (for end users)

  • Always look up the AppRoleId from the resource's service principal — never guess or copy from another tenant.
  • Use the role's display name to find its GUID instead of typing the GUID by hand.

Admin / engineer fix

  • Get the resource service principal (e.g. Microsoft Graph) and list its app roles.

    command
    $graph = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"
    $graph.AppRoles | Select-Object Id,Value,DisplayName
  • Find the role you want by its Value (e.g. 'User.Read.All') and copy its Id.

    command
    $role = $graph.AppRoles | Where-Object Value -eq 'User.Read.All'
  • Assign it correctly.

    command
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <target-sp-id> -PrincipalId <target-sp-id> -ResourceId $graph.Id -AppRoleId $role.Id

Step-by-step fix

  1. Resolve the resource service principal.

  2. Pick the correct AppRoleId from its AppRoles array.

  3. Run New-MgServicePrincipalAppRoleAssignment with all three IDs correct.

Affected products

Microsoft.Graph.Applications

Common variations of this error

People also see these phrasings of the same problem:

  • AppRoleAssignment failed
  • Permission being assigned was not found

Still broken? Try these

  • Confirm your account is at least Cloud Application Administrator.
  • If granting to a managed identity, use the managed identity's service principal ID, not the resource ID.
  • Check Entra audit logs for the precise reason.


Frequently asked questions

How do I assign a Graph app permission to a managed identity?

Use the managed identity's service principal ID as both -ServicePrincipalId and -PrincipalId, with -ResourceId pointing at the Microsoft Graph service principal and the AppRoleId of the permission you want.
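The step-by-step fix above and this managed-identity answer describe the same procedure, so here is one worked script for both. It is an added example, not code from the original page or from Microsoft: it resolves the Microsoft Graph service principal by its well-known appId (00000003-0000-0000-c000-000000000000) rather than by display name, looks up each role by its Value, checks that the role is an application role, skips roles that are already assigned, and only then calls New-MgServicePrincipalAppRoleAssignment with all three IDs taken from the same resource object. It assumes the Microsoft.Graph.Applications module is installed and that you are already connected with Connect-MgGraph holding AppRoleAssignment.ReadWrite.All; the $PrincipalDisplayName and $PermissionValues parameters are example inputs you supply.

```powershell
# Added example (not from the original page): grant Microsoft Graph application
# permissions to a service principal or managed identity after verifying that the
# PrincipalId, ResourceId and AppRoleId all resolve, so the assignment cannot fail
# with "Permission being assigned was not found on application".
# Assumes: Microsoft.Graph.Applications installed, Connect-MgGraph already run with
# AppRoleAssignment.ReadWrite.All. Parameters below are example inputs.

param(
    [Parameter(Mandatory)] [string] $PrincipalDisplayName,   # e.g. the managed identity's name
    [string[]] $PermissionValues = @('User.Read.All')         # Graph app roles to grant, by Value
)

# Well-known appId of the Microsoft Graph resource. It is the same in every tenant,
# unlike the service principal's object Id, so it is safe to hard-code.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graph = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $graph) { throw 'Microsoft Graph service principal not found in this tenant.' }

# The principal receiving the role: for a managed identity this is the identity's own
# service principal, which is also what -ServicePrincipalId must be set to.
$principal = Get-MgServicePrincipal -Filter "displayName eq '$PrincipalDisplayName'"
if (@($principal).Count -ne 1) {
    throw "Expected exactly one service principal named '$PrincipalDisplayName', found $(@($principal).Count)."
}

# Existing assignments, so re-running the script does not create duplicates.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $principal.Id

foreach ($value in $PermissionValues) {
    # Only roles that allow the 'Application' member type can be assigned to a service
    # principal; delegated scopes live in Oauth2PermissionScopes and would not match here.
    $role = $graph.AppRoles | Where-Object {
        $_.Value -eq $value -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) {
        Write-Warning "No application role '$value' is published on Microsoft Graph; skipping."
        continue
    }

    if ($existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graph.Id }) {
        Write-Host "$value is already assigned to $($principal.DisplayName)."
        continue
    }

    # All three IDs come from the same tenant and the same resource object, which is
    # exactly what the error message complains about when they do not.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $principal.Id `
        -PrincipalId $principal.Id -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted $value ($($role.Id)) to $($principal.DisplayName)."
}
```

Run it as a script, for example `.\Grant-GraphAppRole.ps1 -PrincipalDisplayName 'my-function-identity' -PermissionValues 'User.Read.All','Group.Read.All'`. Resolving the resource by appId avoids the case where a displayName filter returns nothing or more than one object, and the pre-check against existing assignments keeps the script idempotent. Application permissions are not scoped to a user, so keep $PermissionValues to the minimum the workload needs and review the resulting assignments in the Entra audit log.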
