Welcome to Vigges Developer Community - Open, Learning, Share
0 votes
597 views
in Technique[技术] by (71.8m points)

azure - How to assign a contributor role of a subscription to a service principal using the API, or how to use the subscription object

I try to assign a contributor role of a subscription to a service principal using the API. Here is the information:
subscription ID: b59c6b1b-xxxxxxxxxx
service principal ID: 73eb9e1e-xxxxxxxx
contributor ID: b24988ac-6180-42a0-ab88-20f7382dd24c (Azure built-in Contributor role ID; I got it using 'az role definition list --query "[].{name:name, roleType:roleType, roleName:roleName}" --output tsv' with the az CLI. Is it right?)

I use the API like this

POST https://graph.microsoft.com/v1.0/servicePrincipals/b59c6b1b-xxxxxxxxxx/appRoleAssignedTo
Content-Type: application/json
Content-Length: 110

{
  "principalId": "73eb9e1e-xxxxxxxx",
  "resourceId": "b59c6b1b-xxxxxxxxxx",
  "appRoleId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}

But I got an error response like this

{
    "error": {
        "code": "Request_ResourceNotFound",
        "innerError": {
            "client-request-id": "4fed54c4-xxxxxxxxx",
            "date": "2021-01-11T12:00:08",
            "request-id": "4fed54c4-xxxxxxxxx"
        },
        "message": "Resource 'b59c6b1b-xxxxxxxxxxx' does not exist or one of its queried reference-property objects are not present."
    }
}

It means that the subscription wasn't found by ID. In this example I use the subscription ID; I think maybe I should use the subscription ObjectID like in the other example resources, but I can't find a method to get the subscription ObjectID using the portal or the API. Or maybe I put the wrong information into resourceId. So I want to know what information I need to assign a contributor role of a subscription to a service principal.



1 Answer

0 votes
by (71.8m points)

You used the wrong API: this MS Graph API assigns an AAD app role to the service principal. What you need is to assign an RBAC role to the service principal in the subscription, so you need to use this API - Role Assignments - Create. You can click the Try it button on that page, log in with your account and try it directly.

Make sure the client/user you used to get the token has the permission Microsoft.Authorization/roleAssignments/write to create the role assignment, e.g. User Access Administrator or Owner.

Sample:

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}?api-version=2015-07-01

{
  "properties": {
    "roleDefinitionId": "/subscriptions/xxxxx/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
    "principalId": "xxxxxxx"
  }
}

For more details, follow every step in this doc.

Besides, if you are willing to use Azure CLI, you can use the command az role assignment create.
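The following Python is an added example and is not code from the question, the answer or Microsoft. It builds the ARM "Role Assignments - Create" PUT request the answer refers to, using the api-version from the answer's sample and the built-in Contributor role GUID from the question, validates that each id is a GUID (the Graph call in the question failed because a subscription id is not a directory object, so servicePrincipals/{id} could not resolve it), and checks a list of existing assignments so a script does not create the same assignment twice. All subscription and principal GUIDs are constructed placeholders; nothing is sent, and attaching a bearer token and issuing the request is left to the caller.

```python
"""Build and sanity-check an Azure RBAC role-assignment request (added example)."""
import re
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2015-07-01"  # the version used in the answer's sample request
# Built-in Contributor role definition GUID, as listed in the question.
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"

# Constructed sample values (hypothetical GUIDs, not real resources).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"
SERVICE_PRINCIPAL_OBJECT_ID = "00000000-0000-0000-0000-000000000002"
OTHER_ROLE_ID = "00000000-0000-0000-0000-000000000003"  # some other role (constructed)

GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def subscription_scope(subscription_id: str) -> str:
    """Scope string for a whole subscription; the id must be the subscription GUID."""
    if not GUID_RE.match(subscription_id):
        raise ValueError(f"not a subscription GUID: {subscription_id!r}")
    return f"/subscriptions/{subscription_id}"


def role_definition_id(scope: str, role_guid: str) -> str:
    """Fully qualified role definition id under the given scope."""
    if not GUID_RE.match(role_guid):
        raise ValueError(f"not a role definition GUID: {role_guid!r}")
    return f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}"


def build_role_assignment_request(scope, principal_object_id, role_guid, assignment_id=None):
    """Return (method, url, json_body) for Role Assignments - Create.

    principal_object_id is the service principal's directory object id, not the
    application id and not the subscription id.
    """
    if not GUID_RE.match(principal_object_id):
        raise ValueError(f"not a principal object id GUID: {principal_object_id!r}")
    # The assignment name is a GUID chosen by the caller.
    assignment_id = assignment_id or str(uuid.uuid4())
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_id}?api-version={API_VERSION}")
    body = {"properties": {"roleDefinitionId": role_definition_id(scope, role_guid),
                           "principalId": principal_object_id}}
    return "PUT", url, body


def already_assigned(existing_assignments, scope, principal_object_id, role_guid):
    """True if an entry already grants role_guid to the principal at exactly this scope.

    existing_assignments has the shape of the "value" array returned by listing
    role assignments for the principal. Comparison is case-insensitive.
    """
    want_role = role_definition_id(scope, role_guid).lower()
    for item in existing_assignments:
        props = item.get("properties", {})
        if (props.get("principalId", "").lower() == principal_object_id.lower()
                and props.get("roleDefinitionId", "").lower() == want_role
                and props.get("scope", "").lower() == scope.lower()):
            return True
    return False


# Constructed sample of a list response: the principal holds only OTHER_ROLE_ID.
EXISTING = [{"properties": {
    "principalId": SERVICE_PRINCIPAL_OBJECT_ID,
    "roleDefinitionId": f"/subscriptions/{SUBSCRIPTION_ID}/providers/Microsoft.Authorization/"
                        f"roleDefinitions/{OTHER_ROLE_ID}",
    "scope": f"/subscriptions/{SUBSCRIPTION_ID}"}}]

if __name__ == "__main__":
    scope = subscription_scope(SUBSCRIPTION_ID)
    if already_assigned(EXISTING, scope, SERVICE_PRINCIPAL_OBJECT_ID, CONTRIBUTOR_ROLE_ID):
        print("Contributor already assigned at this scope; nothing to do")
    else:
        method, url, body = build_role_assignment_request(
            scope, SERVICE_PRINCIPAL_OBJECT_ID, CONTRIBUTOR_ROLE_ID)
        print(method, url)
        print(body)
```

The caller issuing the PUT still needs Microsoft.Authorization/roleAssignments/write at the scope, as the answer notes, and the principalId must be the service principal's object id, which is what the question's Graph-based attempt mixed up with the subscription id.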

