What is the API permission needed in order to assign a role to a user (in Entra ID)?

EntraDeveloper 0 Reputation points
2024-12-19T09:00:40.01+00:00

I'm doing a call to this endpoint (@POST):

https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments

with this payload:

{
    "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
    "roleDefinitionId": "xxxxxx-xxxxxx-xxxxxxxx-xxxx-xxxxx",
    "principalId": "aaaa-aa-3bbbb-bddd-cccc",
    "directoryScopeId": "/"
}

and I get this response:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2024-12-12T05:22:28",
            "request-id": "xxxxxxx-xxxxx-xxxxx-xxxx-xxxxxx",
            "client-request-id": "xxxxxxxx-xxxxxxx-xx-xx-xxxxx"
        }
    }
}

1 answer

  1. Raja Pothuraju 10,040 Reputation points Microsoft Vendor
    2024-12-20T02:34:14.53+00:00

    Hello @EntraDeveloper,

    Thank you for posting your query on Microsoft Q&A.

    I understand you are attempting to create a role assignment with tenant scope using Graph Explorer, but encountering an "Insufficient privileges to complete the operation" error when sending a POST request.

    To perform this operation, you need consent for the RoleManagement.ReadWrite.Directory API permission. I tested this in my demo tenant, and the operation succeeded after granting consent for this permission.

    For more details, please refer to the following document: Create roleAssignment - Microsoft Graph v1.0

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
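
An added example, not part of the original thread or Microsoft's code: a troubleshooting check that decodes the access token sent to the roleAssignments endpoint and reports whether it carries RoleManagement.ReadWrite.Directory, either as a delegated scope (the `scp` claim) or as an application permission (the `roles` claim). The function names are hypothetical and the sample tokens are constructed and unsigned; the payload is decoded without signature verification, so use it for diagnosis only, never for authorization decisions.

```python
import base64
import json

# Permission named in the answer above for POST /roleManagement/directory/roleAssignments
REQUIRED = "RoleManagement.ReadWrite.Directory"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload segment. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permission_source(token: str):
    """Return 'delegated', 'application', or None if the permission is absent."""
    claims = decode_claims(token)
    if REQUIRED in claims.get("scp", "").split():   # delegated: space-separated string
        return "delegated"
    if REQUIRED in claims.get("roles", []):         # app-only: JSON array
        return "application"
    return None


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


# Constructed sample tokens (not real credentials)
TOKEN_MISSING = make_sample_token({"scp": "User.Read Directory.Read.All"})
TOKEN_DELEGATED = make_sample_token({"scp": f"User.Read {REQUIRED}"})
TOKEN_APP = make_sample_token({"roles": [REQUIRED]})

if __name__ == "__main__":
    for name, tok in [("missing", TOKEN_MISSING),
                      ("delegated", TOKEN_DELEGATED),
                      ("app-only", TOKEN_APP)]:
        src = permission_source(tok)
        verdict = f"granted ({src})" if src else "absent: expect Authorization_RequestDenied"
        print(f"{name:10s} {REQUIRED}: {verdict}")
```

In delegated flows the signed-in user also needs a directory role that is allowed to manage role assignments (for example Privileged Role Administrator), which this scope check does not cover.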

