Add Graph API via az ad app permission fails

Question

I'm attempting to add the Graph API via CLI 2.x. Here is the PowerShell script I'm running:

    #
    # (1) Register the app, replyUrl, enable implicitflow
    #
    Write-Host " -  Create Application " + $appName
    az ad app create --display-name "$appName" --reply-urls "$replyUrl" --oauth2-allow-implicit-flow true

    #
    # (2) get the app id into a variable
    #
    $appId=$(az ad app list --display-name $appName --query [].appId -o tsv)

    #
    # (3) API Permissions, add Graph API/Permission (delegated)
    
    #
    Write-Host " -  Add Graph API/Permission (delegated)"
    az ad app permission add --id $appid --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope
    
    #
    # (4) Grant permissions based on the error/warning from the previous step
    
    #
    Write-Host " -  Grant permissions"
    az ad app permission grant --id $appid --api 00000002-0000-0000-c000-000000000000

I pulled the --api-permissions id from this link. The script line az ad app permission add throws this error (or warning):

az : Invoking az ad app permission grant --id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --api 00000002-0000-0000-c000-000000000000 is needed to make the change effective At C:\temp\CP\CreateAppRegistration.ps1:42 char:5 az ad app permission add --id $appid --api 00000002-0000-0000-c00 ... CategoryInfo : NotSpecified: (Invoking "az ad...hange effective:String) [], RemoteException FullyQualifiedErrorId : NativeCommandError

I then attempt to call the script in the error az ad app permission grant and get the following error:

az : Operation failed with status: 'Not Found'. Details: 404 Client Error: Not Found for url: https://graph.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/oauth2PermissionGrants?$filter=clientId%20eq%20%27e62c4745-cccc-cccc-cccc-71e5599261fc%27&api-version=1.6 At C:\temp\CP\CreateAppRegistration.ps1:45 char:5 az ad app permission grant --id $appid --api 00000002-0000-0000-c ... CategoryInfo : NotSpecified: (Operation faile...api-version=1.6:String) [], RemoteException FullyQualifiedErrorId : NativeCommandError

Can someone help me understand if I need to execute the script (#4 above) per the error generated from #3 above??
Or why is #3 above returning an error/warning?

I say warning because the Graph API does seem to get added but I'm not sure it's in the proper state per the error message.

az ad app permission grant --id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --api 00000002-0000-0000-c000-000000000000 is needed to make the change effective

Answer 1

In theory, you need to execute the script (#4 above) per the warning generated from #3 above.

You get "404 Client Error: Not Found for url" means the endpont https://graph.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/oauth2PermissionGrants?$filter=clientId%20eq%20%27e62c4745-cccc-cccc-cccc-71e5599261fc%27&api-version=1.6 returns null result.

The cmd az ad app permission grant will query it first and then insert the new permission. The error occurs in the querying step. I don't think this is reasonable. Your requirement is to add a permission grant, but this cmd needs to query the existing permission grant first. If the result is empty, it prevents you from adding it.

So the logic for this cmd az ad app permission grant is not perfect currently. It may work better for an existing Azure AD app (which has a service principal), but not for a new created Azure AD app (which has no service principal).

A workaround is to use az ad app permission admin-consent --id $appid instead of az ad app permission grant. See reference here. It covers what az ad app permission grant can do.

After you execute az ad app permission admin-consent for once, it will generate a service principal for the Azure AD app and then you can use az ad app permission grant later.