Unauthorized (401) listing synchronization jobs for service principal in MS Graph API

Anonymous
2021-08-24T19:45:48.557+00:00

I am trying to use MS Graph API to configure Azure AD Connect Cloud Sync from these [instructions][1], but I am having trouble calling this [endpoint][2] in PowerShell using client credentials:

    https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID}/synchronization/jobs

I can successfully call this using the Graph Explorer, but no luck using Application permission and authentication with a client secret in PowerShell. I get a 401 Unauthorized error.

I can call other endpoints like:

    https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID}   # no /synchronization/jobs at the end

The application has the API permission: Directory.ReadWrite.All (Application)

The permission has been granted by the admin:

![126191-image.png][3]

Below is the detail of the code I use to authenticate:

    $Body = @{
        'tenant'        = $TenantId
        'client_id'     = $ClientId
        'scope'         = 'https://graph.microsoft.com/.default'
        'client_secret' = $ClientSecret
        'grant_type'    = 'client_credentials'
    }
    $Params = @{
        'Uri'         = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
        'Method'      = 'Post'
        'Body'        = $Body
        'ContentType' = 'application/x-www-form-urlencoded'
    }
    $AuthResponse = Invoke-RestMethod @Params

And this is how I call the endpoint:

    $Headers = @{
        'Authorization' = "Bearer $($AuthResponse.access_token)"
    }
    $Params = @{
        Uri         = "https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID}/synchronization/jobs"
        Method      = 'Get'
        ContentType = 'application/json'
        Headers     = $Headers
    }
    $res = Invoke-RestMethod @Params

And the error:

    Invoke-RestMethod : The remote server returned an error: (401) Unauthorized

If I use the token from the Graph Explorer it works...

My token from PowerShell, decoded, contains this "roles" section but no "scp" like in the Graph Explorer token:

    "roles": [
        "Directory.ReadWrite.All"
    ],

Thank you for your help!

[1]: https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-inbound-synch-ms-graph
[2]: https://learn.microsoft.com/en-us/graph/api/synchronization-synchronizationjob-list?view=graph-rest-beta&tabs=http
[3]: /api/attachments/126191-image.png?platform=QnA


Accepted answer
  1. Anonymous
    2021-09-03T16:30:24.943+00:00

    EDIT: The service principal needs the role "Hybrid Identity Administrator" (or Global administrator) for this to work!

    Another way with user creds, ROPC flow (username/password) this user also needs Hybrid Identity Admin role:

    $Body = @{
    'tenant' = $TenantId
    'client_id' = $ClientId
    'scope' = 'https://graph.microsoft.com/.default'
    'username' = $Username
    'password' = $Password
    'grant_type' = 'password'
    }
    $Params = @{
    'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    'Method' = 'Post'
    'Body' = $Body
    'ContentType' = 'application/x-www-form-urlencoded'
    }
    $AuthResponse = Invoke-RestMethod @Params

    1 person found this answer helpful.

5 additional answers

  1. Siva-kumar-selvaraj 15,546 Reputation points
    2021-08-26T18:32:22.607+00:00

    Hello anonymous user,

    Thanks for reaching out, and apologies for the inconvenience caused by the above issue.

    I was able to get it to work by adding the following Microsoft Graph API permissions, Application.ReadWrite.All & Directory.ReadWrite.All, to the application which I used to authenticate and get an Access_token using the above PowerShell.

    Working API permission on my lab:
    126872-image.png

    If either of these two permissions is missing, then a (401) Unauthorized is expected, the same as you got. Hope this helps.

    126893-image.png

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

  2. Siva-kumar-selvaraj 15,546 Reputation points
    2021-08-27T19:28:10.333+00:00

    I guess you are using the same service principal in PowerShell that was created using the instantiate template. If that's the case, then the (401) Unauthorized error is expected, because these service principals represent the cloud sync Configuration, which is used as a service account and is limited to the synchronization engine only.

    Therefore, you should not use them for getting an access_token for administration purposes; instead, create a new App registration or use an existing one from Azure AD, which should work in the client credential flow without any issue.

    For example: I created two service principals (let's say Sync1 & Sync2) using the following template ( https://graph.microsoft.com/beta/applicationTemplates/1a4721b3-e57f-4451-ae87-ef078703ec94/instantiate ) as described here, which represent the cloud sync Configuration, and this can be verified by going to Azure AD Connect under the Azure AD blade as shown below.

    127198-image.png

    For administration purposes, I created a new App registration (let's say myapp) and used it in my PowerShell script to get an access_token and perform all API calls to the https://graph.microsoft.com/beta/servicePrincipals/{SOME_ID}/synchronization/jobs endpoint.

    Create App Registration
    127252-image.png

    Get Access_token

    127199-image.png

    Get API call to /synchronization/jobs endpoint

    127253-image.png

    Hope this helps.

    1 person found this answer helpful.
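    A complete client-credentials version of the procedure described in the accepted answer and in this one, written as an added example rather than code from either post. It obtains an app-only token for a separate app registration (not the cloud-sync template service principal), decodes the token payload to show whether it carries `roles` (app-only) or `scp` (delegated), and calls the jobs endpoint with error handling that surfaces Graph's error body when a 401 comes back. The parameter names, the `Get-GraphAppToken` and `ConvertFrom-JwtPayload` helpers, and the placeholder values you pass in are assumptions of this example; none of them come from the original posts.

    ```powershell
    # Added example (not from the original posts). Supply your own tenant, app
    # registration and target service principal IDs; all four parameters are
    # placeholders. The app registration must hold the Graph application
    # permission and, per the accepted answer, the calling service principal
    # also needs a directory role such as Hybrid Identity Administrator.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret,
        [Parameter(Mandatory)][string]$ServicePrincipalId
    )

    # Client-credentials flow against the v2.0 token endpoint (hypothetical helper).
    function Get-GraphAppToken {
        param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
        $Body = @{
            client_id     = $ClientId
            scope         = 'https://graph.microsoft.com/.default'
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
        }
        $Response = Invoke-RestMethod -Method Post `
            -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
            -Body $Body -ContentType 'application/x-www-form-urlencoded'
        return $Response.access_token
    }

    # Decode the payload (second segment) of a JWT for local inspection only.
    # The signature is not checked here, so never use this to trust a token.
    function ConvertFrom-JwtPayload {
        param([string]$Token)
        $Payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
        switch ($Payload.Length % 4) {
            2 { $Payload += '==' }
            3 { $Payload += '=' }
        }
        $Json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload))
        return $Json | ConvertFrom-Json
    }

    $Token  = Get-GraphAppToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
    $Claims = ConvertFrom-JwtPayload -Token $Token

    # App-only tokens list application permissions under 'roles'; delegated
    # tokens (what Graph Explorer uses) list granted scopes under 'scp'.
    if ($Claims.PSObject.Properties.Name -contains 'scp') {
        Write-Host "Delegated token; scp = $($Claims.scp)"
    } else {
        Write-Host "App-only token; roles = $($Claims.roles -join ', ')"
    }

    $Uri = "https://graph.microsoft.com/beta/servicePrincipals/$ServicePrincipalId/synchronization/jobs"
    try {
        $Jobs = Invoke-RestMethod -Method Get -Uri $Uri -Headers @{ Authorization = "Bearer $Token" }
        # Each synchronizationJob carries an id, a templateId and a status.code
        $Jobs.value | Select-Object id, templateId, @{ n = 'state'; e = { $_.status.code } } | Format-Table
    }
    catch {
        # Invoke-RestMethod throws on non-2xx; the Graph error body says why.
        $StatusCode = $_.Exception.Response.StatusCode.value__
        Write-Warning "Graph returned HTTP $StatusCode for $Uri"
        if ($_.ErrorDetails.Message) { Write-Warning $_.ErrorDetails.Message }
        if ($StatusCode -eq 401) {
            Write-Warning ('The application permission alone is not enough for this endpoint; ' +
                           'the calling service principal also needs a directory role ' +
                           '(for example Hybrid Identity Administrator).')
        }
    }
    ```

    Run it as `.\Check-SyncJobs.ps1 -TenantId ... -ClientId ... -ClientSecret ... -ServicePrincipalId ...` (the script name is arbitrary). Printing the decoded `roles`/`scp` claim before the call makes the difference between the PowerShell token and the Graph Explorer token visible immediately, and catching the exception rather than letting it terminate the script keeps the status code and Graph's error body, which is the only place the cause of a 401 is stated.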

  3. Ahmed Uzejnovic 1 Reputation point
    2021-08-24T20:25:47.613+00:00

    Hi,

    I think your permissions for the Application are not right.
    Try to add the following to your Application: Application --> Application.ReadWrite.OwnedBy

    126201-grafik.png

    The Graph Explorer generates a token that works because you are logged in as a user, which works like a delegated permission. (Not 100% sure)

    I hope this can help you :)


  4. Limitless Technology 39,336 Reputation points
    2021-08-26T08:51:59.083+00:00

    Hello anonymous user,
    Thank you for your question and reaching out.

    The application permission of Microsoft Graph cannot be completely replaced by directory role permissions. They cannot replace each other.

    Generally speaking, the permissions of the AAD Graph and the directory role permissions have a certain overlap. But Microsoft Graph's do not.

    Please use Application permission

    Application.ReadWrite.OwnedBy

    or

    Directory.ReadWrite.All

    in this case.

    If the reply was helpful, please don't forget to upvote or accept as answer.

    Thanks,

    Aradhya C