Unauthorized (401) listing synchronization jobs for service principal in MS Graph API

Anonymous
2021-08-24T19:45:48.557+00:00

I am trying to use MS Graph API to configure Azure AD Connect Cloud Sync from these [instructions][1], but I am having trouble calling this [endpoint][2] in PowerShell using client credentials:

    https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID}/synchronization/jobs

I can successfully call this using the Graph Explorer, but no luck using Application permission and authentication with a client secret in PowerShell. I get a 401 Unauthorized error. I can call other endpoints like:

    https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID}   # no /synchronization/jobs at the end

The application has the API permission: Directory.ReadWrite.All (Application)

The permission has been granted by the admin: ![126191-image.png][3]

Below is the detail of the code I use to authenticate:

    $Body = @{
        'tenant'        = $TenantId
        'client_id'     = $ClientId
        'scope'         = 'https://graph.microsoft.com/.default'
        'client_secret' = $ClientSecret
        'grant_type'    = 'client_credentials'
    }
    $Params = @{
        'Uri'         = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
        'Method'      = 'Post'
        'Body'        = $Body
        'ContentType' = 'application/x-www-form-urlencoded'
    }
    $AuthResponse = Invoke-RestMethod @Params

And this is how I call the endpoint:

    $Headers = @{
        'Authorization' = "Bearer $($AuthResponse.access_token)"
    }
    $Params = @{
        Uri         = "https://graph.microsoft.com/beta/servicePrincipals/{SERVICE_PRINCIPAL_ID}/synchronization/jobs"
        Method      = 'Get'
        ContentType = 'application/json'
        Headers     = $Headers
    }
    $res = Invoke-RestMethod @Params

And the error:

    Invoke-RestMethod : The remote server returned an error: (401) Unauthorized

If I use the token from the Graph Explorer it works... My token from PowerShell decoded contains this "roles" section but no "scp" like in the Graph Explorer token:

    "roles": [
        "Directory.ReadWrite.All"
    ],

Thank you for your help!

[1]: https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-inbound-synch-ms-graph
[2]: https://learn.microsoft.com/en-us/graph/api/synchronization-synchronizationjob-list?view=graph-rest-beta&tabs=http
[3]: /api/attachments/126191-image.png?platform=QnA


Accepted answer
  1. Anonymous
    2021-09-03T16:30:24.943+00:00

    EDIT: The service principal needs the role "Hybrid Identity Administrator" (or Global administrator) for this to work!

    Another way is with user creds, the ROPC flow (username/password); this user also needs the Hybrid Identity Admin role:

        $Body = @{
            'tenant'     = $TenantId
            'client_id'  = $ClientId
            'scope'      = 'https://graph.microsoft.com/.default'
            'username'   = $Username
            'password'   = $Password
            'grant_type' = 'password'
        }
        $Params = @{
            'Uri'         = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
            'Method'      = 'Post'
            'Body'        = $Body
            'ContentType' = 'application/x-www-form-urlencoded'
        }
        $AuthResponse = Invoke-RestMethod @Params

    1 person found this answer helpful.
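The question observes that the app-only token carries a `roles` claim but no `scp`, and the accepted answer adds that the calling service principal must itself hold the Hybrid Identity Administrator directory role, not just a Graph application permission. The following PowerShell script is an added example, not code from the original question or answer, that puts both checks in one place: it acquires a client-credentials token, decodes the claims locally, verifies the caller's directory-role assignment through the `roleManagement/directory` API, and then calls the synchronization endpoint with the Graph error body surfaced instead of the bare "(401) Unauthorized". The placeholder GUIDs, the `GRAPH_CLIENT_SECRET` environment variable and the helper names (`Get-GraphAppToken`, `ConvertFrom-JwtPayload`, `Invoke-GraphGet`, `Test-DirectoryRoleAssignment`) are assumptions of this example; the role lookup needs a role-management read permission such as RoleManagement.Read.Directory, which the question's app is not stated to have.

```powershell
# Added example (not from the original post). Placeholder values are constructed; replace them.
$TenantId           = '00000000-0000-0000-0000-000000000000'   # placeholder tenant id
$ClientId           = '11111111-1111-1111-1111-111111111111'   # placeholder app registration id
$ClientSecret       = $env:GRAPH_CLIENT_SECRET                   # assumed: secret kept out of the script
$ServicePrincipalId = '22222222-2222-2222-2222-222222222222'   # placeholder target SP for sync jobs

function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # Client-credentials grant: the resulting token carries app roles ("roles"),
    # never delegated scopes ("scp"), which is why the two tokens in the question differ.
    $Body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $Body).access_token
}

function ConvertFrom-JwtPayload {
    param([string]$Token)
    # Decode (not verify) the payload segment so the claims can be inspected locally
    $Payload = ($Token -split '\.')[1].Replace('-', '+').Replace('_', '/')
    switch ($Payload.Length % 4) { 2 { $Payload += '==' } 3 { $Payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) | ConvertFrom-Json
}

function Invoke-GraphGet {
    param([string]$Uri, [string]$Token)
    # Surface the Graph error body on failure instead of the bare "(401) Unauthorized" message
    try {
        Invoke-RestMethod -Method Get -Uri $Uri -Headers @{ Authorization = "Bearer $Token" }
    } catch {
        $Detail = $_.ErrorDetails.Message                       # PowerShell 7 exposes the body here
        if (-not $Detail -and $_.Exception.Response) {          # Windows PowerShell 5.1: read the stream
            $Reader = [IO.StreamReader]::new($_.Exception.Response.GetResponseStream())
            $Detail = $Reader.ReadToEnd()
        }
        throw "Graph call to $Uri failed: $($_.Exception.Message)`n$Detail"
    }
}

function Test-DirectoryRoleAssignment {
    param([string]$PrincipalId, [string]$RoleName, [string]$Token)
    # Looks up the role definition by display name, then checks for a direct, active
    # assignment of that role to the principal (group-inherited assignments are not covered).
    $Base = 'https://graph.microsoft.com/v1.0/roleManagement/directory'
    $Def = (Invoke-GraphGet -Token $Token -Uri "$Base/roleDefinitions?`$filter=displayName eq '$RoleName'").value
    if (-not $Def) { throw "Role definition '$RoleName' not found" }
    $Assigned = (Invoke-GraphGet -Token $Token -Uri "$Base/roleAssignments?`$filter=principalId eq '$PrincipalId'").value
    [bool]($Assigned | Where-Object roleDefinitionId -eq $Def[0].id)
}

$Token  = Get-GraphAppToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$Claims = ConvertFrom-JwtPayload -Token $Token
"App roles in token : $($Claims.roles -join ', ')"
"Delegated scopes   : $($Claims.scp)"      # empty for an app-only token, as the question observed

# For an app-only token the 'oid' claim is the object id of the calling service principal;
# that principal, not the target SP, must hold the directory role the accepted answer names.
$CallerSpId = $Claims.oid
if (-not (Test-DirectoryRoleAssignment -PrincipalId $CallerSpId -RoleName 'Hybrid Identity Administrator' -Token $Token)) {
    Write-Warning "Service principal $CallerSpId has no Hybrid Identity Administrator assignment; expect a 401"
}

$Jobs = Invoke-GraphGet -Token $Token -Uri "https://graph.microsoft.com/beta/servicePrincipals/$ServicePrincipalId/synchronization/jobs"
$Jobs.value | Select-Object id, templateId, @{ n = 'state'; e = { $_.status.code } }
```

The script keeps the client-credentials flow from the question rather than switching to ROPC, so the fix it exercises is the one the accepted answer's edit describes: assigning the directory role to the application's own service principal. Running it before the role is assigned prints the warning and then the 401 with Graph's JSON error body, which makes the missing-role cause visible in the output rather than leaving only the generic transport error.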

5 additional answers

  1. El Carbo 1 Reputation point
    2021-12-08T10:44:20.62+00:00

    Did you ever solve this one?
