If you are unable to grant admin consent to an app registration in Entra ID and the error suggests a missing service principal, this article outlines the steps to resolve the issue.
Symptom
You have an app registration in Entra ID, and when you try to grant admin consent to a permission you receive the error below.
Could not grant admin consent. Your organization does not have a subscription (or service principal) for the following API(s): Azure Communication Services,Microsoft Graph.
In this example, I am trying to add the ‘Teams.ManageChats’ permission, which is part of Azure Communication Services.
Cause
From the error, you might think that the Azure tenant is missing a subscription for Azure Communication Services, which is required to use permissions like ‘Teams.ManageChats’.
That is partly true: you may need a subscription to actually use ‘Teams.ManageChats’ within the app. However, a subscription is not a requirement for granting admin consent. You should still be able to consent to the application for these permissions without one. The app itself may not work as you expect without the subscription, but that is an app development matter to check with the development team.
Look at the error again. It starts with ‘Your organization does not have a subscription (or service principal)’, and the ‘service principal’ part deserves attention. The error is more likely caused by a missing service principal. I will detail how to confirm this below.
How to check if a service principal is present or missing in Entra ID
Go to Entra ID and choose Identity > Applications > Enterprise applications.
Once you are in the list of Enterprise applications, remove the filter ‘Application Type == Enterprise applications’.
Once the filter is removed, search for the service principal by name as shown below.
The ‘Azure Communication Services’ service principal is missing from the tenant, which leads to the error above when attempting to grant admin consent to an app registration.
Solution
How to add ‘Azure Communication Services’ service principal to Entra ID using Graph PowerShell
Since the error clearly says we are missing the Azure Communication Services service principal, we will have to add it to the directory manually. We will use the Microsoft Graph PowerShell module to do it. This can also be done with the Azure AD PowerShell module, but since that module is deprecated it will not be covered in this article.
Using the steps below you can add any service principal to Entra ID, as long as you have the app ID corresponding to the service principal.
Please note that the service principal we are adding manually is a Microsoft first-party service principal, and hence it will not be possible to remove it once added.
Install the Microsoft Graph PowerShell module if not installed already.
Install-Module Microsoft.Graph
Connect to the directory using the scope specified below and consent to the permission using a Global Administrator account.
Connect-MgGraph -Scopes Application.ReadWrite.All
Add the Azure Communication Services service principal using the command below. The app ID for this service principal is ‘1fd5118e-2576-4263-8130-9503064c837a’.
New-MgServicePrincipal -AppId "1fd5118e-2576-4263-8130-9503064c837a"
You will get the output below from the New-MgServicePrincipal command. Read more about the New-MgServicePrincipal command.
Now let’s verify that the service principal can be seen in the Entra ID admin centre. Navigate to Entra ID > Applications > Enterprise applications and remove the filter ‘Application Type == Enterprise applications’. Search for ‘Azure Communication Services’.
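As an added example that is not part of the original article's steps, the script below combines the check and the fix into a single idempotent run: it looks the service principal up by app ID, creates it only when missing, and then confirms that the permission is actually published by that service principal. The app ID is the one given in the article; the script assumes the Microsoft.Graph module is installed.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph module
# is installed and that the app ID below, taken from the article, is correct for
# the cloud you are signed in to.
$acsAppId       = '1fd5118e-2576-4263-8130-9503064c837a'   # Azure Communication Services
$permissionName = 'Teams.ManageChats'

# Application.ReadWrite.All is needed to create the service principal.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Look the service principal up by appId; an empty result means it is missing
# from the tenant, which is exactly the condition that breaks admin consent.
$sp = Get-MgServicePrincipal -Filter "appId eq '$acsAppId'"

if (-not $sp) {
    Write-Host "No service principal for appId $acsAppId in this tenant, creating it..."
    $sp = New-MgServicePrincipal -AppId $acsAppId
} else {
    Write-Host "Service principal '$($sp.DisplayName)' already exists (objectId $($sp.Id))."
}

# The permission you consent to must be one the API publishes, either as a
# delegated scope (oauth2PermissionScopes) or an application role (appRoles).
$delegated = $sp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $permissionName }
$appRole   = $sp.AppRoles               | Where-Object { $_.Value -eq $permissionName }

if ($delegated -or $appRole) {
    Write-Host "'$permissionName' is published by '$($sp.DisplayName)'; admin consent should now succeed."
} else {
    Write-Warning "'$permissionName' was not found on '$($sp.DisplayName)'; check the permission name in the app registration."
}
```

Running the script a second time is safe: it reports the existing service principal instead of attempting to create a duplicate.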
Grant admin consent to the ‘Teams.ManageChats’ permission in the app registration
You should now be able to consent to the ‘Teams.ManageChats’ permission for the app registration (or any other permission in the Azure Communication Services list).
Please feel free to add comments with questions, corrections or any other tips to make this article even better.