Description
Bicep version
0.39.26
Resource and API version
- Microsoft.Graph/applications@beta → works in Entra tenant A & B
- Microsoft.Graph/servicePrincipals@beta → works in Entra tenant A, fails in Entra tenant B
- Microsoft.Graph/appRoleAssignedTo@beta → works in Entra tenant A, fails in Entra tenant B
Auth flow
Automated deployment
Bicep executed on an Azure DevOps agent using a service principal (workload identity federation).
The same configured service principal (same permissions and roles) is used in both Entra tenants.
Deployment details
Insufficient privileges to complete the operation.
Graph client request id: cbf743cc-bffd-443c-a2dd-b1da094d75ac.
Graph request timestamp: 2025-12-30T14:06:55Z.
Describe the bug
Using the same Bicep template, same service principal, and same permissions:
- Deployment works in Tenant A
- Deployment fails in Tenant B
Failures occur only for:
- Microsoft.Graph/servicePrincipals
- Microsoft.Graph/appRoleAssignedTo
The same operations executed via the direct Microsoft Graph REST API (using PowerShell / az rest) succeed.
Expected behavior:
ARM/Bicep Graph deployments should behave consistently across tenants and align with direct Microsoft Graph API behavior.
Actual behavior:
Tenant-dependent failures occur only when using the ARM-based Microsoft Graph provider.
To Reproduce
No idea.
Additional context
- Admin consent to SP used by Azure DevOps is granted in both Entra tenants
- Same permissions, roles, API version, and payload
- Same service principal identity
- Tenant settings reviewed and appear identical
- The issue occurs only when operations are executed via Azure Resource Manager
- Direct Microsoft Graph API calls do not exhibit this tenant-dependent behavior
This suggests additional tenant-level enforcement applied only to
ARM-mediated Microsoft Graph operations.
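The comparison the report describes (same service principal, same three Graph operations, direct Graph REST instead of the ARM-mediated provider), as an added example that is not part of the issue or of the Bicep project's code. It signs in with the pipeline's federated token, prints the `roles` claim of the Graph token the principal actually receives in the target tenant, and then performs the `applications`, `servicePrincipals` and `appRoleAssignedTo` creates with `az rest`. The `$env:*` variables, the display name, the choice of `User.Read.All` as the granted role and the `bicep-graph-repro` name are assumptions for the repro, not identifiers from the issue.

```powershell
# Added example, not taken from the issue or from the Bicep project: run the same three
# Graph operations directly with `az rest` as the same service principal, and show which
# Graph app roles that principal's token carries in this tenant. The $env:* variables,
# the display name and the chosen app role are placeholders (assumptions).
$ErrorActionPreference = 'Stop'

# Sign in as the pipeline's service principal with the federated token the agent receives
# (assumed to be in $env:idToken, with $env:clientId and $env:tenantId set by the pipeline).
az login --service-principal --username $env:clientId --tenant $env:tenantId `
    --federated-token $env:idToken --allow-no-subscriptions | Out-Null

function Get-GraphTokenRoles {
    # Decode the 'roles' claim of the Graph access token az will send to graph.microsoft.com.
    $token   = az account get-access-token --resource-type ms-graph --query accessToken -o tsv
    $payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    return @($claims.roles)
}

function Invoke-GraphPost([string]$Url, [hashtable]$Body) {
    # az rest reads the body from a file (@path), which sidesteps shell quoting of JSON.
    $tmp = New-TemporaryFile
    try {
        $Body | ConvertTo-Json -Compress | Set-Content -Path $tmp.FullName -Encoding utf8
        az rest --method post --url $Url --headers 'Content-Type=application/json' `
            --body "@$($tmp.FullName)" -o json | ConvertFrom-Json
    } finally {
        Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
    }
}

function Invoke-GraphGet([string]$Url) {
    az rest --method get --url $Url -o json | ConvertFrom-Json
}

# 1. Which Graph application permissions does the token carry in this tenant?
#    Per the Graph docs, creating a servicePrincipal needs Application.ReadWrite.All (or .OwnedBy)
#    and POST appRoleAssignedTo needs AppRoleAssignment.ReadWrite.All; run this in both tenants and diff.
'Graph token roles: ' + ((Get-GraphTokenRoles) -join ', ')

# 2. Equivalent of Microsoft.Graph/applications@beta
$app = Invoke-GraphPost 'https://graph.microsoft.com/beta/applications' @{ displayName = 'bicep-graph-repro' }

# 3. Equivalent of Microsoft.Graph/servicePrincipals@beta
$sp = Invoke-GraphPost 'https://graph.microsoft.com/beta/servicePrincipals' @{ appId = $app.appId }

# 4. Equivalent of Microsoft.Graph/appRoleAssignedTo@beta: grant one Graph app role to the new SP.
#    The resource is Microsoft Graph's own service principal (well-known appId below);
#    'User.Read.All' is an arbitrary role chosen for the repro.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSp = (Invoke-GraphGet "https://graph.microsoft.com/beta/servicePrincipals?`$filter=appId%20eq%20'$graphAppId'").value[0]
$role    = $graphSp.appRoles | Where-Object { $_.value -eq 'User.Read.All' }
$assignment = Invoke-GraphPost "https://graph.microsoft.com/beta/servicePrincipals/$($graphSp.id)/appRoleAssignedTo" @{
    principalId = $sp.id
    resourceId  = $graphSp.id
    appRoleId   = $role.id
}
"appRoleAssignedTo created: $($assignment.id)"
```

Run the script once against each tenant and compare two things: the `roles` line (the app roles the principal's Graph token actually carries there, regardless of what the portal shows as granted) and which of steps 2 to 4 fails, if any. If step 3 or 4 fails here too, the problem is the principal's effective permissions in that tenant; if they succeed while the Bicep deployment still fails, the difference is confined to the ARM-mediated path, which is what the report asserts.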