Azure PIM: Internal Server Error (500) using PIM Graph API

Azure Active Directory_COLOR

I have some implementation where I created a MIM PowerShell Connector for Azure PIM (Privileged Identity Management. This Connector imports on-Premises AD groups and transfers the members to Azure PIM role assignments.

A couple of days ago the scripts of that connector throw errors in my implementation as well as at a customer.

I tried to reach the following endpoints in Graph Explorer and even there I get an error:

Graph Explorer states the following error:

  "error": {
    "code": "UnknownError",
    "message": "{"message":"An error has occurred."}",
  "innerError": {
    "request-id": "16e184f8-86cb-4424-abff-4fd3ac4a010e",
    "date": "2018-11-12T12:40:15"

While PowerShell throws an Internal Server Error (500)

There is also a Github Issue related to that error:

Strange thing was that while I get an error with Graph Explorer in my tenant, it worked well in the customer tenant, only PowerShell failed at customers tenant. hmmmmm.


I talked to the product group and was told there where some changes to the PIM Graph API as they added a scope check against the token.


My script uses a Username/Password Flow to get a token from Azure AD so I used a generic (well-known) client_id (1950a258-227b-4e31-a9cf-717495945fc2) instead of an applicationId from a registered app in my tenant.

But the client_id used in my script needs to have the following permissions to Graph API:

  • Directory.AccessAsUser.All
  • Directory.Read.All
  • Directory.ReadWrite.All
  • PrivilegedAccess.ReadWrite.AzureAD (The new one for the scope check)

So the solution was the to do the following to get my script and therefore the MIM Connector back working:

  1. Create an app registration (Native Client) in Azure AD
  2. Set the permissions above for Microsoft Graph
    (don’t forget to hit the grant permission button)
  3. Use the applicationId as client_Id in my PowerShell script.

And the Connector starts working properly like before.

Currently at time of writing this blog post the official PIM Graph API documentation does not state anything about that.




Author: Peter Stapf

Senior Consultant Identity and Access

3 thoughts on “Azure PIM: Internal Server Error (500) using PIM Graph API”

  1. Does PIM API require delegated access? Can at least the read operations be done with just App permissions? It is unclear from the documentation. But I am unable to access without delegation.

      1. That is what I assumed. Unfortunately doesn’t seem to be working that way in practice. Maybe it is a bug? It results in an error like this: { “error”: { “code”: “UnknownError”, “message”: “{\”errorCode\”:\”GraphTokenValidationFail\”,\”message\”:\”MS Graph token validation fail\”,\”target\”:null,\”details\”:null,\”innerError\”:null,\”instanceAnnotations\”:[],\”typeAnnotation\”:null}” ….

        And then I found where they only list PrivilegedAccess.ReadWrite.AzureAD & PrivilegedAccess.ReadWrite.AzureResources as Delegated Permissions.

        PrivilegedAccess.Read.AzureResources & PrivilegedAccess.Read.AzureAD are not even listed here.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: