Unable to query roleEligibilityScheduleInstances with managed identity

Stephen Osborn 0 Reputation points Microsoft Employee
2026-04-06T18:58:53.18+00:00

Trying to query roleEligibilityScheduleInstances using my managed identity within an Azure Function timer trigger.

It was granted RoleEligibilitySchedule.Read.Directory and given admin consent.

When I try to query that Graph endpoint I get 401 Unauthorized.

Other Graph calls work with the token/managed identity.

I have parsed the token and ensured that I get the roles that it had been granted.

I have tried via Invoke-MgGraphRequest and Invoke-RestMethod.

The documentation for roleEligibilityScheduleInstances says that delegated work or school accounts require an Entra role, but Application permissions (which is what I have for this MI) should be fine.

What am I doing wrong or missing that is causing me to get 401 Unauthorized for this endpoint?

Microsoft Security | Microsoft Graph
1 answer

Vasil Michev 125.8K Reputation points MVP Volunteer Moderator
2026-04-06T19:36:40.6333333+00:00

You seem to have all the prerequisites met, just double-check whether you are passing the correct token. An expired token perhaps? If using the Graph SDK for PowerShell, you can "peek" at the token by using the -OutputType HttpResponseMessage parameter for Invoke-MgGraphRequest, see this article for more details: https://office365itpros.com/2025/08/04/access-token-graph-sdk/

I can confirm that using a token with RoleEligibilitySchedule.Read.Directory permissions in app scope works just fine with the /v1.0/roleManagement/directory/roleEligibilityScheduleInstances endpoint.
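The token check the answer suggests, as an added PowerShell example that is not part of the answer or of the Graph SDK: it pulls the bearer token off the request the SDK actually sent and decodes the JWT payload to confirm the audience, the expiry and the presence of RoleEligibilitySchedule.Read.Directory in the `roles` claim. It assumes the HttpResponseMessage returned by Invoke-MgGraphRequest still carries its RequestMessage with the Authorization header.

```powershell
# Decode the payload (second segment) of a JWT without validating the signature.
# This is only for inspecting claims locally; it proves nothing about authenticity.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT (expected header.payload.signature)' }
    # Base64url -> Base64: swap URL-safe characters and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Summarise the claims that decide whether Graph will accept an app-only call.
function Test-GraphAppToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$RequiredRole = 'RoleEligibilitySchedule.Read.Directory'
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    [pscustomobject]@{
        Audience        = $claims.aud
        # Graph accepts either the URI form or the Graph app id as audience
        IsGraphAudience = $claims.aud -in @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
        ExpiresUtc      = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
        IsExpired       = $claims.exp -le $now
        Roles           = $claims.roles          # app permissions land here, not in 'scp'
        HasRequiredRole = ($claims.roles -contains $RequiredRole)
    }
}

# Usage inside the Function App after Connect-MgGraph -Identity (assumption: the SDK
# populates RequestMessage on the returned HttpResponseMessage, as the linked article describes).
$resp = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleInstances?$top=1' `
    -OutputType HttpResponseMessage
$jwt = $resp.RequestMessage.Headers.Authorization.Parameter
Test-GraphAppToken -Token $jwt | Format-List
```

A 401 with IsExpired false, IsGraphAudience true and HasRequiredRole true points away from the token itself and towards how it is attached to the request (for example a stale or differently-scoped token cached by Invoke-RestMethod).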

