5

I have created Azure Active Directory application manually. I want to add user and assign the user roles through PowerShell script.

I am able to add user with the PowerShell script but not able to add app roles under manifest in azure active directory application.

Is it possible to add app role through PowerShell script?

marc_s
Pavan
  • Update the Application entity :) Can't remember the PS cmdlet for that right now – juunas Aug 02 '18 at 10:59
  • You can set them using the Graph API. Here is good reading from juunas https://joonasw.net/view/defining-permissions-and-roles-in-aad – Martin Brandl Aug 02 '18 at 11:48

1 Answer

11

You can do this while creating a new app using New-AzureADApplication or for an existing application using Set-AzureADApplication. I don't see a command specifically to add/remove just the roles and that's why the above two options.

Here's an example PowerShell script for adding a new app role to an existing registered application:

Connect-AzureAD -TenantId <Tenant GUID>

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User")
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name
    return $appRole
}

# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles

$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)

Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles

Once you are done with the above script to add the AppRole, assigning roles to a user is pretty simple and a direct command is available. Here's a sample script for that -

# Assign the values to the variables
$username = "<Your user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"

# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }

# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Rohit Saigal
  • Hello Neo99, I want to skip the pop-up for login to AzureAD. So I made it parameterised, but I'm getting the error "must have to run Connect-AzureAD" – Pavan Aug 06 '18 at 07:15
  • $ssAADKey = ConvertTo-SecureString $AADKey -AsPlainText -Force
    $psCredential = New-Object System.Management.Automation.PSCredential($AADAppID, $ssAADKey)
    #Connect-AzureRmAccount -ServicePrincipal -Credential $psCredential -TenantId $tenantId
    Connect-AzureAD -Credential $psCredential
    Set-AzureRMContext -Subscription $subId -NAME $SubscriptionName – Pavan Aug 06 '18 at 07:22
  • Hi @rohit, could you perhaps take a look at this: https://stackoverflow.com/questions/53233876/azure-runbook-cant-modify-azure-ad-application – BennyM Nov 09 '18 at 22:30