1: Is anyone aware of a tool that can manage the assignment of Roles for Azure AD Users (the appRoles defined in the manifest) for Enterprise Applications in Azure AD?

I am talking about how to Assign Roles (app specific) to existing Azure AD Users. It’s a very slow process using the Azure Portal for this.

Of course, we could create this tool, but it would be nice if such a tool already exists. What are large organizations with many Azure AD Enterprise Apps using today?

2: Is it really best practice to manually edit the manifest file in the portal? It would make more sense to have the file (the AppRoles section) in git along with the application code.

Thomas
  • I second PowerShell here. Worked for me even when there was no GUI available. – trailmax Dec 10 '18 at 15:09
  • Well. PowerShell is great and will work. But let's say your company has 1000 users and 50 apps in Azure AD. And you want to manage the assignment of roles. And most likely this task will be done by a few business users. Not by Dev or Admins. – Thomas Dec 10 '18 at 16:06
  • That's what groups and policies are for. – Dec 10 '18 at 19:30

2 Answers


Is anyone aware of a tool that can manage Roles for Azure AD Users

AFAIK, there isn't any specific tool available to manage Application roles.

Overall, you should be able to use the following options for add/edit/update operations on application roles and for assigning them to existing AD users:

NOTE: Also, in case you are dealing with a large number of users, you could consider assigning security groups to app roles instead of doing it for individual users. It's an option worth considering, although it requires an Azure AD Premium license. (Update - Also see the comment from Philippe Signoret at the end of this answer about assigning groups to app roles, delegating management of the assigned groups and self-service group management.)

  1. Azure Portal by editing application manifest json (you're aware of this already)

  2. PowerShell -

    I've added a script for this one at the end. You can do this while creating a new app using New-AzureADApplication or for an existing application using Set-AzureADApplication.

    For assigning these roles to existing users, you can use New-AzureADUserAppRoleAssignment as I have shown below with the updated script.

  3. Azure AD Graph API -

    You can work with the AppRole type and Application entity for managing app roles themselves. Documentation here

    You can work with the AppRoleAssignment entity for assigning these roles to existing Azure AD users etc. Documentation here

  4. Microsoft Graph API -

    Documentation here - Please notice this is available only in beta version - so it's not yet good for production applications.

    Look here for working with App Role Assignments

For your production applications, you could read application roles from a json file (part of source control like git etc.) and feed that into one of the programmatic options like PowerShell or Azure AD Graph API.

Here is the PowerShell script. Also take a look at these SO posts where we discussed something similar but only in the scope of PowerShell.

SO Post 1

SO Post 2 (This question discusses parsing json file and updating Application manifest using PowerShell)

Connect-AzureAD -TenantId <Tenant GUID>

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User");
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name;
    return $appRole
}

# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles

$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)

# -AppRoles replaces the whole collection, so the full list (existing + new) is passed back
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles

Once you are done with the above script to add the AppRole, assigning roles to a user is pretty simple and a direct command is available. Here's a sample script for that -

# Assign the values to the variables
$username = "<Your user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"

# Get the user to assign, and the service principal for the app to assign to
# (role assignments live on the service principal, not on the app registration)
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }

# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Rohit Saigal
  • For #1 I was talking about managing the roles that are assigned to the users. Not the roles themselves. **"I am talking about how to Assign Roles (app specific) to existing Azure AD Users."** Sorry if I was unclear about this. Again, what are large organizations with many Azure AD Enterprise Apps using today? PowerShell. Really? – Thomas Dec 10 '18 at 15:59
  • @Thomas I have updated the answer to add details for assigning roles to users for all options (i.e. PowerShell, Azure AD Graph API and Microsoft Graph API). I can not answer specifically what large organizations are doing for this today, but I have tried to list the ways available, and another thing that comes to mind is making use of security groups to assign roles to a big group of users instead of doing it at the individual user level.. only if that's an option for you.. It needs an Azure AD Premium license though. I have added a note in my answer as well. – Rohit Saigal Dec 10 '18 at 16:27
  • Thanks. Good answer. I assume that larger orgs are creating their own tools (based on the APIs) to manage this. – Thomas Dec 10 '18 at 16:29
  • You're welcome. In absence of other options that could solve all requirements like you mention usage by business users and doing it in a faster way than what portal allows, making use of APIs to come up with something custom would be logical. – Rohit Saigal Dec 10 '18 at 16:30
  • @Thomas Larger orgs aren't assigning users one by one, they're assigning *groups* to app roles, and delegating management of the assigned groups (most large orgs have an existing process/solution for this). Out of the box, Azure AD's own [self-service group management](https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-self-service-management) would be an example. (Transparency: [I work for Microsoft](https://stackoverflow.com/users/325697/philippe-signoret?tab=profile) and the ability to assign groups to app roles is a feature of Azure AD Premium.) – Philippe Signoret Dec 11 '18 at 08:40
  • @PhilippeSignoret Good point. The self-service group management was the missing piece. Thanks. – Thomas Dec 11 '18 at 12:22
  • @PhilippeSignoret thanks for your comment. That makes sense. For anyone referring to this post in future, I've edited the answer to mention this as well. – Rohit Saigal Dec 12 '18 at 04:46
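Putting the answer's "JSON file in git, fed into PowerShell" suggestion together with the group-based assignment from the note and the comments, the script below is an added example (my code, not Rohit's, Microsoft's or any project's) that treats the JSON file as the desired state and reconciles both the app roles and the group-to-role assignments against it, so the same run is safe to repeat from a pipeline. It uses the same AzureAD module cmdlets as the answer and assumes an existing Connect-AzureAD session; the application name, group names and JSON content are made up, and the `-RemoveStale` switch is my own. Two caveats a practitioner should know: the AzureAD PowerShell module has since been retired in favour of Microsoft Graph PowerShell, so the cmdlet names will need translating, and group assignment to app roles requires Azure AD Premium, as stated in the answer.

```powershell
# Added example, not from the original answer: desired-state management of app roles
# and group-to-role assignments from a JSON file kept in source control.
# Assumes the AzureAD module and an existing Connect-AzureAD session. The application
# name, group names and JSON content below are made up for illustration.
param([switch]$RemoveStale)   # only remove assignments missing from the file when set

# Constructed sample of the file you would keep in git next to the app code
# (e.g. approles.json); in a pipeline read it with Get-Content -Raw instead.
$desiredJson = @'
{
  "application": "Contoso Expense Portal",
  "appRoles": [
    { "value": "Expense.Approver", "displayName": "Expense Approver",
      "description": "Can approve submitted expense reports",
      "assign": [ "grp-expense-approvers" ] },
    { "value": "Expense.Auditor", "displayName": "Expense Auditor",
      "description": "Read-only access to all reports",
      "assign": [ "grp-internal-audit" ] }
  ]
}
'@
$desired = $desiredJson | ConvertFrom-Json

$app = Get-AzureADApplication      -Filter "displayName eq '$($desired.application)'"
$sp  = Get-AzureADServicePrincipal -Filter "displayName eq '$($desired.application)'"
if (-not $app -or -not $sp) { throw "App registration or service principal '$($desired.application)' not found" }

# 1. Reconcile the AppRoles collection on the app registration.
# Set-AzureADApplication -AppRoles replaces the whole collection, so pass the full
# list back: existing roles are matched by Value (the claim the application sees),
# missing ones are created, undeclared ones are disabled first because Azure AD
# refuses to delete a role that is still enabled; a later run then removes them.
$roles = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]'
foreach ($existing in $app.AppRoles) { $roles.Add($existing) }

foreach ($d in $desired.appRoles) {
    $role = $roles | Where-Object { $_.Value -eq $d.value }
    if (-not $role) {
        $role = New-Object Microsoft.Open.AzureAD.Model.AppRole
        $role.Id    = New-Guid
        $role.Value = $d.value
        $role.AllowedMemberTypes = New-Object 'System.Collections.Generic.List[string]'
        $role.AllowedMemberTypes.Add("User")   # "User" also allows group assignment
        $roles.Add($role)
    }
    $role.DisplayName = $d.displayName
    $role.Description = $d.description
    $role.IsEnabled   = $true
}
$declared = @($desired.appRoles | ForEach-Object { $_.value })
foreach ($r in @($roles)) {
    if ($r.Value -and $declared -notcontains $r.Value) {
        if ($r.IsEnabled) { Write-Warning "Disabling undeclared role '$($r.Value)'"; $r.IsEnabled = $false }
        else              { Write-Warning "Removing disabled role '$($r.Value)'";    [void]$roles.Remove($r) }
    }
}
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $roles
$sp = Get-AzureADServicePrincipal -ObjectId $sp.ObjectId   # re-read: the SP mirrors the new roles

# 2. Reconcile group -> role assignments on the service principal.
# An assignment is keyed by (PrincipalId, role Id). Anything present in the tenant but
# absent from the file is drift: always reported, removed only with -RemoveStale.
$current = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true)
$wanted  = @{}
foreach ($d in $desired.appRoles) {
    $role = $sp.AppRoles | Where-Object { $_.Value -eq $d.value }
    foreach ($groupName in $d.assign) {
        $group = Get-AzureADGroup -Filter "displayName eq '$groupName'"
        if (-not $group) { Write-Warning "Group '$groupName' not found; skipping"; continue }
        $wanted["$($group.ObjectId)|$($role.Id)"] = $true
        $have = $current | Where-Object { $_.PrincipalId -eq $group.ObjectId -and $_.Id -eq $role.Id }
        if (-not $have) {
            # Group-to-role assignment requires Azure AD Premium, as noted in the answer above.
            New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
                -ResourceId $sp.ObjectId -Id $role.Id | Out-Null
            Write-Host "Assigned group '$groupName' to role '$($d.value)'"
        }
    }
}
foreach ($a in $current) {
    if ($wanted.ContainsKey("$($a.PrincipalId)|$($a.Id)")) { continue }
    Write-Warning "Drift: $($a.PrincipalType) '$($a.PrincipalDisplayName)' holds role $($a.Id) but is not in the file"
    # Only users and groups are managed here; ServicePrincipal entries are application
    # permissions granted to other apps and are deliberately left alone.
    if ($RemoveStale -and $a.PrincipalType -in 'User','Group') {
        Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $a.ObjectId
    }
}
```

Run it without `-RemoveStale` first to see what the tenant holds that the file does not (direct user assignments made in the portal, groups nobody remembers adding), and only pass the switch once the file is accepted as the source of truth. Because the file lists groups rather than people, day-to-day access changes happen through group membership (self-service group management or the existing joiner/mover/leaver process), and the file itself only changes when a role or its owning group changes, which is exactly the kind of change that should go through a pull request.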

Late response but possibly better late than never, Terraform has support for this: https://www.terraform.io/docs/providers/azuread/r/application.html

ohuk