
I have created a new custom AppRole in the App Manifest and I want to assign this new AppRole to all the users of the application. I researched this and found several links on how to assign a new AppRole to a user using PowerShell or Bash, but I need to assign the new AppRole to all the users (nearly 1500 users) using a script. Does anyone have any idea how to do this?

Below are a few links I looked into, but they assign the role to a single user:

https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azureadps-2.0

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal

Pinal Dave
  • One possibility (which I haven't tried) would be to run the appRole add requests with the MS Graph API batch endpoint: https://learn.microsoft.com/en-us/graph/json-batching. It allows you to run a set of requests with one HTTP request, which should speed up the process. – juunas Mar 06 '19 at 17:42
  • Also, 1500 isn't that many, you could just get the users you want to have the app role and add the role to all of them with a loop :) – juunas Mar 06 '19 at 17:42
  • I agree with @juunas, 1500 isn't a high number, but do know that Microsoft Graph API provides related functionality only with the beta endpoint and not with v1.0 yet, so it won't be recommended for any production code/scenario. I've added a small note on that in my answer. – Rohit Saigal Mar 06 '19 at 17:57

1 Answer


You already looked at the Azure Portal and the UI available there, and it isn't very well suited for bulk operations (only one role can be assigned at a time, users have to be selected one by one, and there isn't a way to bulk-select users based on some criteria, etc.).

The following options might help you:

  1. Assign a group to role instead of individual users

    This requires a premium version of Azure AD. It's much more convenient not just for first time assignment but for managing overall.

  2. Scripting/API options (PowerShell, CLI, Azure AD Graph API, Microsoft Graph API)

    The idea is to loop through all users (or a desired subset of users based on some criteria) and assign the appropriate app role to each of them.

    Here's a sample script for PowerShell.

    Connect-AzureAD -TenantId <Your Tenant Id>
    
    $app_name = "RolesWebApp"
    $app_role_name = "Writer"
    
    # Get the service principal for the app and the app role defined on it
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    
    # Sample only: -Top 10 limits the run to 10 users; use -All $true to page through every user
    $users = Get-AzureADUser -Top 10
    
    foreach ($user in $users)
    {
         # Assign the user to the app role (the user is both the object and the principal;
         # the resource is the app's service principal)
         New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
             -ResourceId $sp.ObjectId -Id $appRole.Id
    }
    

Take a look at this SO thread where we discussed something very similar; it has more details on each of the individual options.

Special note on Microsoft Graph API:

Even though for most scenarios it will be recommended to work with Microsoft Graph API instead of Azure AD Graph API, this particular functionality is only available in the beta endpoint. So it would not be advisable to use it for any production code. Working with appRoleAssignments

Rohit Saigal
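The loop in the answer above, as an added example that is not part of the original answer, extended to the full-tenant case the question asks about: it pages through every user with `-All $true`, reads the service principal's existing assignments first so re-running the script after a partial failure does not create duplicates, and records per-user errors instead of aborting a 1500-user run on the first one. The app name "RolesWebApp", role name "Writer" and the tenant id are placeholders, and the `$DryRun` switch is a convenience defined here, not an AzureAD module feature; the account running it needs a role allowed to manage app role assignments (Application Administrator or Cloud Application Administrator).

```powershell
# Added example (not the original answer's code): bulk-assign one app role to all
# users with the AzureAD module, idempotently. App/role/tenant values are placeholders.
param(
    [string]$TenantId    = "<Your Tenant Id>",
    [string]$AppName     = "RolesWebApp",
    [string]$AppRoleName = "Writer",
    [switch]$DryRun      # hypothetical switch: report what would change, assign nothing
)

Connect-AzureAD -TenantId $TenantId | Out-Null

# Resolve the service principal and the role once; fail fast if either is missing.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppName'"
if (-not $sp) { throw "Service principal '$AppName' not found" }
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $AppRoleName }
if (-not $appRole) { throw "App role '$AppRoleName' not found on '$AppName'" }

# -All $true pages through every user (the answer's -Top 10 was only a sample).
$users = Get-AzureADUser -All $true

# Principals that already hold this role on the app, keyed by object id, so the
# run is idempotent and safe to repeat after a partial failure.
$existing = @{}
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    Where-Object { $_.Id -eq $appRole.Id } |
    ForEach-Object { $existing[$_.PrincipalId] = $true }

$assigned = 0; $skipped = 0; $failed = @()
foreach ($user in $users) {
    if ($existing.ContainsKey($user.ObjectId)) { $skipped++; continue }
    if ($DryRun) {
        Write-Host "Would assign '$AppRoleName' to $($user.UserPrincipalName)"
        $assigned++; continue
    }
    try {
        New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
            -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id | Out-Null
        $assigned++
    } catch {
        # Record the failure and keep going; review the list at the end and re-run.
        $failed += [pscustomobject]@{
            User  = $user.UserPrincipalName
            Error = $_.Exception.Message
        }
    }
}

Write-Host "Assigned: $assigned  Skipped (already had role): $skipped  Failed: $($failed.Count)"
if ($failed.Count -gt 0) { $failed | Format-Table -AutoSize }
```

Run it once with `-DryRun` to confirm the user set and the resolved role before making changes; because assignments already present are skipped, a second real run only touches the users listed in the failure table. If only a subset of users should get the role, replace `Get-AzureADUser -All $true` with a filtered query (or a group's members) rather than filtering inside the loop, so the whole tenant is not enumerated on every run.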