
I'm trying to create an app role with two allowedMemberTypes, Application and Users, but it throws an error: Invalid value specified for property 'allowedMemberTypes' of resource 'AppRole'.

Here are the cmdlets:

$contributorRole = new-object Microsoft.Open.AzureAD.Model.AppRole -Property @{
    IsEnabled = $true;
    Description = "Read/write access";
    DisplayName = "Contributor";
    AllowedMemberTypes = @("User", "Application");
    Id = [guid]::NewGuid().ToString();
    Value = "bcc.contributor";
};

$myApp = New-AzureADApplication -Oauth2AllowImplicitFlow $true -Oauth2RequirePostResponse $true -DisplayName $displayName -AppRoles $contributorRole

Here is the result of the cmdlets:

[screenshot of the result omitted]

If you remove "Application" from $contributorRole, it works.

Iris

1 Answer

I tried testing a couple of scenarios with your code, and I was able to perform the operation you are trying to do.

Scenario 1: Create a new Azure AD application with an app role

Connect-AzureAD
$displayname = "Test1"
$contributorRole = new-object Microsoft.Open.AzureAD.Model.AppRole -Property @{
    IsEnabled = $true;
    Description = "Read/write access";
    DisplayName = "Contributor";
    AllowedMemberTypes = @("User", "Application");
    Id = [guid]::NewGuid().ToString();
    Value = "bcc.contributor";
};
# The role object must be passed to -AppRoles (it was missing from the original line)
$myApp = New-AzureADApplication -Oauth2AllowImplicitFlow $true -Oauth2RequirePostResponse $true -DisplayName $displayName -AppRoles $contributorRole

[screenshot of the result omitted]

Scenario 2: Create an app role on an existing Azure AD application (application created via the portal)

Connect-AzureAD
$contributorRole = new-object Microsoft.Open.AzureAD.Model.AppRole -Property @{
    IsEnabled = $true;
    Description = "Read/write access";
    DisplayName = "Contributor";
    AllowedMemberTypes = @("User", "Application");
    Id = [guid]::NewGuid().ToString();
    Value = "bcc.contributor";
};

$myApp = Get-AzureADApplication -Filter "DisplayName eq 'Test2'"
# -AppRoles sets the application's whole appRoles collection, so any roles the
# application already had and that are not included here will be dropped
$change = Set-AzureADApplication -ObjectID $myApp.ObjectId -AppRoles $contributorRole

[screenshot of the result omitted]

Note: Using a subscription-level account it has failed; I would suggest you log in with an admin account of the Azure AD, i.e. admin@domainname.onmicrosoft.com

RahulKumarShaw
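Building on Scenario 2 above, here is an added example (not code from the question or the answer) that adds a role with both member types to an existing application while keeping the roles it already has, then reads the application back to confirm the value was accepted. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the function name, parameters and the application/role names are placeholders.

```powershell
# Added example: append an app role to an existing Azure AD application.
# Assumes Connect-AzureAD has been run with an account allowed to update the app.
function Add-AppRoleToApplication {
    param(
        [Parameter(Mandatory)] [string]   $AppDisplayName,
        [Parameter(Mandatory)] [string]   $RoleValue,
        [Parameter(Mandatory)] [string]   $RoleDisplayName,
        [string]   $Description = "",
        [string[]] $AllowedMemberTypes = @("User", "Application")
    )

    $app = @(Get-AzureADApplication -Filter "DisplayName eq '$AppDisplayName'")
    if ($app.Count -ne 1) {
        throw "Expected exactly one application named '$AppDisplayName', found $($app.Count)"
    }
    $app = $app[0]

    # Role values must be unique within an application; refuse to create a duplicate.
    if ($app.AppRoles | Where-Object { $_.Value -eq $RoleValue }) {
        throw "Role value '$RoleValue' already exists on '$AppDisplayName'"
    }

    $newRole = New-Object Microsoft.Open.AzureAD.Model.AppRole -Property @{
        IsEnabled          = $true
        Description        = $Description
        DisplayName        = $RoleDisplayName
        AllowedMemberTypes = $AllowedMemberTypes
        Id                 = [guid]::NewGuid().ToString()
        Value              = $RoleValue
    }

    # -AppRoles replaces the whole collection, so send the existing roles plus the new one.
    $roles = [System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]]::new()
    foreach ($existing in $app.AppRoles) { $roles.Add($existing) }
    $roles.Add($newRole)
    Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $roles

    # Read back and show the stored role, including the accepted member types.
    $updated = Get-AzureADApplication -ObjectId $app.ObjectId
    $updated.AppRoles | Where-Object { $_.Value -eq $RoleValue } |
        Select-Object DisplayName, Value, IsEnabled, AllowedMemberTypes
}

# Usage with placeholder names (constructed, not from the page):
# Add-AppRoleToApplication -AppDisplayName "Test2" -RoleValue "bcc.contributor" `
#     -RoleDisplayName "Contributor" -Description "Read/write access"
```

The read-back at the end is the check worth keeping: if the directory silently rejected one of the member types, the AllowedMemberTypes column would show it.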