Programmatically assign users to Azure AD Application using Graph API
I am trying to write a script to assign users to an Azure AD application (servicePrincipal) using Graph API. I am testing this in my sandbox, where I have defined the app and assigned users to it. However, when I query the servicePrincipal, I don't see the users anywhere in the response.

Questions:

  1. Based on the documentation, shouldn't there be an appRoleAssignment?

  2. The documentation says this field is read-only, so how are you supposed to assign users?

Dysuria answered 19/4, 2017 at 19:47 Comment(0)
You can get the appRoleAssignments of a user via the navigation property when querying the Graph API:

https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6

You can create assignments by making an HTTP POST to:

https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6

The object that you need to send looks like this:

{
  "id": "id-of-role",
  "principalId": "objectId-of-user",
  "resourceId": "objectId-of-service-principal"
}

If your app does not have any roles, but you still want to assign a user, it seems you can just set the id to all zeros:

Where the resource does not declare any permissions, a default id (zero GUID) must be specified.

So something like:

{
  "id":"00000000-0000-0000-0000-000000000000",
  "resourceId": "a27d8321-3dc6-44a1-bf19-2546a9f2806e",
  "principalId": "c4f810b8-2ea1-4580-9595-30275a28c2a2"
}
Jut answered 19/4, 2017 at 19:52 Comment(6)
Thank you very much. I was trying to see if I could replicate this using the newer MSFT Graph API: developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/… but this is great. – Dysuria
I am struggling with this. If I get the object id OR the app id of the app from the tenant, I always get the error "resource does not exist". – Enwind
It's the object id of the service principal you need, not the application. You can find the service principal under Enterprise Applications in the Azure portal's Azure AD blade. In its Properties you'll find the object id. – Jut
I keep getting "One or more properties are invalid."... No answer seems to be available anywhere on the internet. – Roguery
Make a new question. Comments are for adding input to existing answers. – Jut
@Jut Perhaps you could check this question (#66976404)? This is a process to create user role assignments via the Microsoft Graph API, and it works, but I get an error when it encounters existing roles: 'message': 'Permission being assigned already exists on the object' – Busterbustle
The accepted answer is a bit outdated now. The URL you need is:

https://graph.microsoft.com/v1.0/<tenantID>/users/<userObjectID>/appRoleAssignments

Send an HTTP POST with a body of:

{
  "principalId": "<objectId-of-user>",
  "resourceId": "<objectId-of-service-principal>",
  "principalType": "User",
  "appRoleId": "<id of role>"
}

The easiest way to test is via the Microsoft Graph Explorer

Or the way I'm doing it is via a bash script, calling the Azure CLI:

# Assumes these are already set: UUID (appRoleId), USER_ID (user objectId),
# SP (service principal objectId) and TENANT_ID.
cat <<- EOF > roleAssignment.json
{
  "appRoleId": "${UUID}",
  "principalId": "${USER_ID}",
  "principalType": "User",
  "resourceId": "${SP}"
}
EOF

# az rest reuses the CLI's signed-in token for graph.microsoft.com
az rest --method post --headers Content-type="application/json" --url "https://graph.microsoft.com/v1.0/${TENANT_ID}/users/${USER_ID}/appRoleAssignments" --body @roleAssignment.json
Luzon answered 2/9, 2020 at 8:50 Comment(0)
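The two answers and the comment thread together describe three things a script has to get right: the v1.0 request body, the zero-GUID appRoleId when the service principal declares no roles, and the "Permission being assigned already exists on the object" failure when an assignment is posted twice. The following Python is an added example for this thread, not code posted by any answerer. It assumes a caller-supplied `send(method, url, body) -> (status, json)` transport (a thin wrapper over `requests` or `az rest` in practice) so that it runs offline; `ensure_assignment`, `resolve_app_role_id`, `make_fake_graph` and the sample role id are this example's own constructions, while the URL, body fields and the two object ids come from the answers above.

```python
"""Idempotent appRoleAssignment helper for Microsoft Graph v1.0.

Added example for this thread, not code from any answer. The transport is
injected as send(method, url, body) -> (status, json) so it runs offline;
the fake Graph at the bottom is constructed for the demo.
"""
import uuid
from typing import Callable, List, Optional, Tuple

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
# Graph requires the zero GUID when the resource declares no app roles.
DEFAULT_APP_ROLE_ID = "00000000-0000-0000-0000-000000000000"
Send = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def _guid(value, name: str) -> str:
    """Normalise to canonical lowercase form and reject non-GUIDs before the API does."""
    try:
        return str(uuid.UUID(str(value)))
    except ValueError:
        raise ValueError(f"{name} must be a GUID, got {value!r}") from None


def resolve_app_role_id(service_principal: dict, role_name: Optional[str] = None) -> str:
    """Pick the appRoleId: zero GUID if no roles are declared, else the named enabled User role."""
    roles = service_principal.get("appRoles") or []
    if not roles:
        return DEFAULT_APP_ROLE_ID
    if role_name is None:
        raise ValueError("service principal declares app roles; name one by displayName")
    for role in roles:
        if role.get("displayName") != role_name:
            continue
        if not role.get("isEnabled", False):
            raise ValueError(f"role {role_name!r} is disabled")
        if "User" not in role.get("allowedMemberTypes", []):
            raise ValueError(f"role {role_name!r} does not allow User members")
        return _guid(role.get("id"), "appRoleId")
    raise ValueError(f"role {role_name!r} is not declared on the service principal")


def build_assignment(user_id: str, sp_id: str, app_role_id: str) -> dict:
    """Request body for POST /users/{id}/appRoleAssignments (v1.0 shape from the answer)."""
    return {
        "principalId": _guid(user_id, "principalId"),
        "resourceId": _guid(sp_id, "resourceId"),
        "principalType": "User",
        "appRoleId": _guid(app_role_id, "appRoleId"),
    }


def find_existing(assignments: List[dict], sp_id: str, app_role_id: str) -> Optional[dict]:
    """Return the user's existing assignment for this resource/role, if any."""
    for item in assignments:
        if item.get("resourceId") == sp_id and item.get("appRoleId") == app_role_id:
            return item
    return None


def ensure_assignment(send: Send, user_id: str, sp: dict, role_name: Optional[str] = None) -> dict:
    """Assign the user once; a re-run finds the existing row instead of triggering
    Graph's 'Permission being assigned already exists on the object' error."""
    sp_id = _guid(sp.get("id"), "resourceId")
    role_id = resolve_app_role_id(sp, role_name)
    url = f"{GRAPH_V1}/users/{_guid(user_id, 'principalId')}/appRoleAssignments"
    status, current = send("GET", url, None)
    if status != 200:
        raise RuntimeError(f"GET {url} -> {status}: {current}")
    existing = find_existing(current.get("value", []), sp_id, role_id)
    if existing is not None:
        return {"created": False, "assignment": existing}
    status, created = send("POST", url, build_assignment(user_id, sp_id, role_id))
    if status != 201:
        raise RuntimeError(f"POST {url} -> {status}: {created}")
    return {"created": True, "assignment": created}


# Constructed sample data: ids from the thread plus a made-up app role. Not real tenant data.
USER_ID = "c4f810b8-2ea1-4580-9595-30275a28c2a2"   # objectId of the user
ROLE_ID = "11111111-2222-3333-4444-555555555555"   # constructed appRole id
SAMPLE_SP = {
    "id": "a27d8321-3dc6-44a1-bf19-2546a9f2806e",  # objectId of the service principal
    "appRoles": [{"id": ROLE_ID, "displayName": "Reader",
                  "isEnabled": True, "allowedMemberTypes": ["User"]}],
}


def make_fake_graph(initial: Optional[List[dict]] = None) -> Send:
    """Offline stand-in: GET lists assignments, POST rejects duplicates the way Graph does."""
    store: List[dict] = list(initial or [])

    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        if method == "GET":
            return 200, {"value": list(store)}
        if method == "POST" and body is not None:
            if find_existing(store, body["resourceId"], body["appRoleId"]):
                return 400, {"error": {"message": "Permission being assigned already exists on the object"}}
            record = dict(body, id=str(uuid.uuid4()))
            store.append(record)
            return 201, record
        return 405, {}

    return send


def demo() -> Tuple[bool, bool, str]:
    """Run the assignment twice: the first creates it, the second is a no-op."""
    send = make_fake_graph()
    first = ensure_assignment(send, USER_ID, SAMPLE_SP, "Reader")
    second = ensure_assignment(send, USER_ID, SAMPLE_SP, "Reader")
    return first["created"], second["created"], first["assignment"]["appRoleId"]


if __name__ == "__main__":
    print(demo())  # (True, False, '11111111-2222-3333-4444-555555555555')
```

To run it against a real tenant, replace `make_fake_graph()` with a `send` that attaches a bearer token with `AppRoleAssignment.ReadWrite.All` (application) or the equivalent delegated permission and returns `(response.status_code, response.json())`; the GET-before-POST keeps the script safe to re-run from automation, and validating the GUIDs locally turns the generic "resource does not exist" / "One or more properties are invalid" failures from the comments into a message that names the offending field.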
