Add members to Azure Enterprise App through CLI
We have an enterprise application in our Azure AD tenant for provisioning users to another SaaS platform. Currently it is only set up with the option "Sync only assigned users and groups", since we do not want the whole directory brought over.

My question is simple: is there a way to use the az-cli (currently have version 2.0.60 installed) to add users to that enterprise application?

I checked out the:

  • az ad sp
  • az ad app
  • az role assignment (seems to only work with subscriptions and resources below)

I would expect there would be a simple role assignment command to run that adds a user by upn/objectId to the enterprise application.

Everyone on my team is using Macs, and we could use PowerShell Core if that has better support.

Thanks!

Galvanometer answered 27/3, 2019 at 6:15 Comment(3)
Just to confirm: you want to add the user in the Users and groups or Owners in the screenshot? i.sstatic.net/XOsx1.png - Freeway
Users and Groups - Galvanometer
Whoever is interested in this should upvote here: github.com/Azure/azure-sdk-for-net/issues/8794 - Fingerling
It seems you cannot do that via the Azure CLI; my workaround is to use PowerShell to do that.

Everyone on my team is using Macs, and we could use PowerShell Core if that has better support.

First, you need to install the AzureAD.Standard.Preview PowerShell module, which supports PowerShell Core. You can think of the module as the equivalent of the AzureAD module for PowerShell Core; they have the same usage. It is a preview version; for more details see this link.

Then try the command New-AzureADUserAppRoleAssignment as below; this sample assigns a user to an application with the default app role id.

New-AzureADUserAppRoleAssignment -ObjectId "<user objectid>" -PrincipalId "<user objectid>" -ResourceId "<service principal objectid(i.e. Enterprise Application objectid)>" -Id ([Guid]::Empty)

[screenshot of the cmdlet output omitted]

Check in the portal:

[portal screenshot omitted]

If you want to assign a user to a specific app role within an application, try the command below.

$username = "<Your user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"

# Get the user to assign (Get-AzureADUser accepts a UPN or an object ID here),
# and the service principal (Enterprise Application) to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
if ($null -eq $sp -or $sp.Count -gt 1) { throw "Expected exactly one service principal named '$app_name'" }

# Look up the app role by its display name on the service principal
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
if ($null -eq $appRole) { throw "App role '$app_role_name' not found on '$app_name'" }

# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Freeway answered 27/3, 2019 at 7:49 Comment(1)
Thanks so much! It seems to work well, but unfortunately I cannot seem to get the module installed on my local client, since it appears to be only in an internal PSGallery; I can run that cmdlet from Azure's Cloud Shell, though. I am also not a fan of the HttpBadRequest from that call if the user is already in the application, but I can work around that one. - Galvanometer
If it helps, I did this using az rest. We all use Macs here, and PowerShell Core seems broken in a few places (it doesn't support certificate-based logins, and the New-AzureADUserAppRoleAssignment cmdlet didn't work for us; we were using the preview version). The Graph API docs are also quite wrong, so it took a bit of fiddling to get the right endpoint and payload. Example below:

# $user:       object ID of the user (principalId must be an object ID, not a UPN)
# $appRoleId:  id of the app role from the service principal's appRoles list
#              (00000000-0000-0000-0000-000000000000 for the default role)
# $spObjectId: object ID of the enterprise application's service principal
az rest \
  --method post \
  --uri "https://graph.microsoft.com/beta/users/$user/appRoleAssignments" \
  --body "{\"appRoleId\": \"$appRoleId\", \"principalId\": \"$user\", \"resourceId\": \"$spObjectId\"}" \
  --headers "Content-Type=application/json"

Can post a sample bash script for the above that sets the vars if anyone's interested?

Soy answered 6/2, 2020 at 8:55 Comment(2)
Hey @brendan-foxen - I would be interested! Also interested to know if your approach has moved on since you posted this. Thanks - Myrtice
This also works with groups by simply replacing "users" with "groups" and "$user" with "$group". - Matthaus
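The two answers above together describe the procedure: look up the service principal and the app role by display name (the PowerShell answer), then POST an appRoleAssignment through Graph using az rest as the authenticated transport (the az rest answer), for users or groups. The following is an added example, not code posted in this thread, that wraps both steps in Python and also handles the failure mode mentioned in the comments: Graph returns 400 Bad Request when the same principal is assigned the same role twice, so the script checks the service principal's appRoleAssignedTo collection first and returns the existing assignment instead of failing. Assumptions: `az login` has been run with an account allowed to create app role assignments (Graph permission AppRoleAssignment.ReadWrite.All or an equivalent directory role); the Graph v1.0 endpoint is used rather than the /beta one in the answer; the principal is passed as an object ID, not a UPN; all helper names are this example's own.

```python
"""Idempotently assign a user or group to an enterprise application's app role
through Microsoft Graph, using `az rest` only as the authenticated transport.

Added example for this thread, not the thread's own code. Assumes `az login`
with AppRoleAssignment.ReadWrite.All (or equivalent) and the Graph v1.0 endpoint."""
import json
import subprocess
import uuid
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# An app with no declared roles still accepts an assignment to the "default" role,
# whose id is the all-zero GUID ([Guid]::Empty in the PowerShell answer).
DEFAULT_ROLE_ID = str(uuid.UUID(int=0))


def odata_quote(value: str) -> str:
    """Quote a string for an OData $filter literal. Single quotes are doubled,
    so a display name like O'Brien's App cannot terminate the literal early."""
    return "'" + value.replace("'", "''") + "'"


def pick_app_role(service_principal: dict, role_display_name: Optional[str]) -> str:
    """Return the appRoleId to assign; None selects the default (all-zero) role.
    Exactly one enabled role must match, otherwise fail rather than guess."""
    if role_display_name is None:
        return DEFAULT_ROLE_ID
    matches = [r for r in service_principal.get("appRoles", [])
               if r.get("displayName") == role_display_name and r.get("isEnabled", True)]
    if len(matches) != 1:
        raise LookupError(f"expected one enabled app role named {role_display_name!r}, found {len(matches)}")
    return matches[0]["id"]


def existing_assignment(assigned_to: list, principal_id: str, app_role_id: str) -> Optional[dict]:
    """Find an assignment already present in the service principal's appRoleAssignedTo
    collection. Graph rejects a duplicate (principal, role) pair with 400, so check first."""
    for assignment in assigned_to:
        if assignment.get("principalId") == principal_id and assignment.get("appRoleId") == app_role_id:
            return assignment
    return None


def assignment_body(principal_id: str, resource_id: str, app_role_id: str) -> dict:
    """Body for POST /{users|groups}/{id}/appRoleAssignments. principalId and
    resourceId are object IDs (GUIDs), not UPNs or display names."""
    return {"principalId": principal_id, "resourceId": resource_id, "appRoleId": app_role_id}


def az_rest(method: str, uri: str, body: Optional[dict] = None) -> dict:
    """Run `az rest` and parse its JSON output (empty output, e.g. a 204, -> {})."""
    cmd = ["az", "rest", "--method", method, "--uri", uri,
           "--headers", "Content-Type=application/json", "--output", "json"]
    if body is not None:
        cmd += ["--body", json.dumps(body)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def graph_list(uri: str) -> list:
    """Collect a paged Graph collection by following @odata.nextLink."""
    items = []
    while uri:
        page = az_rest("GET", uri)
        items.extend(page.get("value", []))
        uri = page.get("@odata.nextLink")
    return items


def assign(principal_kind: str, principal_id: str, app_display_name: str,
           role_display_name: Optional[str] = None) -> dict:
    """principal_kind is 'users' or 'groups'. Returns the assignment, new or pre-existing."""
    sps = graph_list(f"{GRAPH}/servicePrincipals?$filter=displayName eq {odata_quote(app_display_name)}")
    if len(sps) != 1:
        raise LookupError(f"expected one service principal named {app_display_name!r}, found {len(sps)}")
    sp = sps[0]
    role_id = pick_app_role(sp, role_display_name)
    current = graph_list(f"{GRAPH}/servicePrincipals/{sp['id']}/appRoleAssignedTo")
    found = existing_assignment(current, principal_id, role_id)
    if found is not None:
        return found
    return az_rest("POST", f"{GRAPH}/{principal_kind}/{principal_id}/appRoleAssignments",
                   assignment_body(principal_id, sp["id"], role_id))


if __name__ == "__main__":
    import sys
    # usage: assign_app_role.py users|groups <principal object id> "<app display name>" ["<role display name>"]
    kind, pid, app = sys.argv[1:4]
    role = sys.argv[4] if len(sys.argv) > 4 else None
    print(json.dumps(assign(kind, pid, app, role), indent=2))
```

Running it twice for the same principal and role is safe: the second run returns the assignment found in appRoleAssignedTo rather than triggering the 400 the thread complains about. The display-name filter is quoted through odata_quote because the name is interpolated into a $filter expression; and because a tenant may contain several service principals with the same display name, the script refuses to proceed unless exactly one matches.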

© 2022 - 2024 — McMap. All rights reserved.