You’ve created an application in Azure AD, and want to script allocating access to the app rather than using the web interface. App show up at https://myapps.microsoft.com
Azure AD Premium is required for group access which would be ideal, but if you don’t have that you’ll need to add access on a user by user basis.
PowerShell of course. First, you’ll need Azure AD for PowerShell (Preview version 220.127.116.11 at time of writing).
The below script which I modified from Philippe’s comment here should cover both internal, cloud and B2B invited users. The original script was using -objectid rather than -searchstring which works better and is more accurate for the internal and cloud accounts, but doesn’t work at all for B2B accounts.
The AppID can be obtained from this command:
Get-AzureADApplication -SearchString “Display Name for App”
Put the corresponding AppID into the below script, and you’re good to go. You’ll get prompted for Azure AD credentials as per usual. You can also get this
This is designed for a single user addition, but you could easily import the email addresses from a CSV file, and do a ‘for each’ on each entry like I did here.
# The UserPrincipalName or ObjectId of the user
$userId = "firstname.lastname@example.org"
# The AppId (a.k.a. "client ID") of the app to assign the user to
$appId = "AppIDGoesHere"
# Connect to Azure AD
# Get the user to be added
$user = Get-AzureADUser -searchstring $userId
# Get the service principal for the app you would like to assign the user to
$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
# Create the app role assignment
new-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
Note: If you try this and get the error below, it’s because the app is already assigned.
new-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
Message: One or more properties are invalid.
At Z:\script.ps1:17 char:1
+ new-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
+ CategoryInfo : NotSpecified: (:) [New-AzureADUserAppRoleAssignment], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewUser