You may see this error if you’re using Azure AD Applications via the older GUI. Since there are zero Google results on it:
…this is just a quick post to say that the cause of the error seems to be due to a browser timeout – restart your browser and you should be fine!
Scenario:
You’ve created an application in Azure AD, and want to script allocating access to the app rather than using the web interface. App show up at https://myapps.microsoft.com
Azure AD Premium is required for group access which would be ideal, but if you don’t have that you’ll need to add access on a user by user basis.
Answer:
PowerShell of course. First, you’ll need Azure AD for PowerShell (Preview version 2.0.0.17 at time of writing).
The below script which I modified from Philippe’s comment here should cover both internal, cloud and B2B invited users. The original script was using -objectid rather than -searchstring which works better and is more accurate for the internal and cloud accounts, but doesn’t work at all for B2B accounts.
The AppID can be obtained from this command:
Get-AzureADApplication -SearchString “Display Name for App”
Put the corresponding AppID into the below script, and you’re good to go. You’ll get prompted for Azure AD credentials as per usual. You can also get this
This is designed for a single user addition, but you could easily import the email addresses from a CSV file, and do a ‘for each’ on each entry like I did here.
# The UserPrincipalName or ObjectId of the user $userId = "[email protected]" # The AppId (a.k.a. "client ID") of the app to assign the user to $appId = "AppIDGoesHere" # Connect to Azure AD Connect-AzureAD -Confirm # Get the user to be added $user = Get-AzureADUser -searchstring $userId # Get the service principal for the app you would like to assign the user to $servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'" # Create the app role assignment new-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
Note: If you try this and get the error below, it’s because the app is already assigned.
new-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
StatusCode: BadRequest
ErrorCode: Request_BadRequest
Message: One or more properties are invalid.
At Z:\script.ps1:17 char:1
+ new-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADUserAppRoleAssignment], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewUser
AppRoleAssignment
