Valid parameters for New-AzureADGroupAppRoleAssignment PowerShell

Time:08-12

I am trying to assign a group to the Azure application from PowerShell. For that, I activated the Azure AD Premium P2 license free trial recently as it is a prerequisite.

Command:

New-AzureADGroupAppRoleAssignment -ObjectId groupid -Id appid -PrincipalId groupid -ResourceId appid

Error:

New-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment 
Code: Request_ResourceNotFound
Message: Resource 'xxxxx-xxx-xxxx-xxxx' does not exist or one of its queried reference-property objects are not present.
RequestId: 85bd8a07-47b8-42d1-9ea8-4966b309350b
DateTimeStamp: Thu, 11 Aug 2022 07:46:33 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:1
  New-AzureADUserAppRoleAssignment -ObjectId  ...
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      CategoryInfo          : NotSpecified: (:) [New-AzureADUserAppRoleAssignment], ApiException
      FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewUserAppRoleAssignment

I'm guessing something is wrong with my parameters, but the document below does not give any working example for reference. It just mentions that the values should be strings:

New-AzureADGroupAppRoleAssignment | Microsoft Docs

I tried with both the appid and the objectid of the enterprise app and of the normal app, but I'm still getting the same error :( Has anyone tried this and made it work?

CodePudding user response:

I tried to reproduce the same in my environment and got the results below:

New-AzureADGroupAppRoleAssignment -ObjectId 7b344d79-xxxxx -Id 31dfe12d-xxxxxx -PrincipalId 7b344d79-xxxxxx -ResourceId 31dfe12d-xxxxxx

I ran the above command with the same parameters as you and got the same error.


To resolve the error, you need to pass parameters as below:

  • ObjectId - Your group object ID
  • PrincipalId - Your group object ID
  • ResourceId - Your Enterprise App's object ID
  • Id - AppRole ID

To make it simple, try using the PowerShell script below:

$groupid = "xxxxxxxxxxxx"          # object ID of the group to assign
$app_name = "your_app_name"        # display name of the enterprise application
$app_role_name = "your_app_role"   # display name of the app role to grant

$group = Get-AzureADGroup -ObjectId $groupid
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
# Match on the variable rather than a repeated literal
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }

# ObjectId and PrincipalId are the group; ResourceId is the service principal's object ID; Id is the app role ID
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id


When I ran the above script, the group was assigned to the app successfully.


Reference: Assign users and groups | Microsoft Docs
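As an added example (not part of the answer above), the same assignment can be made safer to re-run: the service principal is resolved by its Application (client) ID rather than a display name, which is not unique; the app role is checked to exist, be enabled and be assignable to users/groups before the call; and an existing assignment is detected instead of duplicated. All IDs and the role value are placeholders.

```powershell
# Added example, not from the original answer. Placeholders: replace the three values below.
$groupObjectId = "00000000-0000-0000-0000-000000000000"   # object ID of the group (placeholder)
$appClientId   = "11111111-1111-1111-1111-111111111111"   # Application (client) ID of the app (placeholder)
$appRoleValue  = "Reader"                                 # the app role's Value, not its DisplayName (placeholder)

$group = Get-AzureADGroup -ObjectId $groupObjectId

# appId is unique per tenant; displayName is not, so a displayName filter can
# silently select the wrong service principal when two apps share a name.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appClientId'"
if (-not $sp) { throw "No service principal found for appId $appClientId" }

# ResourceId must be the service principal's ObjectId, never its AppId.
$appRole = $sp.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
if (-not $appRole) { throw "App role '$appRoleValue' is not defined on '$($sp.DisplayName)'" }
if (-not $appRole.IsEnabled) { throw "App role '$appRoleValue' is disabled" }
if ($appRole.AllowedMemberTypes -notcontains 'User') {
    throw "App role '$appRoleValue' is not assignable to users or groups"
}

# Skip the call if the group already holds this role on this app, so re-runs are idempotent.
$existing = Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $appRole.Id }

if ($existing) {
    Write-Output "Group '$($group.DisplayName)' already has role '$appRoleValue' on '$($sp.DisplayName)'"
} else {
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId -Id $appRole.Id
}

# Review what the group is now entitled to: every app role assignment it holds.
Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId |
    Select-Object PrincipalDisplayName, ResourceDisplayName, Id
```

Requires the AzureAD module and an existing Connect-AzureAD session with rights to manage app role assignments.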
