I am trying to assign a group to the Azure application from PowerShell. For that, I activated the Azure AD Premium P2 license free trial recently as it is a prerequisite.
Command:
New-AzureADGroupAppRoleAssignment -ObjectId groupid -Id appid -PrincipalId groupid -ResourceId appid
Error:
New-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
Code: Request_ResourceNotFound
Message: Resource 'xxxxx-xxx-xxxx-xxxx' does not exist or one of its queried reference-property objects are not present.
RequestId: 85bd8a07-47b8-42d1-9ea8-4966b309350b
DateTimeStamp: Thu, 11 Aug 2022 07:46:33 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:1
New-AzureADUserAppRoleAssignment -ObjectId ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (:) [New-AzureADUserAppRoleAssignment], ApiException
FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewUserAppRoleAssignment
I'm guessing something is wrong with my parameters, but the document below does not give any working example for reference. It just mentions that the value must be a string:
New-AzureADGroupAppRoleAssignment | Microsoft Docs
I tried with both the appid and the objectid of the enterprise app and the normal app, but I'm still getting the same error :( Has anyone tried this and made it work?
CodePudding user response:
I tried to reproduce the same in my environment and got below results:
New-AzureADGroupAppRoleAssignment -ObjectId 7b344d79-xxxxx -Id 31dfe12d-xxxxxx -PrincipalId 7b344d79-xxxxxx -ResourceId 31dfe12d-xxxxxx
I ran the above command with the same parameters as you and got the same error as below:
To resolve the error, you need to pass parameters as below:
- ObjectId - Your group object ID
- PrincipalId - Your group object ID
- ResourceId - Your Enterprise App's object ID
- Id - AppRole ID
To make it simple, try using the PowerShell script below:
$groupid = "xxxxxxxxxxxx"
$app_name = "your_app_name"
$app_role_name = "your_app_role"
$group = Get-AzureADGroup -ObjectId $groupid
# Service principal (enterprise app); its ObjectId is what -ResourceId expects
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
# App role defined on that service principal; its Id is what -Id expects
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Output:
When I ran the above script, the group was assigned to the app successfully, like below:
Reference: Assign users and groups | Microsoft Docs
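The Request_ResourceNotFound error in the question is what you get when one of the four IDs does not point at the object the cmdlet expects. The script below is an added example, not the answerer's script: it resolves each ID, stops with a readable message when the group, service principal or app role cannot be found, skips the call when the assignment already exists, and reads the assignment back to confirm it. It assumes an existing Connect-AzureAD session with the AzureAD module; the group ID, app name and role name are placeholders.

```powershell
# Added example (not the original answer's code). Assumes Connect-AzureAD has
# already been run. All three values below are placeholders to replace.
$groupObjectId  = "11111111-1111-1111-1111-111111111111"   # placeholder: group object ID
$appDisplayName = "your_app_name"                           # placeholder: enterprise app name
$appRoleValue   = "your_app_role"                           # placeholder: app role Value or DisplayName

# -ObjectId and -PrincipalId both take the group's object ID
$group = Get-AzureADGroup -ObjectId $groupObjectId
if (-not $group) { throw "Group $groupObjectId not found" }

# -ResourceId takes the service principal's object ID, not the App (client) ID
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "No service principal named '$appDisplayName' in this tenant" }

# -Id takes the ID of an app role defined on that service principal
$appRole = $sp.AppRoles | Where-Object { $_.Value -eq $appRoleValue -or $_.DisplayName -eq $appRoleValue }
if (-not $appRole) {
    $available = ($sp.AppRoles | ForEach-Object { $_.DisplayName }) -join ", "
    throw "App role '$appRoleValue' is not defined on '$($sp.DisplayName)'. Available roles: $available"
}
if (-not $appRole.IsEnabled) { throw "App role '$($appRole.DisplayName)' is disabled" }

# Only create the assignment if the group does not already hold this role on this app
$existing = Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $appRole.Id }
if ($existing) {
    Write-Output "Group '$($group.DisplayName)' already has role '$($appRole.DisplayName)' on '$($sp.DisplayName)'"
} else {
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId -Id $appRole.Id | Out-Null
}

# Read the assignment back so the role actually granted is visible, not just the cmdlet's return value
Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId } |
    Select-Object PrincipalDisplayName, ResourceDisplayName, Id
```

The final listing should show one row whose Id equals the chosen app role's Id; any other row means the group holds an additional role on that app that is worth reviewing.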