Programmatically assign users to Azure AD Application using Graph API

I am trying to write a script to assign users to an Azure AD application (servicePrincipal) using Graph API. I am testing this in my sandbox, where I have defined the app and assigned users to it. However, when I query the servicePrincipal, I don't see the users anywhere in the response.

Questions:

  1. Based on the documentation, shouldn't there be appRoleAssignment?

  2. The documentation says this field is read-only, so how are you supposed to assign users?

babakh asked Apr 19 '17 19:04


2 Answers

You can get the appRoleAssignments of a user via the navigation property when querying the Graph API:

https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6

You can create assignments by making an HTTP POST to:

https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6

The object that you need to send looks like this:

{
  "id": "id-of-role",
  "principalId": "objectId-of-user",
  "resourceId": "objectId-of-service-principal"
}

If your app does not have any roles, but you still want to assign a user, it seems you can just set the id to all zeros:

Where the resource does not declare any permissions, a default id (zero GUID) must be specified.

So something like:

{
  "id":"00000000-0000-0000-0000-000000000000",
  "resourceId": "a27d8321-3dc6-44a1-bf19-2546a9f2806e",
  "principalId": "c4f810b8-2ea1-4580-9595-30275a28c2a2"
}
juunas answered Sep 25 '22 15:09


The accepted answer is a bit outdated now. The URL you need is:

https://graph.microsoft.com/v1.0/<tenantID>/users/<userObjectID>/appRoleAssignments

Send an HTTP POST with a content of:

{
  "principalId": "<objectId-of-user>",
  "resourceId": "<objectId-of-service-principal>",
  "principalType": "User",
  "appRoleId": "<id of role>"
}

The easiest way to test is via the Microsoft Graph Explorer.

Or the way I'm doing it is via a bash script, calling the Azure CLI:

# UUID = the appRoleId to grant, USER_ID = the user's objectId,
# SP = the objectId of the servicePrincipal, TENANT_ID = the tenant id.
# Every value must be expanded with ${VAR}; "{$USER_ID}" would send a literal brace.
cat <<- EOF > roleAssignment.json
{
  "appRoleId": "${UUID}",
  "principalId": "${USER_ID}",
  "principalType": "User",
  "resourceId": "${SP}"
}
EOF

# az rest reuses the CLI's signed-in credentials to obtain a Graph token.
az rest --method post --headers Content-type="application/json" --url "https://graph.microsoft.com/v1.0/${TENANT_ID}/users/${USER_ID}/appRoleAssignments" --body @roleAssignment.json
A Kingscote answered Sep 26 '22 15:09
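Both answers above show the request body but leave the lookups to the reader: which appRoleId to send (the zero GUID when the app declares no roles, as the accepted answer quotes from the docs), whether the assignment already exists, and how to check the ids before posting. The following is an added example, not code from either answer, that builds the Microsoft Graph v1.0 body from a servicePrincipal object as returned by GET /servicePrincipals/{id}, validates the GUIDs, skips duplicates found in GET /users/{id}/appRoleAssignments, and posts through an injected transport so the logic can be exercised offline. The sample servicePrincipal, its role ids, the fake transport and the helper names are constructed for the example; the bearer token is assumed to have been obtained separately (for instance with az account get-access-token).

```python
"""Build and submit a Microsoft Graph appRoleAssignment for a user.

Added example (not the answers' own code). Assumes Microsoft Graph v1.0 and a
bearer token obtained elsewhere; the HTTP transport is injected so the
body-building and duplicate checks run offline.
"""
import json
import uuid
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Default role id when the resource declares no appRoles (quoted docs in the accepted answer).
ZERO_GUID = "00000000-0000-0000-0000-000000000000"

# Constructed sample servicePrincipal (the objectId is the one from the accepted
# answer; the role ids are made up), shaped like GET /servicePrincipals/{id}.
SAMPLE_SP = {
    "id": "a27d8321-3dc6-44a1-bf19-2546a9f2806e",
    "appRoles": [
        {"id": "11111111-2222-3333-4444-555555555555", "value": "Reader",
         "isEnabled": True, "allowedMemberTypes": ["User"]},
        {"id": "66666666-7777-8888-9999-aaaaaaaaaaaa", "value": "Daemon",
         "isEnabled": True, "allowedMemberTypes": ["Application"]},
    ],
}
SAMPLE_USER = "c4f810b8-2ea1-4580-9595-30275a28c2a2"  # user objectId from the accepted answer


def resolve_app_role_id(service_principal: dict, role_value: Optional[str]) -> str:
    """Pick the appRoleId to assign from the servicePrincipal's appRoles list.

    Falls back to the zero GUID when the app declares no roles or no role is
    requested; refuses roles that are disabled or not assignable to users.
    """
    roles = [r for r in service_principal.get("appRoles", []) if r.get("isEnabled", True)]
    if role_value is None or not roles:
        return ZERO_GUID
    for role in roles:
        if role.get("value") == role_value and "User" in role.get("allowedMemberTypes", []):
            return role["id"]
    raise LookupError(f"no enabled user-assignable appRole with value {role_value!r}")


def build_assignment(user_object_id: str, sp_object_id: str, app_role_id: str) -> dict:
    """Return the POST body for /users/{id}/appRoleAssignments, validating every GUID first."""
    for val in (user_object_id, sp_object_id, app_role_id):
        uuid.UUID(val)  # raises ValueError on a malformed id instead of sending a bad request
    return {
        "principalId": user_object_id,
        "resourceId": sp_object_id,
        "principalType": "User",
        "appRoleId": app_role_id,
    }


def already_assigned(existing: list, body: dict) -> bool:
    """True if the user's current appRoleAssignments already hold this (resource, role) pair.

    Graph rejects a duplicate assignment, so check up front rather than parsing the error.
    """
    return any(a.get("resourceId") == body["resourceId"] and a.get("appRoleId") == body["appRoleId"]
               for a in existing)


def assign_user(post: Callable[[str, dict, dict], tuple], token: str, user_object_id: str,
                service_principal: dict, role_value: Optional[str], existing: list) -> Optional[dict]:
    """Create the assignment through `post`; return the created object, or None if it already existed."""
    role_id = resolve_app_role_id(service_principal, role_value)
    body = build_assignment(user_object_id, service_principal["id"], role_id)
    if already_assigned(existing, body):
        return None
    url = f"{GRAPH}/users/{user_object_id}/appRoleAssignments"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, created = post(url, headers, body)
    if status != 201:  # Graph answers a successful create with 201 and the new object
        raise RuntimeError(f"Graph returned {status}: {json.dumps(created)}")
    return created


def requests_transport(url: str, headers: dict, body: dict) -> tuple:
    """Real transport for production use (needs the `requests` package)."""
    import requests  # imported lazily so the offline checks below do not need it
    r = requests.post(url, headers=headers, json=body, timeout=30)
    return r.status_code, (r.json() if r.content else {})


def fake_transport(url: str, headers: dict, body: dict) -> tuple:
    """Constructed offline stand-in for Graph: echoes the body back with an id, status 201."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    return 201, {"id": "constructed-assignment-id", **body}
```

To run it for real, replace fake_transport with requests_transport and pass the user's current assignments from GET /users/{id}/appRoleAssignments as `existing`; keeping the GUID validation and the duplicate check in front of the POST means a typo in a variable never reaches the tenant, and an idempotent re-run of the script does not fail on the second pass.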