Azure AD users are not moving to license group automatically - excel

I have created Dynamic Group for assigning License to All Azure AD user automatically using powershell in production Environment.
Here is my script:
```powershell
New-AzureADMSGroup -DisplayName "us_demo_group" -Description "your Descriptions" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(user.department -contains ""Marketing"")" -MembershipRuleProcessingState "On"
Add-AADGroupLicenseAssignment -groupId "a5e95316-1c03-44d7-afac-efd0e788122c" -accountSkuId "your skuid:FLOW_FREE"
```
My script is working fine, but when I tried to create bulk users using an Excel file, the users are not getting the license; it always shows **No License assignment Found**.
Any help is appreciated.

I tried to reproduce the same in my environment to assign the license to Azure AD users dynamically using PowerShell.
I created an Azure dynamic group using PowerShell, named TestGroup1, with a condition.
```powershell
# Install AzureADLicensing module
Install-Module -Name AzureADLicensing
# Import AzureADPreview
Import-Module AzureADPreview
# Connect to Azure AD
Connect-AzureAD
New-AzureADMSGroup -DisplayName "TestGroup1" -Description "This group contains information of users from us domain" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(user.department -contains ""Finance"")" -MembershipRuleProcessingState "On"
```
TestGroup1 is created once the above code is executed.
Assign the license to the group, like below:
```powershell
# Get all license assignments with SKU ID
Get-AADGroupLicenseAssignment -All
```
You can fetch the group ID, like below.
```powershell
# Assign license to group
Add-AADGroupLicenseAssignment -groupId "<Group Object ID>" -accountSkuId "<Your SKU ID>"
```
Create bulk users in Azure Active Directory, like below.
Azure Portal > Default Directory > Users > Bulk Operations > Bulk Create
Make sure to fill in the department value so the users are moved to the dynamic group automatically.
Download the Excel file, add the values in Excel and save, like below.
Once the values are added in Excel, upload the file to Azure, like below.
Bulk users were successfully created with a license in Azure AD.
You can view the users in the assigned group.
The license is assigned to the group's users automatically.
The Azure license was successfully assigned to the created users.
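As an added diagnostic (not part of the answer above), the following script checks the three usual reasons a bulk-created user shows no license after group-based licensing: the department column was left empty, the dynamic rule has not been evaluated yet, or the group member simply has no SKU. It assumes the AzureAD module is loaded, `Connect-AzureAD` has run, and uses the group name and department value from the answer as placeholders.

```powershell
# Added example: verify dynamic-group membership and inherited licenses after
# a bulk import. Group name and department are placeholders for your tenant.
$groupName  = "TestGroup1"   # dynamic group created in the answer above
$department = "Finance"      # value the membership rule matches on

$group = Get-AzureADGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Users that should match the rule versus users the rule actually pulled in
$expected  = Get-AzureADUser -Filter "department eq '$department'" -All $true
$members   = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
$memberIds = @{}
foreach ($m in $members) { $memberIds[$m.ObjectId] = $true }

# 1) Department matches but user is not (yet) a member: dynamic membership is
#    evaluated asynchronously, so re-run this after a few minutes.
$pending = $expected | Where-Object { -not $memberIds.ContainsKey($_.ObjectId) }

# 2) No department at all: the bulk-create template column was left empty, so
#    the rule can never match. (Enumerates the whole tenant; narrow if large.)
$noDept = Get-AzureADUser -All $true |
    Where-Object { [string]::IsNullOrEmpty($_.Department) }

# 3) Members that still carry no license despite the group assignment.
$unlicensed = $members |
    ForEach-Object { Get-AzureADUser -ObjectId $_.ObjectId } |
    Where-Object { $_.AssignedLicenses.Count -eq 0 }

"Matching department but not yet in group: {0}" -f $pending.Count
$pending    | Select-Object UserPrincipalName, Department
"Users without a department attribute: {0}" -f $noDept.Count
$noDept     | Select-Object UserPrincipalName
"Group members without any license: {0}" -f $unlicensed.Count
$unlicensed | Select-Object UserPrincipalName
```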

Related

Azure AD: Assign AppRole to multiple users

I have created a new custom AppRole in the App Manifest and I want to assign this new AppRole to all the users of the application. I researched this and found several links on how to assign a new AppRole to a user using PowerShell or Bash, but I need to assign the new AppRole to all the users (nearly 1500 users) using a script. Does anyone have any idea how to do this?
Below are a few links I looked into, but they assign the role to a single user:
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azureadps-2.0
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal
You already looked at the Azure Portal and the UI available; it isn't very well suited for bulk operations (only one role can be assigned at a time, users have to be selected one by one, there isn't a way to bulk select users based on some criteria, etc.).
The following options might help you:
Assign a group to the role instead of individual users
This requires a premium version of Azure AD. It's much more convenient not just for the first-time assignment but for overall management.
Scripting/API options (PowerShell, CLI, Azure AD Graph API, Microsoft Graph API)
The idea would be to loop through all users (or a desired subset of users based on some criteria) and assign the appropriate app role to them.
Here's a sample script for PowerShell.
```powershell
Connect-AzureAD -TenantId <Your Tenant Id>
$app_name = "RolesWebApp"
$app_role_name = "Writer"
# Get the service principal for the app and app role
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
$users = Get-AzureADUser -Top 10
foreach ($user in $users)
{
    # Assign the user to the app role
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
}
```
Take a look at this SO thread where we discussed something very similar; it has more details on each of the individual options.
Special note on Microsoft Graph API:
Even though for most scenarios it is recommended to work with Microsoft Graph API instead of Azure AD Graph API, this particular functionality is only available in the beta endpoint, so it would not be advisable to use it for any production code. Working with appRoleAssignments
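The sample above stops at the first 10 users and creates a duplicate-assignment error when re-run. Below is an added, re-runnable version (not the answer's own script) that pages through every user, skips users who already hold the role, and records failures instead of aborting a 1500-user run; it assumes `Connect-AzureAD` has run and uses the app and role names from the sample as placeholders.

```powershell
# Added example: idempotent bulk app-role assignment for all users.
$appName     = "RolesWebApp"   # placeholder: your app's display name
$appRoleName = "Writer"        # placeholder: the app role's display name

$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Service principal '$appName' not found" }
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $appRoleName }
if (-not $appRole) { throw "App role '$appRoleName' not defined on '$appName'" }

# Existing assignments on the service principal, keyed by principal object id,
# so we know who already has this role without one lookup per user.
$assigned = @{}
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    Where-Object { $_.Id -eq $appRole.Id } |
    ForEach-Object { $assigned[$_.PrincipalId] = $true }

$added = 0; $skipped = 0; $failed = @()
# -All $true pages through every user instead of the default first page.
# Narrow the filter (e.g. userType eq 'Member') if guests should not get the role.
foreach ($user in (Get-AzureADUser -All $true)) {
    if ($assigned.ContainsKey($user.ObjectId)) { $skipped++; continue }
    try {
        New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
            -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id | Out-Null
        $added++
    }
    catch {
        # Keep going: one failing user must not abort the whole run
        $failed += [pscustomobject]@{ User = $user.UserPrincipalName; Error = $_.Exception.Message }
    }
}
"Added: $added  Skipped (already assigned): $skipped  Failed: $($failed.Count)"
$failed | Format-Table -AutoSize
```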

How to manage Azure AD App Roles for Azure AD Users

1: Is anyone aware of a tool that can manage the assignment of Roles for Azure AD Users (the appRoles defined in the manifest) for Enterprise Applications in Azure AD?
I am talking about how to Assign Roles (app specific) to existing Azure AD Users. It’s a very slow process using the Azure Portal for this.
Of course, we could create this tool, but would be nice if such a tool already exists. What are large organizations with many Azure AD Enterprise Apps using today?
2: Is it really best practice to manually edit the manifest file in the portal? Would make more sense to have the file (the AppRoles section) in git along the application code.
Is anyone aware of a tool that can manage Roles for Azure AD Users
AFAIK, there isn't any specific tool available to manage application roles.
Overall, you should be able to use the following options for add/edit/update operations related to application roles and for assigning permissions to existing AD users:
NOTE: Also, in case you are dealing with a large number of users, you could consider assigning security groups to app roles instead of doing it for individual users. It's an option worth considering, although it requires an Azure AD premium license. (Update - Also see the comment from Philippe Signoret at the end of this answer about assigning groups to app roles, delegating management of the assigned groups and self-service group management.)
Azure Portal by editing application manifest json (you're aware of this already)
PowerShell -
I've added a script for this one at the end. You can do this while creating a new app using New-AzureADApplication or for an existing application using Set-AzureADApplication.
For assigning these roles to existing users, you can use New-AzureADUserAppRoleAssignment as I have shown below with the updated script.
Azure AD Graph API -
You can work with AppRole Type and Application entity for managing app roles themselves. Documentation here
You can work with AppRoleAssignment Entity for assigning these roles to existing Azure AD users etc. Documentation here
Microsoft Graph API -
Documentation here - Please notice this is available only in beta version - so it's not yet good for production applications.
Look here for working with App Role Assignments
For your production applications, you could read application roles from a json file (part of source control like git etc.) and feed that into one of the programmatic options like PowerShell or Azure AD Graph API.
Here is the PowerShell script. Also take a look at these SO posts where we discussed something similar, but only in the scope of PowerShell.
SO Post 1
SO Post 2 (This question discusses parsing json file and updating Application manifest using PowerShell)
```powershell
Connect-AzureAD -TenantId <Tenant GUID>
# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User")
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name
    return $appRole
}
# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles
$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
```
Once you are done with the above script to add the AppRole, assigning roles to a user is pretty simple and a direct command is available. Here's a sample script for that:
```powershell
# Assign the values to the variables
$username = "<Your user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
```
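The answer suggests keeping the AppRoles section in git and feeding it into PowerShell. The following is an added example of that approach (not the answer's own script): roles are read from a JSON document, matched to the manifest by `Value`, missing ones are added, and roles that exist only in the manifest are reported rather than deleted. It assumes `Connect-AzureAD` has run; the object id is a placeholder and the JSON content is constructed.

```powershell
# Added example: sync app roles from a source-controlled JSON file into the
# application manifest without duplicating or deleting existing roles.
$appObjectId = "<Your Application Object Id>"   # placeholder

# Constructed sample of approles.json; in practice: Get-Content approles.json -Raw
$rolesJson = @'
[
  { "value": "Reader", "displayName": "Reader", "description": "Read-only access" },
  { "value": "Writer", "displayName": "Writer", "description": "Read and write access" }
]
'@
$desired = $rolesJson | ConvertFrom-Json

$app      = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
$existing = @{}
foreach ($r in $appRoles) { $existing[$r.Value] = $r }

$changed = $false
foreach ($d in $desired) {
    if ($existing.ContainsKey($d.value)) { continue }   # already in the manifest
    $role = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $role.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $role.AllowedMemberTypes.Add("User")
    $role.Id          = New-Guid
    $role.IsEnabled   = $true
    $role.Value       = $d.value
    $role.DisplayName = $d.displayName
    $role.Description = $d.description
    $appRoles.Add($role)
    $changed = $true
    "Adding role '$($d.value)'"
}

# Roles in the manifest but not in the file are only reported: a role must be
# disabled before Azure AD lets you remove it, and removing one breaks the
# assignments that still reference it.
$appRoles | Where-Object { $desired.value -notcontains $_.Value } |
    ForEach-Object { "Role '$($_.Value)' is in the manifest but not in the JSON file" }

if ($changed) { Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles }
```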
Late response, but possibly better late than never: Terraform has support for this:
https://www.terraform.io/docs/providers/azuread/r/application.html

Get-MsolUserRole Azure AD V2 cmdlet equivalent

I am currently trying to migrate an existing PowerShell script that uses the old MSOnline PowerShell module to the AzureAD (V2) module. I am able to replace most of the cmdlets, but I can't find a replacement for the Get-MsolUserRole cmdlet to retrieve administrator roles for a specific user.
The similar AzureAD (V2) cmdlets don't allow me to query the roles by the objectId of the user (they require the role objectId).
Any suggestions?
The closest equivalent is Get-AzureADUserMembership, but since this will also include other membership (e.g. group memberships), you will need to filter the results down to only directory roles:
```powershell
Get-AzureADUserMembership -ObjectId "user@example.com" -All $true `
    | Where-Object { $_.ObjectType -eq "Role" }
```

Azure Active Directory - Navigation items like 'Users and groups' disappear when I enter the application page

I created a native app in Azure AD and I can't add users to it, because when I click the app, some navigation items (including Users and Groups) appear for a split second then disappear. How do I add users to the app?
You could do it with Azure AD PowerShell.
```powershell
$appId = "<your native app application id>"
$user = Get-AzureADUser -SearchString "<Your user's UPN>"
$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
```
Then, you could find the user in the Azure Portal.
Note: Currently, it is not possible to add users to a native app in the Azure Portal.

How to find out who the Global Administrator is for a directory to which I belong

I have checked in every possible area in the classic Azure portal but I can't seem to find the "Global Administrator" for the directory to which I belong.
Is there a way to find this out in the portal?
You should be able to look up the company administrators in your tenant by making two queries to the AAD Graph or Microsoft Graph API.
The first query will allow you to identify the objectId of the "Company Administrator" role in your tenant:
`https://graph.windows.net/<tenant>/directoryRoles`
Then you need to find the directoryRole where `"roleTemplateId": "62e90394-69f5-4237-9190-012177145e10"`, and save its objectId.
Next you can query the members of that directoryRole using the following:
`https://graph.windows.net/<tenant>/directoryRoles/<objectId>/members`
Try it all out using the Graph Explorer and its demo tenant:
Query 1
Query 2
Let me know if this helps!
Global Administrators are also called Company Administrators. The following PowerShell script can help you print out all your Company Administrators. The Install-Module is included in case you do not already have the AzureAD PS Module installed.
```powershell
# Install-Module AzureAD
Connect-AzureAD -TenantId "<Your Tenant ID>"
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Company Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
```
Currently there's no way in the portal; however, using PowerShell, enter the following:
```powershell
Connect-MsolService # connect to your Azure tenant
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId
```
