AzureAD Powershell list all available roles rather than assigned roles - azure

I am trying to figure out a user friendly way to assign roles for my Azure App Registration with Powershell.
Get-AzureADServiceAppRoleAssignment -ObjectId 'XXXXX-X..'
With this command I can get a list of all roles assigned to users.
I am not able to find a command that will just list the roles that exist whether they are assigned to someone or not.
Does this exist? I haven't found it in the documentation.

The Cmdlet you would want to use is Get-AzureADApplication and then app roles will be available through its AppRoles property.
Please try something like:
$app = Get-AzureADApplication -Filter "ObjectId eq '<object-id of the app>'"
$appRoles = $app.AppRoles
$appRoles
This will produce output like the following, containing all roles:
AllowedMemberTypes : {User}
Description : Role description.
DisplayName : Role name
Id : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
IsEnabled : True
Value : Role value
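An added example, not part of the original answer: it joins the roles an app defines with the assignments on its service principal, so roles that nobody holds are listed too. The function name Get-AppRoleUsage and the sample objects are hypothetical; the sample data is constructed so the block runs without a tenant.

```powershell
# Added example: pair each role the app defines with the assignments that use it.
function Get-AppRoleUsage {
    param(
        [Parameter(Mandatory)] [object[]] $AppRoles,   # (Get-AzureADApplication ...).AppRoles
        [object[]] $Assignments = @()                  # Get-AzureADServiceAppRoleAssignment output
    )
    # Index principal names by the role Id each assignment grants.
    $byRole = @{}
    foreach ($a in $Assignments) {
        $key = [string]$a.Id
        if (-not $byRole.ContainsKey($key)) {
            $byRole[$key] = [System.Collections.Generic.List[string]]::new()
        }
        $byRole[$key].Add([string]$a.PrincipalDisplayName)
    }
    # One row per defined role, including roles with no assignment at all.
    foreach ($r in $AppRoles) {
        $key = [string]$r.Id
        $names = @()
        if ($byRole.ContainsKey($key)) { $names = $byRole[$key] }
        [pscustomobject]@{
            DisplayName = $r.DisplayName
            Value       = $r.Value
            IsEnabled   = $r.IsEnabled
            Assigned    = $names.Count
            Principals  = $names -join ', '
        }
    }
}

# Constructed sample objects standing in for cmdlet output (Ids are placeholders).
$roles = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; DisplayName = 'Reader'; Value = 'App.Read';  IsEnabled = $true }
    [pscustomobject]@{ Id = '22222222-2222-2222-2222-222222222222'; DisplayName = 'Writer'; Value = 'App.Write'; IsEnabled = $true }
)
$assignments = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; PrincipalDisplayName = 'Rob';  PrincipalType = 'User' }
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; PrincipalDisplayName = 'John'; PrincipalType = 'User' }
)
Get-AppRoleUsage -AppRoles $roles -Assignments $assignments | Format-Table -AutoSize

# Against a tenant, after Connect-AzureAD:
#   $app = Get-AzureADApplication -Filter "AppId eq '<app id>'"
#   $sp  = Get-AzureADServicePrincipal -Filter "AppId eq '<app id>'"
#   $as  = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
#   Get-AppRoleUsage -AppRoles $app.AppRoles -Assignments $as
```

With the sample data, Reader shows two assignments and Writer shows zero, which is the "exists but unassigned" case the question asks about.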

Related

How to view Azure Service Principal Group Memberships in Azure AD?

I can't find a way to view all the group memberships of a service principal in Azure. I can of course see the service principal in the list of "Direct Members" from the perspective of the group.
For example:
myGroup123 has members -> Rob, John, and servicePrincipal9
If I look at "servicePrincipal9", I can't see that it is a member of "myGroup123"
Is there a way to find this info in the Portal? Via powershell? Via CLI?
Get the group membership of a group for a service principal
$Groups = New-Object Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck
$Groups.GroupIds = (Get-AzureADGroup -Top 1).ObjectId
$SPId = (Get-AzureADServicePrincipal -Top 1).ObjectId
Select-AzureADGroupIdsServicePrincipalIsMemberOf -ObjectId $SPId -GroupIdsForMembershipCheck $Groups
OdataMetadata Value
------------- -----
https://graph.windows.net/85b5ff1e-0402-400c-9e3c-0f9e965325d1/$metadata#Collection(Edm.String) {093fc0e2-1d6e-4a1b-9bf8-effa0196f1f7}
Kindly go through the document and check if it helps.
Get the groups and directory roles that this servicePrincipal is a member of. This operation is transitive and will include all groups that this service principal is a nested member of from the following document
Get the groups and directory roles that this servicePrincipal is a direct member of. This operation is not transitive. Check this document
Powershell approach via a MSFT support engineer:
Get-AzureADServicePrincipalMembership -ObjectId <String> [-All <Boolean>]
Documentation: https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadserviceprincipalmembership?view=azureadps-2.0

Bulk upload users to Azure B2C with custom attributes

I am trying to migrate existing users to Azure B2C. I've added a new custom attribute to B2C called "CompanyId". When doing a bulk upload I have added a column to the CSV file called "CompanyId", but the B2C upload facility rejects the file, telling me that the "CompanyId" column header is not valid.
Is it possible to bulk upload users to B2C with custom attributes?
No, you can't bulk upload users with a custom attribute on the Azure portal using CSV directly. But you can update the users' custom attribute after the users are created, using PowerShell as below:
Connect-AzureAD # connect to your B2C tenant
$userNameList = @('<sign-in names of the users in your CSV>')
$ExtensionName = '<extension name of your company id attribute>'
$ExtensionValue = '<value of your companyID>'
# -All $true is needed because Get-AzureADUser otherwise returns only the first page of users
$userlist = Get-AzureADUser -All $true | Where-Object {$userNameList.Contains($_.SignInNames[0].Value) }
foreach( $user in $userlist){
Set-AzureADUserExtension -ExtensionName $ExtensionName -ExtensionValue $ExtensionValue -ObjectId $user.ObjectId
}
As you can see, there is one param that we do not know: "ExtensionName". Once we have created a custom attribute in B2C, the backend will create a key for it (more information); generally the key format is: extension_<some id>_<name of custom attribute>. The key is the value of ExtensionName here. To find the key, run the PowerShell command below:
Get-AzureADExtensionProperty
I created a custom attribute as you did and, as you can see, the key in my case is extension_48c33b45c4f8419eb9d97a0f3ff1817b_CompanyId
So we can just add this extension key with the value you need to the newly created users, which will meet your requirement.
In this case, I uploaded a test user from the Azure portal. As you can see, when I use the user to get an access token, there is no companyID claim:
After running the script below:
Connect-AzureAD
$userNameList = New-Object System.Collections.ArrayList
$userNameList.Add("newuser")
$ExtensionName = "extension_48c33b45c4f8419eb9d97a0f3ff1817b_CompanyId"
$ExtensionValue = "MSFT"
$userlist = Get-AzureADUser | Where-Object {$userNameList.Contains($_.SignInNames[0].Value) }
foreach( $user in $userlist){
Set-AzureADUserExtension -ExtensionName $ExtensionName -ExtensionValue $ExtensionValue -ObjectId $user.ObjectId
}
Get an access token with this newly created user named "newuser" again:
As you can see, the company ID has been set. Hope it helps.

Azure AD App API Permissions - Where to get the id of the permission being granted

I'm trying to grant API Permissions on an App registration programmatically using Terraform.
I don't know how to get the id of the permission that I want to grant. I've tried copying and pasting a permission used elsewhere from the manifest file, but it doesn't look to be that simple.
This description of the setting is from the Terraform documentation.
id - (Required) The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
Does anyone know how to get the permission GUIDs that are used here? Are they specific to an app registration? I'm guessing so.
The id in the Terraform is not the one in your screenshot. In your screenshot it is the consent display name of the permission, not the id; it just happens to be a GUID.
To get the id, you could use the AzureAD powershell as below.
For example, get the id of the xxx-nex-kv-access API delegated permission like your screenshot.
1. Find the service principal.
Get-AzureADServicePrincipal -SearchString "xxx-nex-kv-access"
The command will list all the service principals related to xxx-nex-kv-access; make sure which one you need, then copy its ObjectId and AppId. (If there is no result, you can use Get-AzureADServicePrincipal with no parameter to list all the service principals and find the one you need.)
2. Use the ObjectId to get the delegated permission.
$sp = Get-AzureADServicePrincipal -ObjectId "<ObjectId>"
$sp.Oauth2Permissions | select Id,AdminConsentDisplayName,Value
The Id is the one you want; in the Terraform, specify it as below.
required_resource_access {
  resource_app_id = "<AppId>"
  resource_access {
    id   = "<Id>"
    type = "Scope"
  }
}
Besides, you should notice that the type property has two values, Scope and Role: Scope is a Delegated permission and Role is an Application permission.
So if you want to add an Application permission, you need to use the command below, then in the Terraform, use type = "Role".
$sp = Get-AzureADServicePrincipal -ObjectId "<ObjectId>"
$sp.AppRoles | select Id,DisplayName,Value
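An added example, not part of the original answer: it looks a permission up by its Value across both collections and reports the Id together with the matching Terraform type, covering the case where the same Value exists as both a Scope and a Role with different Ids. The function name Resolve-ResourceAccess, the example-api service principal and all Ids are hypothetical, constructed so the block runs without a tenant.

```powershell
# Added example: find a permission by Value on a resource service principal and
# report the Id together with the Terraform type that matches it.
function Resolve-ResourceAccess {
    param(
        [Parameter(Mandatory)] $ServicePrincipal,  # object from Get-AzureADServicePrincipal
        [Parameter(Mandatory)] [string] $Value     # permission value to look up
    )
    $found = @()
    # Delegated permissions live in Oauth2Permissions and map to type = "Scope".
    foreach ($p in $ServicePrincipal.Oauth2Permissions) {
        if ($p.Value -eq $Value) {
            $found += [pscustomobject]@{ ResourceAppId = $ServicePrincipal.AppId
                Id = $p.Id; Type = 'Scope'; Name = $p.AdminConsentDisplayName }
        }
    }
    # Application permissions live in AppRoles and map to type = "Role".
    foreach ($r in $ServicePrincipal.AppRoles) {
        if ($r.Value -eq $Value) {
            $found += [pscustomobject]@{ ResourceAppId = $ServicePrincipal.AppId
                Id = $r.Id; Type = 'Role'; Name = $r.DisplayName }
        }
    }
    if ($found.Count -eq 0) {
        throw "No permission with value '$Value' on $($ServicePrincipal.DisplayName)"
    }
    # Both rows are returned when the Value exists as a Scope and as a Role,
    # so the caller picks the Id that goes with the type it intends to grant.
    $found
}

# Constructed service principal object (all Ids are placeholders).
$sp = [pscustomobject]@{
    DisplayName = 'example-api'
    AppId       = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
    Oauth2Permissions = @(
        [pscustomobject]@{ Id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb'; Value = 'Data.Read'
            AdminConsentDisplayName = 'Read data as the signed-in user' }
    )
    AppRoles = @(
        [pscustomobject]@{ Id = 'cccccccc-cccc-cccc-cccc-cccccccccccc'; Value = 'Data.Read'
            DisplayName = 'Read data as the application' }
    )
}
Resolve-ResourceAccess -ServicePrincipal $sp -Value 'Data.Read' | Format-Table -AutoSize
```

Pasting the Scope Id with type = "Role", or the reverse, requests a different grant than intended, so check the Type column before copying the Id into resource_access.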

Azure AD: Assign AppRole to multiple users

I have created a new custom AppRole in the App Manifest and I want to assign this new AppRole to all the users of the application. I researched this and found several links on how to assign a new AppRole to a user using PowerShell or Bash, but I need to assign the new AppRole to all the users (nearly 1500 users) using a script. Does anyone have any idea how to do this?
Below are a few links I looked into, but they assign a role to a single user:
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azureadps-2.0
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal
You already looked at Azure Portal and the UI available and it isn't very well suited for bulk operations (only one role can be assigned at a time, users have to be selected one by one and there isn't a way to bulk select users based on some criteria etc.)
Following options might help you:
Assign a group to role instead of individual users
This requires a premium version of Azure AD. It's much more convenient not just for first time assignment but for managing overall.
Scripting/API options (PowerShell, CLI, Azure AD Graph API, Microsoft Graph API)
Idea will be to loop through all users (or desired subset of users based on some criteria) and assign the appropriate app role to them.
Here's a sample script for PowerShell.
Connect-AzureAD -TenantId <Your Tenant Id>
$app_name = "RolesWebApp"
$app_role_name = "Writer"
# Get the service principal for the app and app role
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
$users = Get-AzureADUser -Top 10
foreach ($user in $users)
{
    # Assign the user to the app role
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
}
Take a look at this SO thread where we discussed something very similar and has more details on each of the individual options.
Special note on Microsoft Graph API:
Even though for most scenarios it will be recommended to work with Microsoft Graph API instead of Azure AD Graph API, this particular functionality is only available in the beta endpoint. So it would not be advisable to use it for any production code. Working with appRoleAssignments

How to find out who the Global Administrator is for a directory to which I belong

I have checked in every possible area in the classic Azure portal but I can't seem to find the "Global Administrator" for the directory to which I belong.
Is there a way to find this out in the portal?
You should be able to look up the company administrators in your tenant by making two queries to the AAD or Microsoft Graph API.
The first query will allow you to identify the objectId of the "Company Administrator" role in your tenant.
https://graph.windows.net/<tenant>/directoryRoles
Then you need to find the directoryRole where "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10", and save the objectId.
Next you can query the members of that directoryRole using the following:
https://graph.windows.net/<tenant>/directoryRoles/<objectId>/members
Try it all out using the Graph Explorer and its demo tenant:
Query 1
Query 2
Let me know if this helps!
Global Administrators are also called Company Administrators. The following PowerShell script can help you print out all your Company Administrators. The Install-Module is included in case you do not already have the AzureAD PS Module installed.
# Install-Module AzureAD
Connect-AzureAD -TenantID [Your Tenant ID]
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
Currently there's no way on the portal, however using PowerShell, enter the following code:
Connect-MsolService #to connect to your Azure tenant
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId
