Assign AD Application AppRole to Function App system identity (Managed Identity)

Prakash Rajan 1 Reputation point
2021-05-06T15:04:35.81+00:00

Hi, I am trying to generate the access token against the AD app from my function app with its managed identity. For this I have created an App in Azure AD and created the app role inside the Application. Now I am trying to get the access token against the AD App API. For that I am trying to assign the app role as mentioned in the Docs, but I am unable to fetch the roles of the AD app as mentioned in the script. Can someone point out what I am doing wrong?

$tenantID = '<tenant-id>'
$webAppName = 'Function-app-name'
$resourceGroupName = 'Fnction-app-it-belongs-to'
$serverApplicationName = 'Ad Application Name' # For example, MyApi
$appRoleName = 'App role created inside AD App' # For example, MyApi.Read.All
$managedIdentityObjectId = (Get-AzADServicePrincipal -DisplayName $webAppName).Id
Connect-AzureAD -TenantId $tenantID
$serverServicePrincipal = (Get-AzureADServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
# In the above statement I am getting the details of the Azure AD Application, but it's not listing the app roles in the statement below.
$serverServicePrincipalObjectId = $serverServicePrincipal.ObjectId
$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
New-AzureADServiceAppRoleAssignment -ObjectId $managedIdentityObjectId `
    -Id $appRoleId -PrincipalId $managedIdentityObjectId `
    -ResourceId $serverServicePrincipalObjectId


1 answer

  1. Saurabh Sharma 23,751 Reputation points Microsoft Employee
    2021-05-06T19:17:44.447+00:00

    Hi @Prakash Rajan ,

    Thanks for using Microsoft Q&A !!

    I am able to fetch the App Role correctly using your code (see screenshot below).
    [screenshot: 94536-image.png]

    Can you please check what value you are passing as the App Role name? Instead of passing MyApi.Read.All you need to pass "Read.All" as the API Permissions name.
    $appRoleName = 'Read.All'

    Please check if that's not the case and you are still having issues.

    Thanks
    Saurabh

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
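The answer points at a mismatch between the role name in the script and the role's Value on the service principal. The script below is an added example (not the question's script, the answer's code, or Microsoft's own) that prints what the API's service principal actually exposes before attempting the assignment, so a wrong Value, a disabled role, or a role that does not allow Application members fails with a clear message instead of a silent empty `$appRoleId`. All names and the tenant id are placeholders; the direction in which `Get-AzureADServiceAppRoleAssignment` lists assignments (resource side) is an assumption noted in the code.

```powershell
# Added example: diagnose the empty AppRole lookup, then assign the role once.
$tenantId              = '<tenant-id>'
$functionAppName       = '<function-app-name>'
$serverApplicationName = '<api-app-display-name>'
$appRoleName           = '<app-role-Value>'   # the role's Value (e.g. Read.All), not MyApi.Read.All

Connect-AzureAD -TenantId $tenantId | Out-Null

# Resolve the function app's system-assigned identity; refuse to continue on 0 or more than 1 match,
# otherwise a wrong principal could end up holding the role.
$mi = @(Get-AzADServicePrincipal -DisplayName $functionAppName)
if ($mi.Count -ne 1) { throw "Expected one managed identity named '$functionAppName', found $($mi.Count)" }

# Resolve the API's service principal the same way (roles are read from the SP, not the app object).
$serverSp = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
if ($serverSp.Count -ne 1) { throw "Expected one service principal named '$serverApplicationName', found $($serverSp.Count)" }
$serverSp = $serverSp[0]

# Show every role the SP publishes. Only roles whose AllowedMemberTypes include 'Application'
# can be granted to a service principal such as a managed identity.
$serverSp.AppRoles |
    Select-Object Value, DisplayName, Id, IsEnabled,
        @{ n = 'AllowedMemberTypes'; e = { $_.AllowedMemberTypes -join ',' } } |
    Format-Table -AutoSize

$role = $serverSp.AppRoles | Where-Object { $_.Value -eq $appRoleName }
if (-not $role) {
    throw "No app role with Value '$appRoleName'. Available values: $($serverSp.AppRoles.Value -join ', ')"
}
if (-not $role.IsEnabled) { throw "App role '$appRoleName' is disabled" }
if ($role.AllowedMemberTypes -notcontains 'Application') {
    throw "App role '$appRoleName' does not allow 'Application' members, so it cannot be assigned to a managed identity"
}

# Keep the script idempotent: skip if this identity already holds this role on this API.
# Assumption: Get-AzureADServiceAppRoleAssignment lists assignments where -ObjectId is the resource.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $serverSp.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $mi[0].Id -and $_.Id -eq $role.Id }
if ($existing) { Write-Output "Assignment already exists; nothing to do"; return }

$assignment = @{
    ObjectId    = $mi[0].Id          # the principal being granted the role
    Id          = $role.Id           # the app role's GUID
    PrincipalId = $mi[0].Id
    ResourceId  = $serverSp.ObjectId # the API's service principal
}
New-AzureADServiceAppRoleAssignment @assignment
```

Run it with an account that can grant app role assignments on the API's service principal; the table it prints is usually enough to spot whether the Value in `$appRoleName` matches what the tenant actually holds.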