PrakashRajan-6865 asked SaurabhSharma-msft commented

Assign AD Application AppRole to Function App system identity (Managed Identity)

Hi, I am trying to generate an access token against the AD app from my function app with its managed identity. For this I have created an app in Azure AD and created an app role inside the application. Now I am trying to get the access token against the AD app API. For that I am trying to assign the app role as mentioned in the docs, but I am unable to fetch the roles of the AD app as mentioned in the script. Can someone point out what I am doing wrong?

```powershell
$tenantID = '<tenant-id>'
$webAppName = 'Function-app-name'
$resourceGroupName = 'Fnction-app-it-belongs-to'
$serverApplicationName = 'Ad Application Name' # For example, MyApi
$appRoleName = 'App role created inside AD App' # For example, MyApi.Read.All
# Az module lookup of the system-assigned managed identity's service principal (requires a prior Connect-AzAccount)
$managedIdentityObjectId = (Get-AzADServicePrincipal -DisplayName $webAppName).Id
# AzureAD module lookup of the API application's service principal
Connect-AzureAD -TenantId $tenantID
$serverServicePrincipal = (Get-AzureADServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
```

In the above statement I am getting the details of the Azure AD application, but it's not listing the app roles in the statement below.

```powershell
$serverServicePrincipalObjectId = $serverServicePrincipal.ObjectId
# Match on the role's Value property; returns $null when no role has that value
$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
# Backticks continue the command across lines
New-AzureADServiceAppRoleAssignment -ObjectId $managedIdentityObjectId `
    -Id $appRoleId -PrincipalId $managedIdentityObjectId `
    -ResourceId $serverServicePrincipalObjectId
```

Tags: azure-active-directory, azure-functions, azure-managed-identity

1 Answer

SaurabhSharma-msft answered SaurabhSharma-msft commented

Hi @prakashrajan-6865,

Thanks for using Microsoft Q&A !!

I am able to fetch the App Role correctly using your code (see screenshot below).

Can you please check what value you are passing as the App Role name? Instead of passing MyApi.Read.All you need to pass "Read.All" as the API permission name.

```powershell
$appRoleName = 'Read.All'
```

Please let me know if that's not the case and you are still having issues.

Thanks
Saurabh


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


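The answer's point is that the role lookup matches on the app role's `Value` property, not on the display name shown in the portal, so a display-name string returns nothing and `$appRoleId` ends up empty. The following script is an added example (not code from the question or the answer) that uses only the AzureAD module: it prints every role the API's service principal exposes so the `Value` column can be compared with what is being passed, fails with the list of valid values when the lookup misses, checks that the role is enabled and allows `Application` members (a managed identity is a service principal), and skips the assignment if the identity already holds the role. All names in angle brackets are placeholders; the lookup of the managed identity by display name assumes the system-assigned identity's service principal carries the function app's name, as it does by default.

```powershell
# Added example: assign an app role on an AD application to a function app's
# system-assigned managed identity, with the checks that explain an empty lookup.
# Requires the AzureAD module. All values below are placeholders.
$tenantId              = '<tenant-id>'
$functionAppName       = '<function-app-name>'     # system-assigned MI service principal shares this display name
$serverApplicationName = '<ad-application-name>'   # the API app that defines the role
$appRoleValue          = '<app-role-value>'        # the role's Value (e.g. Read.All), not its display name

Connect-AzureAD -TenantId $tenantId | Out-Null

# Resolve the API's service principal; refuse to guess if the display name is ambiguous
$serverSp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$serverApplicationName'"
if (-not $serverSp) { throw "No service principal named '$serverApplicationName' in tenant $tenantId" }
if ($serverSp.Count -gt 1) { throw "Display name '$serverApplicationName' matches several service principals; filter on AppId instead" }

# Resolve the managed identity's service principal
$miSp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$functionAppName'"
if (-not $miSp) { throw "No service principal for '$functionAppName'; is the system-assigned identity enabled?" }

# Show every role the API exposes: Value is what the lookup must match, DisplayName is
# what the portal shows, and AllowedMemberTypes must include 'Application' for a
# service principal (such as a managed identity) to be assignable to the role.
$serverSp.AppRoles |
    Select-Object Value, DisplayName, Id, IsEnabled, AllowedMemberTypes |
    Format-Table -AutoSize

# Look the role up by Value and explain a miss instead of silently passing $null on
$role = $serverSp.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
if (-not $role) {
    $available = ($serverSp.AppRoles | ForEach-Object { $_.Value }) -join ', '
    throw "Role value '$appRoleValue' not found on '$serverApplicationName'. Available values: $available"
}
if (-not $role.IsEnabled) { throw "Role '$appRoleValue' is disabled" }
if ($role.AllowedMemberTypes -notcontains 'Application') {
    throw "Role '$appRoleValue' does not allow 'Application' members, so it cannot be granted to a managed identity"
}

# Assignments are not idempotent: skip if this identity already holds this role on this resource.
# Filtering on both PrincipalId and ResourceId keeps the check correct whichever side the
# cmdlet enumerates the assignments from (assumption about the cmdlet's output noted here).
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $serverSp.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $miSp.ObjectId -and $_.ResourceId -eq $serverSp.ObjectId -and $_.Id -eq $role.Id }

if ($existing) {
    Write-Host "'$functionAppName' already holds role '$appRoleValue' on '$serverApplicationName'"
} else {
    # Grant exactly one role to exactly one identity on exactly one resource
    New-AzureADServiceAppRoleAssignment -ObjectId $miSp.ObjectId `
        -PrincipalId $miSp.ObjectId `
        -ResourceId $serverSp.ObjectId `
        -Id $role.Id
    Write-Host "Assigned role '$appRoleValue' on '$serverApplicationName' to '$functionAppName'"
}
```

Run it once with the wrong role string on purpose: the thrown message lists the valid `Value` entries, which is the quickest way to see whether the string in hand is the role value or its display name. The `AllowedMemberTypes` check matters because a role created for users only will never appear as a valid target for a managed identity, however the name is spelled.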

Hi @prakashrajan-6865,

I have not heard back from you. Did my answer solve your issue? If so, please mark as accepted answer. If not, please let me know how I may better assist.

Thanks
Saurabh


Hi @prakashrajan-6865,

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Thanks
Saurabh
