List and add users in an Azure enterprise application via powershell

Question

question

GaetanMeister-5892 asked Dec 3, '21 GaetanMeister-5892 answered Dec 8, '21

List and add users in an Azure enterprise application via powershell

Hello.

We have a few users to populate and I'm trying to

1) export the list of users and app roles for all azure enterprise applications via powershell.

I was able to retrieve the list of users
Get-AzureADServicePrincipal -searchstring "AWS engineering" | Get-AzureADServiceAppRoleAssignment|select Resourcedisplayname,Principaldisplayname

But haven't managed to pull down the appropriate app role assignment for each user

2) be able to populate the list via a csv file.

windows-server-powershell azure-rbac

screenshot-42.png (42.7 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2021-12-04T16:48:13.813Z

joseantoniosilva answered Dec 4, '21 joseantoniosilva published Dec 4, '21

@GaetanMeister-5892 check this article please:
https://morgantechspace.com/2019/07/get-all-azure-ad-integrated-applications-using-powershell.html

In this post, I am going to share Powershell script to find and retrieve the list of Azure AD Integrated apps (Enterprise Applications) with their API permissions. Also, list users who are authorized to use the app.

In Azure AD, the integrated apps or Enterprise applications are nothing but an instance (ServicePrincipal object) or mirror of the apps (Application object) which are generally published in other company tenants (or in your own tenant). We can use the Get-AzureADServicePrincipal cmdlet to fetch all the integrated apps.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2021-12-07T15:29:44.91Z

GaetanMeister-5892 answered Dec 7, '21

That didn't help but I found out with this script. Now I have to figure out how to populate from a CSV

 Connect-AzureAD
 # Get all service principals, and for each one, get all the app role assignments, 
 # resolving the app role ID to it's display name. Output everything to a CSV.
 Get-AzureADServicePrincipal -searchstring "aws engineering" | % {
    
   # Build a hash table of the service principal's app roles. The 0-Guid is
   # used in an app role assignment to indicate that the principal is assigned
   # to the default app role (or rather, no app role).
   $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
   $_.AppRoles | % { $appRoles[$_.Id] = $_.DisplayName }
    
   # Get the app role assignments for this app, and add a field for the app role name
   Get-AzureADServiceAppRoleAssignment -ObjectId ($_.ObjectId) | % {
     $_ | Add-Member "AppRoleDisplayName" $appRoles[$_.Id] -Passthru
   }
 } | ft resourcedisplayname,principaldisplayname, approledisplayname,creationtimestamp

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 3 · 2021-12-08T12:05:17.787Z

GaetanMeister-5892 answered Dec 8, '21

Sorted

 foreach ($i in (import-csv enterprise_app_role_assignments.csv))
 {
 $usr = $i.UPN
 $app_name = $i.app_name
 $app_role_name = $i.app_role_name
    
 # Get the user to assign, and the service principal for the app to assign to
 $user = Get-AzureADUser -ObjectId "$usr"
 $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
 $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    
 # Assign the user to the app role
 New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
 }

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

question