Assign users and groups to an application in Azure Active Directory

This article shows how to use PowerShell to assign users and groups to an enterprise application in Azure Active Directory (Azure AD). When you assign a user to an application, the application appears in the user's My Apps portal for easy access. If the application exposes app roles, you can also assign a specific role to the user, which is how the application decides what that user may do once signed in.

Prerequisites

To assign users to an application by using PowerShell, you need:

  • An Azure account with an active subscription. Create an account for free
  • One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
  • The AzureAD module, if you haven't installed it already (use the command Install-Module -Name AzureAD). If you're prompted to install the NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER. Note that Microsoft has deprecated the AzureAD module in favor of Microsoft Graph PowerShell; the cmdlets in this article are AzureAD module cmdlets.
  • Azure Active Directory Premium P1 or P2 for group-based assignment. For detailed licensing requirements for the features discussed in this article, see the Azure Active Directory pricing page.
  • Optional: Complete Configure an application.

Assign users and groups to an application by using PowerShell

  1. Open an elevated Windows PowerShell command prompt.

  2. Run Connect-AzureAD and sign in with a user account that holds one of the roles listed under Prerequisites (for example, Global Administrator).

  3. Use the following script to assign a user to an app role on the application:

    # Assign the values to the variables
    $username      = "<Your user's UPN>"
    $app_name      = "<Your App's display name>"
    $app_role_name = "<App role display name>"

    # Get the user to assign, and the service principal for the app to assign to.
    # Display names are not unique, so stop if the filter matches more than one app
    # rather than silently assigning to whichever one came back first.
    $user = Get-AzureADUser -ObjectId "$username"
    $sp   = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
    if (@($sp).Count -ne 1) { throw "Expected one service principal named '$app_name', found $(@($sp).Count)." }

    # Find the app role by display name; fail early instead of passing a null Id to the cmdlet
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    if (-not $appRole) { throw "App role '$app_role_name' not found on '$app_name'." }

    # Assign the user to the app role
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
    
    

To assign a group to an enterprise app, replace Get-AzureADUser with Get-AzureADGroup and New-AzureADUserAppRoleAssignment with New-AzureADGroupAppRoleAssignment. Two caveats apply: group-based assignment applies only to the group's direct members, because nested group membership is not supported for application assignment, and if the application exposes no app roles, pass the default app role ID 00000000-0000-0000-0000-000000000000 as -Id.

For more information about how to assign a group to an application role, see the documentation for New-AzureADGroupAppRoleAssignment.
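The following script is an added example, not part of the original article, that carries the group substitution through end to end: it resolves the group and the service principal by display name and refuses ambiguous matches, falls back to the default app role ID when the application exposes no roles, and skips the call if the assignment already exists. The group name "Sales Analysts" and the application and role names are assumptions for illustration.

```powershell
# Added example (not from the original article). Assumed values for illustration:
$group_name    = "Sales Analysts"            # assumed security group display name
$app_name      = "Workplace Analytics"       # assumed application display name
$app_role_name = "Analyst (Limited access)"  # assumed app role display name

# Resolve the group. Display names are not unique, so a filter match is only
# trustworthy when it returns exactly one object.
$groups = @(Get-AzureADGroup -Filter "displayName eq '$group_name'")
if ($groups.Count -ne 1) { throw "Expected one group named '$group_name', found $($groups.Count)." }
$group = $groups[0]

# Resolve the service principal the same way
$sps = @(Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'")
if ($sps.Count -ne 1) { throw "Expected one service principal named '$app_name', found $($sps.Count)." }
$sp = $sps[0]

# Pick the role ID. Apps that expose no roles take the all-zero default role ID.
# Groups can only be assigned roles whose AllowedMemberTypes include "User".
if (@($sp.AppRoles).Count -eq 0) {
    $roleId = "00000000-0000-0000-0000-000000000000"
} else {
    $appRole = $sp.AppRoles | Where-Object {
        $_.DisplayName -eq $app_role_name -and $_.IsEnabled -and ($_.AllowedMemberTypes -contains "User")
    }
    if (-not $appRole) { throw "No enabled, user-assignable app role named '$app_role_name' on '$app_name'." }
    $roleId = $appRole.Id
}

# Idempotency check: an assignment for this group, app and role may already exist
$existing = Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id.ToString() -eq $roleId.ToString() }

if ($existing) {
    Write-Output "Group '$group_name' is already assigned to '$app_name' with role ID $roleId."
} else {
    # -ObjectId and -PrincipalId are both the group; -ResourceId is the app's service principal
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId -ResourceId $sp.ObjectId -Id $roleId
    Write-Output "Assigned group '$group_name' to '$app_name' with role ID $roleId."
}
```

Because the assignment is granted to the group object, every direct member of the group receives the role; members of nested groups do not, so flatten any nested structure before relying on this for access control.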

Example

This example assigns the user Britta Simon to the Microsoft Workplace Analytics application by using PowerShell.

  1. In PowerShell, assign the corresponding values to the variables $username and $app_name. The role name is looked up in a later step.

    # Assign the values to the variables
    $username = "britta.simon@contoso.com"
    $app_name = "Workplace Analytics"
    
    
  2. In this example, we don't yet know the exact name of the application role to assign to Britta Simon. Run the following commands to get the user ($user) by UPN and the service principal ($sp) by display name.

    # Get the user to assign, and the service principal for the app to assign to
    $user = Get-AzureADUser -ObjectId "$username"
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
    
    
  3. Run the command $sp.AppRoles to display the roles available for the Workplace Analytics application; each entry lists the role's DisplayName, Id, Value, and whether it is enabled. In this example, we want to assign Britta Simon the Analyst (Limited access) role.

  4. Assign the role name to the $app_role_name variable and select the matching role object.

    # Assign the values to the variables
    $app_role_name = "Analyst (Limited access)"
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    
    
  5. Run the following command to assign the user to the app role:

    # Assign the user to the app role
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
    

Unassign users and groups from an application by using PowerShell

  1. Open an elevated Windows PowerShell command prompt.

  2. Run Connect-AzureAD and sign in with a user account that holds one of the roles listed under Prerequisites (for example, Global Administrator). Use the following script to remove a user's app role assignments from an application:

    # Store the proper parameters
    $user = Get-AzureADUser -ObjectId "<user objectId or UPN>"
    $spo  = Get-AzureADServicePrincipal -ObjectId "<service principal objectId>"

    # Get the user's role assignments on this app. Match on PrincipalId, not on
    # PrincipalDisplayName: display names are not unique, so a name match could
    # pick up another principal's assignment. -All $true returns every assignment
    # instead of only the first page.
    $assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $user.ObjectId }

    # Review what is assigned before removing anything
    $assignments | Select-Object PrincipalDisplayName, PrincipalType, Id, ObjectId

    # Remove each matching app role assignment by its own ObjectId
    foreach ($assignment in $assignments) {
        Remove-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -AppRoleAssignmentId $assignment.ObjectId
    }
    
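An app role assignment object carries only the role's Id, so reviewing who holds which role on an application means resolving that Id against the service principal's AppRoles. The script below is an added example, not part of the original article: it prints an access-review table for one application with the role names resolved, then removes the assignments held by a single principal selected by object ID. The application name and $principalObjectId are assumed values supplied by the caller.

```powershell
# Added example (not from the original article). Assumed values:
$app_name          = "Workplace Analytics"                       # assumed application display name
$principalObjectId = "<object ID of the user or group to unassign>"  # assumed; supplied by the caller

$sps = @(Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'")
if ($sps.Count -ne 1) { throw "Expected one service principal named '$app_name', found $($sps.Count)." }
$sp = $sps[0]

# Build a role Id -> display name map. The all-zero Id is the default role
# used by applications that expose no roles of their own.
$roleNames = @{ "00000000-0000-0000-0000-000000000000" = "(default access)" }
foreach ($role in $sp.AppRoles) { $roleNames[$role.Id.ToString()] = $role.DisplayName }

# -All $true pages through every assignment rather than only the first page
$assignments = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true)

# Access-review view: every principal assigned to the app and the role it holds
$assignments | ForEach-Object {
    [pscustomobject]@{
        Principal     = $_.PrincipalDisplayName
        PrincipalType = $_.PrincipalType
        PrincipalId   = $_.PrincipalId
        Role          = $roleNames[$_.Id.ToString()]
        AssignmentId  = $_.ObjectId
    }
} | Format-Table -AutoSize

# Select assignments to remove by PrincipalId. Matching on display name would be
# unsafe: two principals can share a name, and a renamed principal would be missed.
$toRemove = $assignments | Where-Object { $_.PrincipalId -eq $principalObjectId }
if (-not $toRemove) {
    Write-Warning "No assignment found for principal $principalObjectId on '$app_name'."
    return
}

foreach ($assignment in $toRemove) {
    Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $assignment.ObjectId
    Write-Output "Removed $($assignment.PrincipalDisplayName) from role '$($roleNames[$assignment.Id.ToString()])' on '$app_name'."
}
```

Run the script once with the removal loop commented out to confirm the table shows only the principals you expect; a principal that holds several roles on the same application has one assignment object per role, and each is removed separately.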

Next steps