Compulinx
Copper Contributor
Jul 20, 2022

Assign Users to an app using another app

Hello,

I hope someone can help with this problem. I have a registered application (let's call it TESTApp3).

I make an Azure AD connection using this application:

Connect-AzureAD -TenantId $tenant -CertificateThumbprint $thumb -ApplicationId $applicationID

And I get connected fine. What I need to do is assign users to another application (let's call it TESTApp2) using the connection made by TESTApp3. I also need it scoped to work only on TESTApp2!

What commands do I use? Any help would be magnificent!!

/A

2 Replies

  • lakshmikanthk
    Copper Contributor

    Compulinx

    I was using this script for the same kind of task; it might be useful for you.

    Hint: make sure TESTApp3 has permissions to read all the groups and users.


    #version 1.0
    # Connect as the automation app (placeholders for tenant, certificate thumbprint and application ID)
    Connect-AzureAD -TenantId XXXXX -CertificateThumbprint XXXXXX -ApplicationId XXXX
    # Service principal of the target enterprise application
    $awseaid = Get-AzureADServicePrincipal -ObjectId "xxxxxx"
    # The app role to assign: the role named "User" defined on that application
    $appRole = $awseaid.AppRoles | Where-Object { $_.DisplayName -eq "User" }
    # Candidate groups: display names starting with AWS, excluding the *root groups
    $awsgroups = Get-AzureADGroup -All $true | Where-Object { ($_.DisplayName -like "AWS*") -and ($_.DisplayName -notlike "*root") }
    # Assignments that already exist on the application
    $awseagroups = Get-AzureADServiceAppRoleAssignment -ObjectId $awseaid.ObjectId -All $true
    if ($awseagroups.Count -ne $awsgroups.Count) {
        foreach ($awsgroup in $awsgroups) {
            #Write-Output $awsgroup.DisplayName
            # Skip groups already assigned to this application (matched on the resource ID rather than a display name)
            $assignment = Get-AzureADGroupAppRoleAssignment -ObjectId $awsgroup.ObjectId | Where-Object { $_.ResourceId -eq $awseaid.ObjectId }
            if (!$assignment) {
                Write-Output "adding $($awsgroup.DisplayName) to aws enterprise application"
                # A group principal needs the group cmdlet, not New-AzureADUserAppRoleAssignment
                New-AzureADGroupAppRoleAssignment -ObjectId $awsgroup.ObjectId -PrincipalId $awsgroup.ObjectId -ResourceId $awseaid.ObjectId -Id $appRole.Id
            }
        }
    }


    • Compulinx
      Copper Contributor
      Thanks for this, but just to clarify (I should have added this to the original question).
      I have added the Application Administrator role to TestApp3 first:

      So as global admin:
      $sp = Get-AzureADServicePrincipal -SearchString "testapp3"

      Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Application administrator"}).Objectid -RefObjectId $sp.ObjectId

      This allows me to connect TestApp3 and assign users to TestApp2:
      $cert = Get-ChildItem Cert:\LocalMachine\My\B*****
      $tenant = "109***"
      $applicationID = "afd7a2***"
      Connect-AzureAD -TenantId $tenant -CertificateThumbprint $cert.Thumbprint -ApplicationId $applicationID

      Once connected you can assign users to App2:

      $user = Get-AzureADUser -SearchString email address removed for privacy reasons
      $servicePrincipal = Get-AzureADServicePrincipal -ObjectId 6f***   # SP of testApp2
      New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectID -PrincipalId $user.ObjectID -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)

      Now this works, but the problem is:

      TestApp3 can assign that user to ANY SP (not just TestApp2)
      The role of Application Administrator is way too strong. I need a role that is just used to assign users. Nothing else.

      Hope this is clearer. Appreciate your input.
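What the thread asks for but neither reply shows is a role that can change assignments on TESTApp2 and nothing else. The block below is an added example, not code from either poster: it uses the AzureAD module's custom-role cmdlets (New-AzureADMSRoleDefinition, New-AzureADMSRoleAssignment) to grant TESTApp3's service principal only the two appRoleAssignedTo resource actions, scoped to TESTApp2's service principal object instead of the whole directory, and then removes the Application Administrator membership granted earlier. The display names, the "<TESTApp2-SP-ObjectId>" placeholder and all variable names are assumptions; confirm in your tenant's custom-role documentation that these resource actions and the per-application scope are supported for enterprise applications before relying on it.

```powershell
# Added example (not from the thread): replace tenant-wide Application Administrator
# with a custom role limited to app role assignments, scoped to one service principal.
# Run as Global Administrator or Privileged Role Administrator with the AzureAD module.

$testApp3Sp = Get-AzureADServicePrincipal -SearchString "testapp3"             # caller (assumed display name)
$testApp2Sp = Get-AzureADServicePrincipal -ObjectId "<TESTApp2-SP-ObjectId>"   # target (placeholder ID)

# 1. Custom role that can only read and update user/group assignments on a service principal.
$perm = New-Object -TypeName Microsoft.Open.MSGraph.Model.RolePermission
$perm.AllowedResourceActions = @(
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/update"
)
$roleDef = New-AzureADMSRoleDefinition -DisplayName "App Role Assigner (TESTApp2)" `
    -Description "May only add or remove user and group assignments on the scoped application" `
    -RolePermissions $perm -IsEnabled $true

# 2. Assign the role to TESTApp3's service principal, scoped to TESTApp2's service
#    principal object. "/" would be the whole directory; "/<objectId>" is one object.
$roleAssignment = New-AzureADMSRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $testApp3Sp.ObjectId `
    -DirectoryScopeId "/$($testApp2Sp.ObjectId)"

# 3. Verify: every role held by TESTApp3 should now be this definition with this scope.
Get-AzureADMSRoleAssignment -Filter "principalId eq '$($testApp3Sp.ObjectId)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId

# 4. Remove the over-broad Application Administrator membership granted earlier in the thread.
$appAdminRole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Application Administrator" }
Remove-AzureADDirectoryRoleMember -ObjectId $appAdminRole.ObjectId -MemberId $testApp3Sp.ObjectId
```

After step 4, the certificate-based Connect-AzureAD session as TESTApp3 can still run New-AzureADUserAppRoleAssignment against $servicePrincipal (TESTApp2), but the same call against any other service principal should fail with an authorization error, which is the scoping the question asks for. Re-run step 3 periodically, or alert on new role assignments to the TESTApp3 principal, so that a later "helpful" grant of a broad role does not silently widen its reach again.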
