Forum Discussion
Compulinx
Jul 20, 2022 (Copper Contributor)
Assign Users to an app using another app
Hello, I hope someone can help with this problem. I have a registered application (let's call it TESTApp3). I make an Azure AD connection using this application: Connect-AzureAD -TenantId $tenant...
lakshmikanthk
Jul 22, 2022 (Copper Contributor)
I was using this script for the same kind of task; it might be useful for you.
Hint: make sure TestApp3 has permissions to read all the groups and users.
#version 1.0
Connect-AzureAD -TenantId XXXXX -CertificateThumbprint XXXXXX -ApplicationId XXXX
# Service principal of the AWS enterprise application and its "User" app role
$awseaid = Get-AzureADServicePrincipal -ObjectId "xxxxxx"
$appRole = $awseaid.AppRoles | Where-Object { $_.DisplayName -eq "User" }
# Every AWS* group except the *root ones
$awsgroups = Get-AzureADGroup -All $true | Where-Object { ($_.DisplayName -like "AWS*") -and ($_.DisplayName -notlike "*root") }
# App role assignments that already exist on the AWS service principal
$awseagroups = Get-AzureADServiceAppRoleAssignment -ObjectId $awseaid.ObjectId -All $true
if ($awseagroups.Count -ne $awsgroups.Count) {
    foreach ($awsgroup in $awsgroups) {
        #Write-Output $awsgroup.DisplayName
        # Does this group already hold an assignment on the AWS service principal?
        # (compare on ResourceId rather than a hard-coded display name)
        $assignment = Get-AzureADGroupAppRoleAssignment -ObjectId $awsgroup.ObjectId -All $true |
            Where-Object { $_.ResourceId -eq $awseaid.ObjectId }
        if (-not $assignment) {
            Write-Output "adding $($awsgroup.DisplayName) to aws enterprise application"
            # The principal is a group, so use the group cmdlet, not New-AzureADUserAppRoleAssignment
            New-AzureADGroupAppRoleAssignment -ObjectId $awsgroup.ObjectId -PrincipalId $awsgroup.ObjectId -ResourceId $awseaid.ObjectId -Id $appRole.Id
        }
    }
}
Compulinx
Jul 23, 2022 (Copper Contributor)
Thanks for this, but just to clarify (I should have added this to the original question).
I have added the Application Administrator role to TestApp3 first:
So, as Global Admin:
# Service principal of TestApp3, added as a member of the (activated) Application Administrator role
$sp = Get-AzureADServicePrincipal -SearchString "testapp3"
$appAdminRole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Application Administrator" }
Add-AzureADDirectoryRoleMember -ObjectId $appAdminRole.ObjectId -RefObjectId $sp.ObjectId
This allows me to connect as TestApp3 and assign users to TestApp2:
# Certificate-based app-only sign-in as TestApp3 (values redacted)
$cert = Get-ChildItem Cert:\LocalMachine\My\B*****
$tenant = "109***"
$applicationID = "afd7a2***"
Connect-AzureAD -TenantId $tenant -CertificateThumbprint $cert.Thumbprint -ApplicationId $applicationID
Once connected, you can assign users to App2:
$user = Get-AzureADUser -SearchString "<email address removed for privacy reasons>"
$servicePrincipal = Get-AzureADServicePrincipal -ObjectId "6f***"   # SP of testApp2
# [Guid]::Empty is the default access role for an app that defines no app roles
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
Now this works, but the problem is:
TestApp3 can assign that user to ANY SP (not just TestApp2).
The role of Application Administrator is way too strong. I need a role that is just used to assign users. Nothing else.
Hope this is clearer. Appreciate your input.
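The following is an added example, not code from either poster. It shows, for the AzureAD module used in this thread, (1) how to audit which directory roles the TestApp3 service principal actually holds, (2) an idempotent user-assignment helper that is hard-scoped to a single target service principal, and (3) a least-privilege alternative to Application Administrator. The object IDs are placeholders, and the ownership approach in step 3 is an assumption to verify in your own tenant: owners of an enterprise application can manage its user and group assignments, and a service principal can be made such an owner, but the thread itself does not confirm this. The scope check in step 2 is only a guard rail inside the script; it does not limit what the connected identity could do if its credential were misused, which is exactly the problem the poster raises.

```powershell
# Added example (not from the thread). Assumes the AzureAD module is loaded and Connect-AzureAD
# has already been run: as Global Admin for steps 1 and 3, as TestApp3 for step 2.
# Placeholder identifiers (assumptions):
$targetSpObjectId = "<object id of the TestApp2 service principal>"
$automationAppId  = "<application (client) id of TestApp3>"

# 1. Which activated directory roles does a service principal currently hold?
#    Use this to confirm that TestApp3 sits in Application Administrator.
function Get-ServicePrincipalDirectoryRoles {
    param([Parameter(Mandatory)][string]$AppId)
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for appId $AppId" }
    foreach ($role in Get-AzureADDirectoryRole) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        if ($members.ObjectId -contains $sp.ObjectId) {
            [pscustomobject]@{
                Role           = $role.DisplayName
                RoleObjectId   = $role.ObjectId
                MemberObjectId = $sp.ObjectId
            }
        }
    }
}

# 2. Assign a user to the target app only. Refuses any other resource and skips users
#    that already hold the assignment, so re-running it is safe.
function Add-UserToTargetApp {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ResourceObjectId,
        [string]$AppRoleId = [Guid]::Empty.ToString()   # default access role, as in the thread
    )
    if ($ResourceObjectId -ne $targetSpObjectId) {
        throw "Refusing to assign to $ResourceObjectId; this script is scoped to $targetSpObjectId"
    }
    $user = Get-AzureADUser -ObjectId $UserPrincipalName   # -ObjectId also accepts a UPN
    $existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
        Where-Object { $_.ResourceId -eq $ResourceObjectId -and $_.Id -eq $AppRoleId }
    if ($existing) {
        Write-Output "$UserPrincipalName is already assigned; nothing to do"
        return $existing
    }
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
        -ResourceId $ResourceObjectId -Id $AppRoleId
}

# 3. Least-privilege alternative (assumption to verify): make TestApp3's service principal an
#    owner of the TestApp2 service principal, then remove it from Application Administrator.
#    Run as Global Admin, and only remove the role after step 2 has been tested as the owner.
function Set-ScopedAssignerViaOwnership {
    param(
        [Parameter(Mandatory)][string]$AssignerAppId,
        [Parameter(Mandatory)][string]$ResourceObjectId
    )
    $assigner = Get-AzureADServicePrincipal -Filter "appId eq '$AssignerAppId'"
    $owners   = Get-AzureADServicePrincipalOwner -ObjectId $ResourceObjectId
    if ($owners.ObjectId -notcontains $assigner.ObjectId) {
        Add-AzureADServicePrincipalOwner -ObjectId $ResourceObjectId -RefObjectId $assigner.ObjectId
    }
    Get-ServicePrincipalDirectoryRoles -AppId $AssignerAppId |
        Where-Object Role -eq 'Application Administrator' |
        ForEach-Object {
            Remove-AzureADDirectoryRoleMember -ObjectId $_.RoleObjectId -MemberId $_.MemberObjectId
        }
}

# Typical sequence (placeholders; see assumptions above):
# Get-ServicePrincipalDirectoryRoles -AppId $automationAppId
# Set-ScopedAssignerViaOwnership -AssignerAppId $automationAppId -ResourceObjectId $targetSpObjectId
# Add-UserToTargetApp -UserPrincipalName 'user@contoso.example' -ResourceObjectId $targetSpObjectId
```

Run step 1 first to see the tenant-wide role the automation identity holds, test step 2 while the identity is still an owner but no longer a role member, and only then treat the change as complete. If the ownership path does not grant assignment rights in your tenant, the fallback is the same tenant-wide role the poster is trying to avoid, so keep the certificate for TestApp3 under the same protection you would give a Global Admin credential until that is confirmed.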