
PowerShell for App creation and permissions in Azure AD

Adam Fowler
MVP

Hi,
I've been working on scripting ways to create applications on the fly and apply group permissions, but I'm a bit stuck.

 

What I'm doing is creating an app for a SharePoint Online site, adding users to a group then trying to add the group to have access to the app.

 

For App creation if I use this command:

New-AzureRmADApplication -DisplayName "ABC" -HomePage "https://URLGOESHERE" -IdentifierUris "URLGOESHERE"

 

When I do that, the app doesn't have the option via Azure AD GUI to turn "User assignment required to access app" off or on as it's greyed out, and if I try to make a change via the GUI it gives a generic error.

 

So, if I create the app manually.. how do I give a group permission to the app?


I found this: https://social.msdn.microsoft.com/Forums/en-US/de3c56e2-9010-463c-9bbd-faf70069cd26/azure-ad-manage-...

 

but when I try that, I get this error:

New-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
StatusCode: BadRequest
ErrorCode: Request_BadRequest
Message: One or more properties are invalid.

 

I'm stuck now, so wondering if anyone has successfully done this, or can point me in the right direction?

6 Replies

I would recommend asking this question in the SharePoint Developers space, some of the people from the PnP team may be able to answer this type of question.

 

@Vesa Juvonen 

Hi Dean,

This doesn't really have anything to do with SharePoint Online though, it just happens to be the URL destination of the app I'm adding. Could be anything and the same applies.

Well, it may not be a SPO issue, but the community space at https://techcommunity.microsoft.com/t5/SharePoint-Developer/bd-p/SharePointDev has a lot more activity than this one, and the people in that Space are really smart and always helpful.

I'm not having a go here, but why does this forum exist if it's recommended to post on topic ideas elsewhere? :)

Solution

Ended up working out how to do this, here's my writeup for anyone else interested:

 

https://www.adamfowlerit.com/2017/01/azure-active-directory-assigning-groups-applications-powershell...

Hey Adam, you're more than welcome to post here! Glad to see you worked this out and shared the resolution for others that may have the same issue. You're a hero ;)
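
The task discussed in this thread (giving a group access to an application and requiring assignment), as an added example that is not taken from any post here or from the linked write-up. It uses the AzureAD module and assumes an existing Connect-AzureAD session; 'ABC' is the display name from the question and 'ABC-Users' is a placeholder group name.

```powershell
# Added example. Assumes: AzureAD module loaded, Connect-AzureAD already run.
$appName   = 'ABC'         # display name used in the question
$groupName = 'ABC-Users'   # placeholder group name

# App role assignments attach to the service principal (the "Enterprise
# application" entry), not to the application registration object.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) {
    # No service principal yet: create one from the application registration.
    $app = Get-AzureADApplication -Filter "displayName eq '$appName'"
    if (@($app).Count -ne 1) { throw "Expected exactly one application named '$appName'." }
    $sp = New-AzureADServicePrincipal -AppId $app.AppId
}
if (@($sp).Count -ne 1) { throw "More than one service principal named '$appName'." }

$group = Get-AzureADGroup -Filter "displayName eq '$groupName'"
if (@($group).Count -ne 1) { throw "Expected exactly one group named '$groupName'." }

# Use the first enabled role that users/groups may hold; if the app defines
# no roles, the all-zero GUID means "default access".
$role = $sp.AppRoles |
    Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' } |
    Select-Object -First 1
$roleId = if ($role) { $role.Id } else { [Guid]::Empty.ToString() }

# Skip the call if the group is already assigned to this service principal.
$existing = Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ResourceId -eq $sp.ObjectId }
if (-not $existing) {
    # -ObjectId and -PrincipalId are both the group's ObjectId;
    # -ResourceId is the service principal's ObjectId (not the AppId).
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId `
        -PrincipalId $group.ObjectId -ResourceId $sp.ObjectId -Id $roleId | Out-Null
}

# Turn on "User assignment required" so only assigned principals get access.
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

# Review who is assigned to the application after the change.
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    Select-Object PrincipalDisplayName, PrincipalType, Id
```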
