How to add an app role to a service principal using PowerShell

Hi All,

I would like to add app roles to my service principal in Azure AD.
1 Reply

@Sagar_Lad,
[CmdletBinding()]
Param
(
    [Parameter(Mandatory = $true)][string]$AppName,
    [Parameter(Mandatory = $true)][string]$token,
    # "User", "Application", or both
    [Parameter(Mandatory = $true)][string[]]$AllowedMemberTypes
)

try {

    # Connect-AzureAD with the access token, reusing tenant and account from the current Az context
    Install-Module -Name AzureAD -Scope CurrentUser -Force

    $currentAzureContext = Get-AzContext
    $tenantId = $currentAzureContext.Tenant.Id
    $accountId = $currentAzureContext.Account.Id
    Connect-AzureAD -AadAccessToken $token -AccountId $accountId -TenantId $tenantId

    # Create an application role of given name and description

    $Id = [Guid]::NewGuid().ToString()

    # Create new AppRole object; AllowedMemberTypes comes from the parameter instead of being hard-coded
    $newAppRole = [Microsoft.Open.AzureAD.Model.AppRole]::new()
    $newAppRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    foreach ($memberType in $AllowedMemberTypes) {
        $newAppRole.AllowedMemberTypes.Add($memberType)
    }
    $newAppRole.DisplayName = "User"
    $newAppRole.Description = "User Role"
    $newAppRole.Value = "User"
    $newAppRole.Id = $Id
    $newAppRole.IsEnabled = $true

    # Add new AppRole and apply changes to Application object.
    # App roles are defined on the application registration; the service principal
    # that shares its AppId mirrors them, so look up and update the application, not the SPN.
    $App = Get-AzureADApplication -Filter "displayName eq '$AppName'"
    if (-not $App) { throw "Application '$AppName' not found" }
    if (@($App).Count -gt 1) { throw "More than one application is named '$AppName'; select by AppId instead" }

    # -AppRoles replaces the whole collection, so start from every existing role
    $appRoles = @($App.AppRoles)
    Write-Output $appRoles

    # Role values must be unique within an application
    if ($appRoles | Where-Object { $_.Value -eq $newAppRole.Value }) {
        throw "An app role with value '$($newAppRole.Value)' already exists on '$AppName'"
    }

    $appRoles += $newAppRole
    Write-Output $appRoles

    Set-AzureADApplication -ObjectId $App.ObjectId -AppRoles $appRoles

    # Confirm the service principal now exposes the role
    $SPN = Get-AzureADServicePrincipal -Filter "appId eq '$($App.AppId)'"
    Write-Output $SPN.ObjectId
    Write-Output $SPN.AppRoles
}
catch {
    $message = $_.Exception.Message
    Write-Host "##vso[task.logissue type=error;]$message."
    Write-Error $message
}
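The same procedure with the Microsoft Graph PowerShell SDK, which supersedes the AzureAD module used in the reply above. This is an added example, not code from the thread; the application name "MyApi", the role value "Reader" and the Application.ReadWrite.All scope are assumptions for illustration. It defines the role on the application registration, guards against duplicate role values and non-unique display names, and then verifies the role on the service principal, which is the object role assignments are made against.

```powershell
# Added example (not from the original thread): add an app role with the Microsoft Graph
# PowerShell SDK. Assumed values: application "MyApi", role value "Reader",
# and a signed-in account that holds Application.ReadWrite.All.

Connect-MgGraph -Scopes "Application.ReadWrite.All"

$appName   = "MyApi"    # assumed display name of the app registration
$roleValue = "Reader"   # assumed role value; surfaces in the token's 'roles' claim

$app = Get-MgApplication -Filter "displayName eq '$appName'"
if (-not $app) { throw "Application '$appName' not found" }
if (@($app).Count -gt 1) { throw "Display name '$appName' is not unique; select by AppId instead" }

# App roles live on the application object and -AppRoles replaces the whole
# collection, so start from the existing roles rather than an empty list.
$roles = @($app.AppRoles)

# Role values must be unique within one application
if ($roles | Where-Object { $_.Value -eq $roleValue }) {
    throw "App role '$roleValue' already exists on '$appName'"
}

$newRole = @{
    Id                 = [Guid]::NewGuid().ToString()
    AllowedMemberTypes = @("User", "Application")   # users/groups, client apps, or both
    DisplayName        = "Reader"
    Description        = "Read-only access to the API"
    Value              = $roleValue
    IsEnabled          = $true
}

Update-MgApplication -ApplicationId $app.Id -AppRoles ($roles + $newRole)

# The service principal (enterprise app) mirrors the application's roles;
# check there, because role assignments reference the service principal.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$sp.AppRoles |
    Where-Object { $_.Value -eq $roleValue } |
    Format-List Id, Value, AllowedMemberTypes, IsEnabled

# Removing a role later is a two-step change: first update with IsEnabled = $false,
# then update again with the role omitted, since Graph rejects deleting an enabled role.
```

Assigning the new role to a user, group or client application is a separate step (an appRoleAssignment on the service principal) and is not covered here.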