Assign Users to an app using another app

Occasional Contributor



I hope someone can help with this problem. I have a registered application (lets call it TESTApp3).

I make an Azure AD connection using this application

Connect-AzureAD -TenantId $tenant -CertificateThumbprint $thumb -ApplicationId $applicationID


And I get connected fine. What I need to do is assign users to another application (lets call it TESTApp2) using the connection made by  TESTApp3. I also need it scoped to work only on TESTApp2!


What commands do I use? Any help would be magnificent!!



2 Replies



I was using this script for same kind of task,  it might be useful for you.


hint: make sure test app 3 has permissions to read all the groups and users.



#version 1.0
Connect-AzureAD -TenantId XXXXX -CertificateThumbprint XXXXXX -ApplicationId XXXX
$awseaid= Get-AzureADServicePrincipal -ObjectId "xxxxxx"
$appRole = $awseaid.approles | Where-Object { $_.DisplayName -eq "User" }
$awsgroups = Get-AzureADGroup -All $true | Where-Object {($_.DisplayName -like "AWS*") -and ($_.DisplayName -notlike "*root")  }
$awseagroups=Get-AzureADServiceAppRoleAssignment -ObjectId $awseaid.ObjectId
if($awseagroups.count -ne $awsgroups.count){
foreach($awsgroup in $awsgroups)
    #Write-Output $awsgroup.DisplayName 
    $assignment=Get-AzureADGroupAppRoleAssignment -ObjectId $awsgroup.ObjectId|? {$_.ResourceDisplayName -eq "Single SignOn"}
        Write-Output "adding $($awsgroup.DisplayName) to aws enterprise applicaiton"
        New-AzureADUserAppRoleAssignment -ObjectId $awsgroup.ObjectId -PrincipalId $awsgroup.ObjectId -ResourceId $awseaid.ObjectId -Id $appRole.Id



Thanks for this, but just to clarify (I should have added this to the original question).
I have added the Application Administrator role to TestApp3 first:

So as global admin:
$sp = Get-AzureADServicePrincipal -SearchString "testapp3"

Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Application administrator"}).Objectid -RefObjectId $sp.ObjectId

This allows me to connect TestApp3 and assign users to TestApp2
$cert = Get-ChildItem Cert:\LocalMachine\My\B*****
$tenant = "109***"
$applicationID = "afd7a2***"
Connect-AzureAD -TenantId $tenant -CertificateThumbprint $cert.Thumbprint -ApplicationId $applicationID

Once connected you can assign users to App2

$user = Get-AzureADUser -SearchString email address removed for privacy reasons
$servicePrincipal = Get-AzureADServicePrincipal -ObjectId 6f*** (SP of testApp2)
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectID -PrincipalId $user.ObjectID -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)

Now this works, but the problem is:

TestApp3 can assign that user to ANY SP (not just TestApp2)
The role of Application Administrator is way too strong. I need a role that is just used to assign users. Nothing else.

Hope this is clearer. Appreciate your input.