Is there a way to assign users (or security groups) to an Enterprise Application (preferably with application role support) via Azure CLI?
@hilari0n Thanks for the question! We are investigating and will update you shortly.
@SnehaAgrawal-MSFT Did you get anywhere with this? I need to also do the same.
@hilari0n Please give me a day and I will update this thread by tomorrow. Thank you.
@hilari0n Azure CLI user cmdlet does not have enough commands as of now to add the users to the enterprise applications. You will have to perform this activity using PowerShell. Alternatively, if you are using Linux or Mac machines, you can utilize PowerShell Core to run the PowerShell cmdlets to achieve the same.
Regarding the steps to perform this activity, please refer to the following URL: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal
@hilari0n At this point we do not have the equivalent CLI cmdlets; however, we request you to add feedback for the same on uservoice. It is reviewed by engineering periodically and they can prioritize it accordingly. We will close this issue now. Should you have any further queries, please feel free to let us know.
Thank you.
> @hilari0n Azure CLI user cmdlet does not have enough commands as of now to add the users to the enterprise applications. You will have to perform this activity using PowerShell. Alternatively, if you are using Linux or Mac machines, you can utilize PowerShell Core to run the PowerShell cmdlets to achieve the same.
> Regarding the steps to perform this activity, please refer to the following URL: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal
Thanks. I'm aware of the linked article. In fact, this issue is a feedback exactly to that article. :)
> @hilari0n At this point we do not have the equivalent CLI cmdlets; however, we request you to add feedback for the same on uservoice. It is reviewed by engineering periodically and they can prioritize it accordingly. We will close this issue now. Should you have any further queries, please feel free to let us know.
I don't think this is a correct uservoice idea, as it refers to assigning applications to roles (so application rights management), not users/groups to applications (so application users management). In other words, I need Azure CLI to be able to do New-AzureADUserAppRoleAssignment, not Add-MsolRoleMember.
Any updates on the Azure CLI command equivalent to New-AzureADUserAppRoleAssignment? We primarily use AZ AD App for all AAD automation and would like to avoid mixing Azure PowerShell cmds.
Managed to do this via "az rest". The Graph API docs are wrong. Example command below:
az rest --method post --uri https://graph.microsoft.com/beta/users/$user/appRoleAssignments --body "{\"appRoleId\": \"$appRoleId\",\"principalId\": \"$user\",\"resourceId\": \"$spObjectId\"}" --headers "Content-Type=application/json"
Hopefully this saves someone a couple of days it took me to work out. You can set the vars in the command using a sequence of az commands in bash. I can post an example bash script if people are interested?
Anyone wanting this to be implemented in AZ CLI should probably upvote this feature request: [FEATURE REQ] App role assignment
@brendanfoxen do you have a working example? I tried your command:
az rest --method post --uri https://graph.microsoft.com/beta/users/$user/appRoleAssignments --body "{"appRoleId": "$appRoleId","principalId": "$user","resourceId": "$spObjectId"}" --headers "Content-Type=application"
But it throws error
az: error: unrecognized arguments: appRoleId: ***,principalId: ***,resourceId: ***
> @brendanfoxen do you have a working example? I tried your command:
> az rest --method post --uri https://graph.microsoft.com/beta/users/$user/appRoleAssignments --body "{"appRoleId": "$appRoleId","principalId": "$user","resourceId": "$spObjectId"}" --headers "Content-Type=application"
> But it throws error
> az: error: unrecognized arguments: appRoleId: ***,principalId: ***,resourceId: ***
It's probably a problem with quoting the "--body" argument value. It's a complex argument, so it has to be quoted, and it has to contain JSON, which itself also uses quotes. You could try using double quotes as the external ones and single quotes for the JSON:
az rest --method post --uri https://graph.microsoft.com/beta/users/$user/appRoleAssignments --body "{'appRoleId': '$appRoleId','principalId': '$user','resourceId': '$spObjectId'}" --headers "Content-Type=application/json"
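The quoting failure discussed in this thread can be avoided by building the JSON body in one place and passing it to `az rest` as a single argument. The script below is an added example, not part of any comment above: the function names and the `AZ` override variable are hypothetical, and it assumes the caller already has the user object ID, the app role ID and the service principal object ID.

```shell
#!/usr/bin/env bash
# Added example: wrap the thread's "az rest" call so the JSON body is always one
# well-formed argument. Function names and the AZ override are hypothetical.

# Succeeds only if $1 has the 8-4-4-4-12 hex GUID shape.
is_guid() {
  # Reject anything that is not hex or a hyphen (quotes, braces, newlines).
  case "$1" in *[!0-9a-fA-F-]*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
}

# Print the appRoleAssignment body for: <principalId> <appRoleId> <resourceId>.
# Validating every value first keeps stray quotes out of the JSON and the URI.
build_assignment_body() {
  for id in "$1" "$2" "$3"; do
    is_guid "$id" || { echo "not a GUID: $id" >&2; return 1; }
  done
  printf '{"principalId":"%s","appRoleId":"%s","resourceId":"%s"}' "$1" "$2" "$3"
}

# Assign user object <principalId> to <appRoleId> on service principal <resourceId>.
# Set AZ=echo for a dry run that prints the command instead of calling Graph.
assign_app_role() {
  body=$(build_assignment_body "$1" "$2" "$3") || return 1
  "${AZ:-az}" rest --method post \
    --uri "https://graph.microsoft.com/beta/users/$1/appRoleAssignments" \
    --body "$body" \
    --headers "Content-Type=application/json"
}
```

Source the file and call `assign_app_role <user-object-id> <app-role-id> <sp-object-id>`; because the body reaches `az` as one quoted variable, the "unrecognized arguments" error from unescaped inner quotes cannot occur.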