I am trying to figure out how to use the PowerShell cmdlet New-AzureADGroupAppRoleAssignment to add a group to an app role.
In the AzureAD portal, I would select: enterprise applications > app_name > users and groups > add user/group, then select the group name and the app role.
When I do this in the portal with the app, group, and app role I use below, it completes successfully.
The best way I can tell from the documentation below to run this is something like:
New-AzureADGroupAppRoleAssignment -ObjectId $objectId -Id $objectId -PrincipalId $principalId -ResourceId $resourceId
where:
ObjectId = name of the group being assigned to the app role
Id = not sure here, but some examples point to using the group object ID again
PrincipalId = app object id
ResourceId = app role object id
When I run this, I get the following error:
New-AzureADGroupAppRoleAssignment : Error occurred while executing NewGroupAppRoleAssignment
Code: Request_BadRequest
Message: Not a valid reference update.
RequestId: fb8145c9-8fb4-4d6d-92b7-f48a81ef1e2d
DateTimeStamp: Thu, 07 Jul 2022 15:27:10 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At \truenas\IT\Scripts\AzureAD\AzureAD-Add App Role to Group Test.ps1:12 char:1
+ New-AzureADGroupAppRoleAssignment -ObjectId $objectId -Id $id -Princi ...
    + CategoryInfo          : NotSpecified: (:) [New-AzureADGroupAppRoleAssignment], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewGroupAppRoleAssignment
These are the correct values to use for the parameters in New-AzureADGroupAppRoleAssignment:
ObjectId = Group object ID
Id = App role ID
PrincipalId = Group object ID
ResourceId = Enterprise Application object ID
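The following script is an added example, not code from the question or the answer above. It resolves every ID from display names and then calls New-AzureADGroupAppRoleAssignment with the parameter mapping the answer gives. The group name, application name and role value are placeholders; the cmdlets and properties (Get-AzureADGroup, Get-AzureADServicePrincipal, the service principal's AppRoles collection, Get-AzureADGroupAppRoleAssignment) are the AzureAD module's own.

```powershell
# Added example (not from the original post): assign an Azure AD group to an
# app role with the AzureAD module. Names below are placeholders.

Connect-AzureAD | Out-Null

$groupName    = 'SG-App-Readers'      # placeholder: group display name
$appName      = 'Contoso Reporting'   # placeholder: enterprise application display name
$appRoleValue = 'Reader'              # placeholder: the role's "value" from the app manifest

# 1. The group is both the object the cmdlet operates on (-ObjectId)
#    and the principal that receives the role (-PrincipalId).
$group = Get-AzureADGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }
if (@($group).Count -gt 1) { throw "More than one group named '$groupName'; look it up by ObjectId instead" }

# 2. -ResourceId is the service principal (Enterprise Application) object ID.
#    It is not the app registration's object ID and not the application (client) ID,
#    which is the usual cause of "Not a valid reference update".
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Service principal '$appName' not found" }
if (@($sp).Count -gt 1) { throw "More than one service principal named '$appName'; look it up by ObjectId instead" }

# 3. -Id is the app role's own ID, read from the service principal's AppRoles.
#    Only enabled roles whose AllowedMemberTypes include 'User' can be assigned to groups.
$appRole = $sp.AppRoles | Where-Object {
    $_.Value -eq $appRoleValue -and $_.IsEnabled -and ($_.AllowedMemberTypes -contains 'User')
}
if (-not $appRole) { throw "No enabled, user-assignable app role with value '$appRoleValue' on '$appName'" }

# 4. Check for an existing assignment so the script is idempotent: the assignment
#    object's Id is the app role ID and its ResourceId is the service principal.
$existing = Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $appRole.Id }

if ($existing) {
    Write-Host "Group '$groupName' already holds role '$appRoleValue' on '$appName'"
} else {
    # Parameter mapping from the accepted answer.
    $params = @{
        ObjectId    = $group.ObjectId   # group object ID
        PrincipalId = $group.ObjectId   # group object ID again
        ResourceId  = $sp.ObjectId      # enterprise application (service principal) object ID
        Id          = $appRole.Id       # app role ID
    }
    $assignment = New-AzureADGroupAppRoleAssignment @params
    Write-Host "Assigned '$appRoleValue' on '$appName' to '$groupName' (assignment ObjectId $($assignment.ObjectId))"
}
```

Note that the account running this needs rights to write app role assignments (for example Application Administrator or Cloud Application Administrator), and that the AzureAD module is deprecated in favour of Microsoft Graph PowerShell, where the equivalent is New-MgGroupAppRoleAssignment with -GroupId, -PrincipalId, -ResourceId and -AppRoleId carrying the same four values.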