
Valid parameters for New-AzureADGroupAppRoleAssignment PowerShell


I am trying to assign a group to the Azure application from PowerShell. For that, I activated the Azure AD Premium P2 license free trial recently as it is a prerequisite.

Command:

New-AzureADGroupAppRoleAssignment -ObjectId groupid -Id appid -PrincipalId groupid -ResourceId appid

Error:

New-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment 
Code: Request_ResourceNotFound
Message: Resource 'xxxxx-xxx-xxxx-xxxx' does not exist or one of its queried reference-property objects are not present.
RequestId: 85bd8a07-47b8-42d1-9ea8-4966b309350b
DateTimeStamp: Thu, 11 Aug 2022 07:46:33 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureADUserAppRoleAssignment -ObjectId  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADUserAppRoleAssignment], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewUserAppRoleAssignment

I'm guessing something is wrong with my parameters, but the document below does not give any working example for reference. It just mentions that the value should be a string:

New-AzureADGroupAppRoleAssignment | Microsoft Docs

I tried with both the appid and the objectid of the enterprise app and the normal app, but I'm still getting the same error :( Has anyone tried this and made it work?


Solution

  • I tried to reproduce the same in my environment and got the results below:

    New-AzureADGroupAppRoleAssignment -ObjectId 7b344d79-xxxxx -Id 31dfe12d-xxxxxx -PrincipalId 7b344d79-xxxxxx -ResourceId 31dfe12d-xxxxxx
    

    I ran the above command giving the same parameters as you and got the same error.

    To resolve the error, you need to pass the parameters as shown below.

    To make it simple, try the PowerShell script below:

    $groupid = "xxxxxxxxxxxx"          # ObjectId of the group
    $app_name = "your_app_name"         # display name of the enterprise application
    $app_role_name = "your_app_role"    # display name of the app role to assign
    
    # Resolve the group and the service principal (enterprise app) objects
    $group = Get-AzureADGroup -ObjectId $groupid
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
    # App roles are defined on the service principal; pick the one by name
    $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
    
    # -ObjectId/-PrincipalId take the group's ObjectId, -ResourceId the service
    # principal's ObjectId (not the AppId), and -Id the app role's Id
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
    

    When I ran the above script, the group was assigned to the app successfully.

    Reference: Assign users and groups | Microsoft Docs
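A more defensive variant of the answer's script, added here as an example and not part of the original post: it resolves the service principal by the application's AppId (display names are not unique), fails early when the role is missing, disabled or not assignable to users/groups, and skips the call when the group already holds that role. The cmdlets are the AzureAD module ones used above; $groupId, $appId and $roleName are placeholder values.

```powershell
# Added example (not from the original answer): assign an app role to a group idempotently.
# Placeholder values: replace with your own.
$groupId  = "00000000-0000-0000-0000-000000000000"   # the group's ObjectId
$appId    = "11111111-1111-1111-1111-111111111111"   # the application's (client) id
$roleName = "your_app_role"

# Resolve the group and the service principal. -ResourceId must be the
# service principal's ObjectId; passing the AppId there is what produces
# the Request_ResourceNotFound error from the question.
$group = Get-AzureADGroup -ObjectId $groupId
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

# App roles live on the service principal; require the role to exist, be
# enabled, and allow 'User' members (groups are assigned through that type).
$role = $sp.AppRoles | Where-Object { $_.DisplayName -eq $roleName -and $_.IsEnabled }
if (-not $role) { throw "Role '$roleName' not found or disabled on '$($sp.DisplayName)'" }
if ($role.AllowedMemberTypes -notcontains 'User') {
    throw "Role '$roleName' is not assignable to users or groups"
}

# Skip the assignment if the group already holds this exact role on this app.
$existing = Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $role.Id }
if ($existing) {
    Write-Host "Group '$($group.DisplayName)' already holds role '$roleName' on '$($sp.DisplayName)'"
} else {
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId -Id $role.Id
}
```

Run it in a session already connected with Connect-AzureAD; checking the existing assignments first also makes the script safe to re-run from automation without piling up duplicate assignments.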