Resolution: this was fixed by reverting the Microsoft Graph PowerShell module back to version 2.25.0 (the truncation appeared after updating the module).
Update-MgApplication, when adding a new AppRole whose Value contains "arn:", stores it as "a:"
I have a powershell script to add new AppRoles from a list in a CSV file.
The AppRoles are for AWS SSO, so each AppRole Value contains "arn:". When I run the command below
Update-MgApplication -ApplicationId $SPNObjectId -AppRoles $updatedAppRoles
and I can see that $updatedAppRoles contains the correct value — Value : arn:aws:iam::xxxxxxxxxxx:role/devops_admin_role,arn:aws:iam::xxxxxxxxxxxx:saml-provider/azuresso
but the value that ends up stored on the application is: a:aws:iam::xxxxxxxxxxx:role/devops_admin_role,a:aws:iam::xxxxxxxxxxxx:saml-provider/azuresso.
Full script:
######################################################################################
# Azure application role creation and assignment
# Michael Cobden - February 2025
# 1.1 - 2025-03-06 - updated for use with AWS SSO csv files where appname only in first row
######################################################################################
########## App role creation
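#Import module
# The "arn:" -> "a:" truncation reported for this script was tied to the Graph module
# version in use (it went away after reverting to 2.25.0). Fail here, rather than on
# the first Graph call, if the module cannot be loaded.
Import-Module Microsoft.Graph.Applications -ErrorAction Stop
#Connect to MS Graph
# Application.ReadWrite.All allows this session to rewrite any app registration in the
# tenant; every Update-MgApplication call below replaces the whole AppRoles collection.
Connect-MgGraph -Scopes Application.ReadWrite.All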
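function Add-AppRoles {
    <#
    .SYNOPSIS
    Adds one AppRole to an application registration unless a role with the same DisplayName exists.
    .DESCRIPTION
    Looks up the service principal (source of the current AppRoles collection) and the application
    registration (target object id) by DisplayName, appends a new, disabled AppRole and writes the
    full collection back with Update-MgApplication. After the update the stored Value is read back
    and compared with the requested one, because a module-version bug has been seen rewriting
    "arn:" to "a:" on the way in. Errors are written to the host; nothing is rethrown.
    .PARAMETER AppName
    DisplayName of the application / service principal. It is placed in an OData filter, so single
    quotes are doubled to keep a CSV value from breaking out of the string literal.
    .PARAMETER AppRoleDisplayName
    DisplayName of the new role; also the key used for the duplicate check.
    .PARAMETER AppRoleDescription
    Description of the new role.
    .PARAMETER AppRoleValue
    Value (claim) of the new role, e.g. two comma-separated AWS ARNs.
    .PARAMETER AppRoleMemberType
    Accepted for compatibility with the caller but not applied: the role is always created with
    AllowedMemberTypes = @('User'), as in the original version of this function.
    #>
    param(
        [String]$AppName,
        [String]$AppRoleDisplayName,
        [String]$AppRoleDescription,
        [String]$AppRoleValue,
        [String]$AppRoleMemberType
    )
    try {
        # OData string literals are single-quoted; double any quote in the name so the
        # filter cannot be altered (or silently match nothing) by a value read from the CSV.
        $safeName = $AppName -replace "'", "''"
        $filter = "DisplayName eq '$safeName'"

        # The service principal carries the AppRoles we extend; Update-MgApplication
        # needs the id of the application registration.
        $App = Get-MgServicePrincipal -Filter $filter
        $Application = Get-MgApplication -Filter $filter

        if (-not $App -or -not $Application) {
            Write-Host "Application '$AppName' not found (service principal or app registration missing). Skipping." -ForegroundColor Yellow
            return
        }
        if (@($App).Count -gt 1 -or @($Application).Count -gt 1) {
            Write-Host "More than one object named '$AppName'; refusing to update an ambiguous target." -ForegroundColor Yellow
            return
        }
        $SPNObjectId = $Application.Id

        # Force an array so zero or exactly one existing role still concatenates correctly.
        $existingAppRoles = @($App.AppRoles)

        $duplicate = $existingAppRoles | Where-Object { $_.DisplayName -eq $AppRoleDisplayName }
        if ($duplicate) {
            Write-Host "AppRole with DisplayName '$AppRoleDisplayName' already exists. Skipping creation." -ForegroundColor Yellow
            return
        }

        $newAppRole = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole]::new()
        $newAppRole.AllowedMemberTypes = @('User')   # $AppRoleMemberType intentionally not applied (original behaviour)
        $newAppRole.DisplayName = $AppRoleDisplayName
        $newAppRole.Description = $AppRoleDescription
        $newAppRole.Value = [string]$AppRoleValue
        $newAppRole.Id = [Guid]::NewGuid().ToString()
        # Created disabled so the role can be reviewed before it becomes assignable.
        $newAppRole.IsEnabled = $false

        # The whole collection is replaced on the application, not merged.
        $updatedAppRoles = @($existingAppRoles + $newAppRole)
        Update-MgApplication -ApplicationId $SPNObjectId -AppRoles $updatedAppRoles

        # Verify what was actually stored rather than trusting the local object.
        $stored = (Get-MgApplication -ApplicationId $SPNObjectId).AppRoles |
            Where-Object { $_.Id -eq $newAppRole.Id } |
            Select-Object -ExpandProperty Value
        if ($stored -ne $AppRoleValue) {
            Write-Host "Warning: AppRole '$AppRoleDisplayName' was stored with Value '$stored', not the requested '$AppRoleValue'. Check the Microsoft.Graph module version." -ForegroundColor Red
        } else {
            Write-Host "New AppRole '$AppRoleDisplayName' created successfully." -ForegroundColor Green
        }
    } catch {
        Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
    }
}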
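#Import roles to be created from CSV
#Open file dialog box for csv file import
Add-Type -AssemblyName System.Windows.Forms
$FileBrowser = New-Object System.Windows.Forms.OpenFileDialog -Property @{
    InitialDirectory = [Environment]::GetFolderPath('Desktop')
    Filter = 'CSV (*.csv)|*.csv'
}
# Stop if the user cancels instead of trying to import an empty path.
if ($FileBrowser.ShowDialog() -ne [System.Windows.Forms.DialogResult]::OK) {
    Write-Host "No CSV file selected. Exiting." -ForegroundColor Yellow
    Disconnect-MgGraph
    return
}
#import data
$importdata = Import-Csv -Path $FileBrowser.FileName
$appNameColumn = 'Azure AD Application Name (Suggested)'

#BACKUP APP ROLES
#Backup location
$backuppath = Read-Host "Enter location to store app role backup json file (no quotes)"
if (-not (Test-Path -LiteralPath $backuppath -PathType Container)) {
    Write-Host "Backup folder '$backuppath' does not exist. Exiting." -ForegroundColor Red
    Disconnect-MgGraph
    return
}
$timestamp = Get-Date -Format "yyyyMMdd_HHmm"   # YYYYMMDD_HHMM, shared by all backup files of this run

#Backup each app (blank names are dropped: per the header note, the app name may appear only in the first CSV row)
foreach ($appName in ($importdata.$appNameColumn | Where-Object { $_ } | Select-Object -Unique)) {
    # Double single quotes so a name from the CSV cannot break the OData filter.
    $sp = Get-MgServicePrincipal -Filter "DisplayName eq '$($appName -replace "'", "''")'"
    if (-not $sp) {
        Write-Host "Service principal '$appName' not found; nothing to back up." -ForegroundColor Yellow
        continue
    }
    # The display name becomes part of a file name: replace path/reserved characters.
    $safeName = $sp.DisplayName -replace '[\\/:*?"<>|]', '_'
    $backupFile = Join-Path -Path $backuppath -ChildPath "${safeName}_roles_$timestamp.json"
    # -ErrorAction Stop: a failed backup must abort the run before any role is changed.
    $sp.AppRoles | ConvertTo-Json | Out-File -LiteralPath $backupFile -NoClobber -ErrorAction Stop
    Invoke-Item -LiteralPath $backupFile
}

#Check backup for continue running
Read-Host "Check Backup files before continuing. Press Enter to continue or CTRL+C to cancel"

#create roles
Write-Host "Creating roles" -ForegroundColor Cyan
$currentApp = $null
foreach ($role in $importdata) {
    #wait 1 second between Graph writes
    Start-Sleep -Seconds 1

    # Carry the app name forward: the AWS SSO export lists it only on the first row of each app.
    if ($role.$appNameColumn) { $currentApp = $role.$appNameColumn }
    if (-not $currentApp) {
        Write-Host "Skipping row with no application name ('$($role.'Project Role Name')')." -ForegroundColor Yellow
        continue
    }
    $appname = $currentApp
    $AppRoleDisplayName = $role.'Project Role Name'
    $AppRoleDescription = $role.'Project Role Name'

    # 'Expected Outcome [1]' holds text of the form '<label>: "<arn>"'; take the part after the first ': '.
    $value0 = [string]$role.'Expected Outcome [1]'
    $parts = ($value0 -replace '["]') -split ': '
    if ($parts.Count -lt 2 -or -not $parts[1].Trim()) {
        Write-Host "Skipping '$AppRoleDisplayName': no ARN found in 'Expected Outcome [1]' ('$value0')." -ForegroundColor Yellow
        continue
    }
    $value1 = $parts[1].Trim()
    $value2 = ([string]$role.'AMS ARN').Trim()
    if (-not $value2) {
        Write-Host "Skipping '$AppRoleDisplayName': 'AMS ARN' is empty." -ForegroundColor Yellow
        continue
    }
    $AppRoleValue = "$value2,$value1"
    $AppRoleMemberType = $role.'MemberType'
    Write-Host "Debug: AppRoleValue being sent = $AppRoleValue" -ForegroundColor DarkYellow

    #Add roles (Add-AppRoles has no -isEnabled parameter; the role is always created disabled)
    Add-AppRoles -AppName $appname -AppRoleDisplayName $AppRoleDisplayName -AppRoleDescription $AppRoleDescription -AppRoleValue $AppRoleValue -AppRoleMemberType $AppRoleMemberType
}
Disconnect-MgGraph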