List and add users in an Azure enterprise application via PowerShell

Gaetan Meister 21 Reputation points


We have a few users to populate and I'm trying to:

1) export the list of users and app roles for all Azure enterprise applications via PowerShell.

I was able to retrieve the list of users:

    Get-AzureADServicePrincipal -SearchString "AWS engineering" | Get-AzureADServiceAppRoleAssignment | select ResourceDisplayName, PrincipalDisplayName

But haven't managed to pull down the appropriate app role assignment for each user.

2) be able to populate the list via a CSV file.


3 answers

  1. Jose Antonio Silva 6 Reputation points

    @Gaetan Meister check this article please:

    In this post, I am going to share a PowerShell script to find and retrieve the list of Azure AD integrated apps (Enterprise Applications) with their API permissions. Also, list users who are authorized to use the app.

    In Azure AD, the integrated apps or Enterprise applications are nothing but an instance (ServicePrincipal object) or mirror of the apps (Application object) which are generally published in other company tenants (or in your own tenant). We can use the Get-AzureADServicePrincipal cmdlet to fetch all the integrated apps.


  2. Gaetan Meister 21 Reputation points

    That didn't help, but I found out with this script. Now I have to figure out how to populate from a CSV.

    # Get the matching service principals and, for each one, get all the app role
    # assignments, resolving the app role ID to its display name. Output as a table.
    Get-AzureADServicePrincipal -SearchString "aws engineering" | % {
      # Build a hash table of the service principal's app roles. The 0-Guid is
      # used in an app role assignment to indicate that the principal is assigned
      # to the default app role (or rather, no app role).
      $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
      $_.AppRoles | % { $appRoles[$_.Id] = $_.DisplayName }
      # Get the app role assignments for this app, and add a field for the app role name
      Get-AzureADServiceAppRoleAssignment -ObjectId ($_.ObjectId) | % {
        $_ | Add-Member "AppRoleDisplayName" $appRoles[$_.Id] -PassThru
      }
    } | ft ResourceDisplayName, PrincipalDisplayName, AppRoleDisplayName, CreationTimestamp

  3. Gaetan Meister 21 Reputation points


    # Read one assignment per CSV row (columns: UPN, app_name, app_role_name)
    foreach ($i in (Import-Csv enterprise_app_role_assignments.csv)) {
      $usr = $i.UPN
      $app_name = $i.app_name
      $app_role_name = $i.app_role_name
      # Get the user to assign, and the service principal for the app to assign to
      $user = Get-AzureADUser -ObjectId "$usr"
      $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
      $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
      # Assign the user to the app role
      New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
    }
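Added example, not part of the thread or any poster's code: a more defensive take on the CSV import in answer 3 that refuses ambiguous display-name matches, skips assignments that already exist, and defaults to a dry run that reports what it would change. The function name `Add-AppRoleAssignmentsFromCsv`, the `-Apply` switch and the report file name are hypothetical; it assumes the AzureAD module, an existing `Connect-AzureAD` session, and the CSV columns used in the answer above.

```powershell
# Added example (hypothetical helper, not from the thread). Assumes the AzureAD
# module and an existing Connect-AzureAD session. CSV columns: UPN, app_name, app_role_name.
function Add-AppRoleAssignmentsFromCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Apply   # without -Apply nothing is changed; rows are only evaluated
    )
    foreach ($row in Import-Csv -Path $Path) {
        $result = [ordered]@{ UPN = $row.UPN; App = $row.app_name; Role = $row.app_role_name; Status = '' }
        try {
            # Double any single quote so a display name cannot break out of the OData filter
            $appFilter = "displayName eq '{0}'" -f $row.app_name.Replace("'", "''")
            $sp = @(Get-AzureADServicePrincipal -Filter $appFilter)
            if ($sp.Count -ne 1) { throw "expected 1 service principal, found $($sp.Count)" }

            # Display names are not unique identifiers, so require exactly one enabled role
            $role = @($sp[0].AppRoles |
                Where-Object { $_.DisplayName -eq $row.app_role_name -and $_.IsEnabled })
            if ($role.Count -ne 1) { throw "expected 1 enabled app role, found $($role.Count)" }

            $user = Get-AzureADUser -ObjectId $row.UPN -ErrorAction Stop

            # Skip rows that are already assigned so the import can be rerun safely
            $existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -All $true |
                Where-Object { $_.ResourceId -eq $sp[0].ObjectId -and $_.Id -eq $role[0].Id }
            if ($existing)        { $result.Status = 'AlreadyAssigned' }
            elseif (-not $Apply)  { $result.Status = 'WouldAssign' }
            else {
                New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
                    -ResourceId $sp[0].ObjectId -Id $role[0].Id -ErrorAction Stop | Out-Null
                $result.Status = 'Assigned'
            }
        }
        catch { $result.Status = "Skipped: $($_.Exception.Message)" }
        [pscustomobject]$result   # one report row per CSV row
    }
}

# Dry run first; review the report, then repeat with -Apply
Add-AppRoleAssignmentsFromCsv -Path .\enterprise_app_role_assignments.csv |
    Export-Csv .\assignment_report.csv -NoTypeInformation
```

The report CSV doubles as a change record: every row ends up as `Assigned`, `AlreadyAssigned`, `WouldAssign` or `Skipped` with the reason.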