New-AzureADUserAppRoleAssignment
Assigns a user to an application role.
Syntax
Default (Default)
New-AzureADUserAppRoleAssignment
-ObjectId <String>
[-InformationAction <ActionPreference>]
[-InformationVariable <String>]
-Id <String>
-PrincipalId <String>
-ResourceId <String>
[<CommonParameters>]
Description
The New-AzureADUserAppRoleAssignment cmdlet assigns a user to an application role in Azure Active Directory (AD).
Examples
Example 1: Assign a user to an application without roles
# Get AppId of the app to assign the user to
$appId = Get-AzureADApplication -SearchString "<Your App's display name>"
# Get the user to be added
$user = Get-AzureADUser -searchstring "<Your user's UPN>"
# Get the service principal for the app you want to assign the user to
$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
# Create the user app role assignment
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
This command assigns a user to and application that doesn;t have any roles.
Example 2: Assign a user to a specific role within an application
$username = "<You user's UPN>"
$appname = "<Your App's display name>"
$spo = Get-AzureADServicePrincipal -Filter "Displayname eq '$appname'"
$user = Get-AzureADUser -ObjectId $username
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $spo.ObjectId -Id $spo.Approles[1].id
This cmdlet assigns to the specified user the application role of which the Id is specified with $spo.Approles[1].id. please refer to the description of the -Id parameter for more information on how to retrieve application roles for an application.
Parameters
-Id
The ID of the app role to assign. Provide an empty guid when creating a new app role assignement for an application that does not have any roles, or the Id of the role to assign to the user.
You can retrieve the application's roles by examining the application object's AppRoles property:
Get-AzureadApplication -SearchString "Your Application display name" | select Approles | Fl
This cmdlet returns the list of roles that are defined in an application:
AppRoles : {class AppRole { AllowedMemberTypes: System.Collections.Generic.List1[System.String] Description: <description for this role> DisplayName: <display name for this role> Id: 97e244a2-6ccd-4312-9de6-ecb21884c9f7 IsEnabled: True Value: <Value that will be transmitted as a claim in a token for this role> } }
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-InformationAction
Specifies how this cmdlet responds to an information event. The acceptable values for this parameter are:
- Continue
- Ignore
- Inquire
- SilentlyContinue
- Stop
- Suspend
Parameter properties
| Type: | ActionPreference |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | infa |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-InformationVariable
Specifies an information variable.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | iv |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-ObjectId
Specifies the ID of the user (as a UPN or ObjectId) in Azure AD to which the new app role is to be assigned
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-PrincipalId
The object ID of the principal to which the new app role is assigned. When assigning a new role to a user provide the object ID of the user.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-ResourceId
The object ID of the Service Principal for the application to which the user role is assigned.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Notes
See the migration guide for New-AzureADUserAppRoleAssignment to the Microsoft Graph PowerShell.