```powershell
# Assign the values to the variables
$username = "<Your user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"

# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }

# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
```
Example
This example uses PowerShell to assign the user Britta Simon to the Microsoft Workplace Analytics application.
```powershell
# Store the proper parameters
$user = Get-AzureADUser -ObjectId <objectId>
$spo = Get-AzureADServicePrincipal -ObjectId <objectId>

# Get the ID of the role assignment
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId | Where-Object { $_.PrincipalDisplayName -eq $user.DisplayName }

# If you run the following, it shows you what is assigned to what
$assignments | Select-Object *

# To remove the app role assignment, run the following command.
Remove-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -AppRoleAssignmentId $assignments[assignment number].ObjectId
```
Remove all users assigned to the application using Azure AD PowerShell
Open an elevated Windows PowerShell command prompt.
Use the following script to remove all users and groups assigned to the application.
```powershell
# Retrieve the service principal object ID.
$app_name = "<Your App's display name>"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$sp.ObjectId

# Get the service principal using its objectId
$sp = Get-AzureADServicePrincipal -ObjectId "<ServicePrincipal objectID>"

# Get the Azure AD app role assignments using the objectId of the service principal
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true

# Remove all users and groups assigned to the application
$assignments | ForEach-Object {
    if ($_.PrincipalType -eq "User") {
        Remove-AzureADUserAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
    } elseif ($_.PrincipalType -eq "Group") {
        Remove-AzureADGroupAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
    }
}
```
```powershell
# Assign the values to the variables
$userId = "<Your user's ID>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"

# Get the service principal and build the parameters (user, service principal and appRole)
$sp = Get-MgServicePrincipal -Filter "displayName eq '$app_name'"
$params = @{
    "PrincipalId" = $userId
    "ResourceId"  = $sp.Id
    "AppRoleId"   = ($sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }).Id
}

# Assign the user to the app role
New-MgUserAppRoleAssignment -UserId $userId -BodyParameter $params |
    Format-List Id, AppRoleId, CreationTime, PrincipalDisplayName,
        PrincipalId, PrincipalType, ResourceDisplayName, ResourceId
```
Example
This example uses Microsoft Graph PowerShell to assign the user Britta Simon to the Microsoft Workplace Analytics application.
```powershell
# Assign the values to the variables
$userId = "<Britta Simon's user ID>"
$app_name = "Workplace Analytics"
```
In this example, we do not know the exact name of the app role we want to assign to Britta Simon. Run the following command to get the service principal ($sp) by its display name.
```powershell
# Get the service principal for the app
$sp = Get-MgServicePrincipal -Filter "displayName eq '$app_name'"
```
Run the following commands to find the app roles exposed by the service principal and pick the one to assign.
```powershell
# Get the app roles exposed by the service principal
$appRoles = $sp.AppRoles

# Display the app roles
$appRoles | ForEach-Object {
    Write-Output "AppRole: $($_.DisplayName) - ID: $($_.Id)"
}

# Assign the values to the variables
$app_role_name = "Analyst (Limited access)"
$appRoleId = ($sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }).Id
```
Prepare the parameters and run the following command to assign the user to the app role.
```powershell
# Prepare parameters for the role assignment
$params = @{
    "PrincipalId" = $userId
    "ResourceId"  = $sp.Id
    "AppRoleId"   = $appRoleId
}

# Assign the user to the app role
New-MgUserAppRoleAssignment -UserId $userId -BodyParameter $params |
    Format-List Id, AppRoleId, CreationTime, PrincipalDisplayName,
        PrincipalId, PrincipalType, ResourceDisplayName, ResourceId
```
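The Microsoft Graph PowerShell scripts above look the service principal up by display name and use whatever `.Id` comes back; display names are not unique in a tenant, and a misspelled role name yields an empty AppRoleId, so the assignment can land on a look-alike application or on the wrong role. The following added example is not from this page or from Microsoft: it wraps the same Graph cmdlets in a defensive function (the name Grant-AppRoleAssignmentSafe is an assumption) that requires exactly one service principal and one enabled role to match, skips an assignment the user already holds, and honours -WhatIf.

```powershell
# Added example, not from the page. The function name is assumed; the cmdlets and
# properties it uses (Get-MgServicePrincipal, AppRoles, Get-MgUserAppRoleAssignment,
# New-MgUserAppRoleAssignment) are the Microsoft Graph PowerShell ones used above.
function Grant-AppRoleAssignmentSafe {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [Parameter(Mandatory)] [string] $AppRoleDisplayName
    )
    # displayName is not unique in a tenant: insist on exactly one match so the
    # assignment cannot silently land on a look-alike application.
    $escaped = $AppDisplayName -replace "'", "''"
    $sps = @(Get-MgServicePrincipal -Filter "displayName eq '$escaped'" -All)
    if ($sps.Count -ne 1) {
        throw "Expected one service principal named '$AppDisplayName', found $($sps.Count)."
    }
    $sp = $sps[0]

    # Resolve the app role by display name; refuse ambiguous or disabled roles
    # instead of passing a null AppRoleId to the API.
    $roles = @($sp.AppRoles | Where-Object { $_.DisplayName -eq $AppRoleDisplayName })
    if ($roles.Count -ne 1) {
        throw "Expected one app role named '$AppRoleDisplayName', found $($roles.Count)."
    }
    if (-not $roles[0].IsEnabled) { throw "App role '$AppRoleDisplayName' is disabled." }
    $appRoleId = $roles[0].Id

    # Idempotency: do nothing if the user already holds this role on this app.
    $existing = Get-MgUserAppRoleAssignment -UserId $UserId -All |
        Where-Object { $_.ResourceId -eq $sp.Id -and $_.AppRoleId -eq $appRoleId }
    if ($existing) {
        Write-Verbose "User $UserId already holds '$AppRoleDisplayName' on '$($sp.DisplayName)'."
        return $existing
    }

    # -WhatIf reports the intended change instead of performing it.
    $target = "$UserId -> $($sp.DisplayName) / $AppRoleDisplayName"
    if ($PSCmdlet.ShouldProcess($target, "Create app role assignment")) {
        $params = @{
            "PrincipalId" = $UserId
            "ResourceId"  = $sp.Id
            "AppRoleId"   = $appRoleId
        }
        New-MgUserAppRoleAssignment -UserId $UserId -BodyParameter $params
    }
}

# Usage, after Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All":
# Grant-AppRoleAssignmentSafe -UserId "<user object ID>" -AppDisplayName "Workplace Analytics" -AppRoleDisplayName "Analyst (Limited access)" -WhatIf
```

Run it with -WhatIf first to confirm which service principal and role were resolved before the assignment is actually created.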