Reputation: 99
My client has AzureAD Premium, so we can assign Groups to Roles
We can script creation of new groups (in their on-premises AD), and adding users to those groups, and syncing the groups to AAD
We can script manipulation of the manifest file
But what I haven't worked out is how to do the "Assign Group to App Role" automatically. Someone has to go into the Azure portal > directory > applications > our app > Users and Groups > find the groups to assign > assign > find the matching role... (rinse and repeat).
The app is essentially SharePoint (external to Azure - we just federate on-premises AD to AAD for A&A to the app) and the groups match roles that restrict access to various libraries. Unfortunately my client's business model is quite varied and that means we have a lot of groups to map to a lot of roles.
PowerShell is our scripting admin language of choice.
I have made a bit of progress with Get-AzureAdGroup -SearchString "groupname", which gives me objectId. I can pipe that to Get-AzureAdGroupAppRoleAssignment and that gives me id, which matches the GUID from the manifest file. So this all links together, apart from the actual assigning of the group to a role.
So, next I started looking at the GraphAPI based on this blog. (The blog was all about bulk adding users to a single specific Role when you don't have AAD Premium).
I have managed to get a small amount of success with GET https://graph.windows.net/[tenant].onmicrosoft.com/servicePrincipals/[app id]/appRoleAssignments?api-version=1.6
but some of my test groups, even though they show up in the Azure Portal as assigned, don't show up in the response to the above REST query. Some do and when I unassign them via the portal they are removed from the response as well. The lack of consistency doesn't give me confidence in my query.
Are there native PowerShell cmdlets to do AppRoleAssignments? (This would be my preference over the GraphAPI.)
Why the inconsistent results from the GraphAPI?
Thanks in advance for any pointers
Update
I'm investigating the *-AzureAd* cmdlets (from the AzureADPreview module), but the Microsoft Documentation is a bit light - it is only a preview, but I think they could have better documentation than:
Inputs: The input type is the type of the objects that you can pipe to the cmdlet.
Outputs: The output type is the type of the objects that the cmdlet emits.
These cmdlets do seem to wrap up the GraphAPI REST calls.
Update 2
The AzureADPreview cmdlets are the correct solution.
Connect-AzureAD -TenantId xxxxx-xxxx-xxxx-etc
# Service principal of the app; its AppRoles property carries the role GUIDs from the manifest
$app = Get-AzureADServicePrincipal -SearchString "display name of app"
foreach ($AD_group_name in $list_of_names_to_map) {
    $AADGroup = Get-AzureADGroup -SearchString $AD_group_name
    # Pick the app role whose value matches the group's display name
    $AppRole = $App.AppRoles | ?{$_.value -like $AADGroup.DisplayName}
    $NewAssignmentParams = @{
        'id' = $AppRole.Id;                 # app role GUID
        'objectid' = $AADGroup.ObjectId;    # group receiving the role
        'PrincipalId' = $AADGroup.ObjectId;
        'ResourceId' = $App.ObjectId;       # service principal of the app
    }
    New-AzureADGroupAppRoleAssignment @NewAssignmentParams
}
Upvotes: 0
Views: 4991
Reputation: 41
Using the new AZ module:
Get-AzADGroup -SearchString "Your azure ad or on prem ad group"
This will generate some info. Copy the Id and then run:
New-AzRoleAssignment -ObjectId 8baabe9f-245e-456b-9bd8-b8c09002df52 -RoleDefinitionName Contributor -ResourceGroupName "Your RG Name"
Upvotes: 0
Reputation: 99
The module and cmdlets I described in my Update 2 are the correct solution.
$NewAssignmentParams = @{
    'id' = $AppRole.Id;
    'objectid' = $AADGroup.ObjectId;
    'PrincipalId' = $AADGroup.ObjectId;
    'ResourceId' = $App.ObjectId;
}
New-AzureADGroupAppRoleAssignment @NewAssignmentParams
where
id can be got from the Application's AppRoles property or the manifest file
objectId & principalId are the objectId property of the AD Group being mapped to the role
ResourceId is the Application's objectId property
Upvotes: 2
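An added example, not code from the question or either answer: an idempotent form of the Update 2 loop that uses exact-match filters instead of -SearchString, skips assignments that already exist (so the script is safe to re-run), and reports any other role the group already holds on the app. It assumes an existing Connect-AzureAD session, the AzureADPreview cmdlets, and a constructed $RoleMap of group display name to app role value (the page itself matches role value to group name; the map is a generalisation).

```powershell
# Added example; $AppDisplayName and the $RoleMap entries are constructed placeholders.
$AppDisplayName = 'display name of app'
$RoleMap = @{
    'SP-Finance-Readers' = 'Finance.Read'    # constructed: AD group name -> app role value
    'SP-Finance-Editors' = 'Finance.Write'
}

# Exact displayName filter: -SearchString is a prefix match and can return several principals.
$App = @(Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($App.Count -ne 1) { throw "Expected exactly one service principal named '$AppDisplayName', found $($App.Count)" }
$App = $App[0]

foreach ($GroupName in $RoleMap.Keys) {
    $Group = @(Get-AzureADGroup -Filter "displayName eq '$GroupName'")
    if ($Group.Count -ne 1) { Write-Warning "Skipping '$GroupName': found $($Group.Count) groups"; continue }
    $Group = $Group[0]

    # -eq rather than -like: a wildcard character in a role value would otherwise match several roles.
    $Role = $App.AppRoles | Where-Object { $_.Value -eq $RoleMap[$GroupName] -and $_.IsEnabled }
    if (-not $Role) { Write-Warning "Skipping '$GroupName': no enabled app role '$($RoleMap[$GroupName])'"; continue }

    # Assignments this group already holds on this app; Id on each entry is the app role GUID.
    $Existing = @(Get-AzureADGroupAppRoleAssignment -ObjectId $Group.ObjectId |
        Where-Object { $_.ResourceId -eq $App.ObjectId })

    if ($Existing | Where-Object { $_.Id -eq $Role.Id }) {
        Write-Verbose "'$GroupName' already holds '$($Role.Value)'; nothing to do"
    } else {
        New-AzureADGroupAppRoleAssignment -ObjectId $Group.ObjectId -PrincipalId $Group.ObjectId `
            -ResourceId $App.ObjectId -Id $Role.Id | Out-Null
        Write-Output "Assigned '$GroupName' -> '$($Role.Value)'"
    }

    # Report (do not remove) any other role the group holds on the app so drift from the map is visible.
    foreach ($Extra in ($Existing | Where-Object { $_.Id -ne $Role.Id })) {
        $ExtraRole = $App.AppRoles | Where-Object { $_.Id -eq $Extra.Id }
        Write-Warning "'$GroupName' also holds role '$($ExtraRole.Value)' (assignment $($Extra.ObjectId)) not in the map"
    }
}
```

Run with -Verbose to see the groups that were already correctly assigned; a display name containing an apostrophe would need escaping in the OData filter.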