Reputation: 683
I am using PowerShell to add roles to an existing App Registration in Azure. I am using this command:
Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $newAppRoles
$newAppRoles is an array of Microsoft.Open.AzureAD.Model.AppRole
When I execute the above command I get this error:
Set-AzureADApplication : Cannot convert 'System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.AppRole]' to the type 'Microsoft.Open.AzureAD.Model.AppRole' required by parameter 'AppRoles'. Specified method is not supported.
The documentation for Set-AzureADApplication says that it requires a list of the app roles, but I am getting this error. There seems to be no other documentation to help me out. Can someone tell me what I am doing wrong?
Below is the full code:
Connect-AzureAD
$myApp = ""
$appName = "Narasimham POC Powershell - Multiple reply URLs"
if (!($myApp = Get-AzureADApplication -Filter "DisplayName eq '$($appName)'" -ErrorAction SilentlyContinue)) {
    Write-Output "Application $appName not found"
}
else {
    Write-Output $myApp
    $currentAppRoles = $myApp.AppRoles
    $appRole = New-Object -TypeName Microsoft.Open.AzureAD.Model.AppRole
    $appRole.IsEnabled = $true
    $appRole.DisplayName = "Read Role"
    $appRole.Value = "Reader"
    $appRole.AllowedMemberTypes = "User"
    $appRole.Id = New-Guid
    $appRole.Description = "Reader Role for Narasimham POC Powershell"
    # Wraps the existing List[AppRole] and the new AppRole in a two-element array
    $newAppRoles = @($currentAppRoles, $appRole)
    Write-Output $newAppRoles
    Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $newAppRoles
}
Upvotes: 2
Views: 1971
Reputation: 9664
I think the issue is with the part of your script that adds a new role to the current roles.
Try replacing this part of the script from your question:
$newAppRoles = @($currentAppRoles, $appRole)
Write-Output $newAppRoles
Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $newAppRoles
with something like this instead:
$currentAppRoles.Add($appRole)
Write-Output $currentAppRoles
Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $currentAppRoles
Here is the full script I used to answer a very similar SO question earlier, in case this is more helpful for you. This adds a new app role to an existing registered application:
Connect-AzureAD -TenantId <Tenant GUID>
# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User")
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name
    return $appRole
}
# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles
$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
# AppRoles is already a List[AppRole], so add to it rather than wrapping it in a new array
$appRoles.Add($newRole)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
Once you are done with the above script to add the AppRole, assigning roles to a user is pretty simple and a direct command is available. Here's a sample script for that:
# Assign the values to the variables
$username = "<Your user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Upvotes: 4
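As an added example (not code from the question or the answer above), the same fix written as a reusable function: it builds the typed List[AppRole] that -AppRoles expects instead of wrapping the existing list in @( ), refuses to add a role whose Value is already present (Azure AD rejects duplicate app role values), and re-reads the application afterwards to confirm the role was actually persisted before anything relies on it for authorization. It assumes an existing Connect-AzureAD session; the function name, its parameters and the placeholder values are mine.

```powershell
# Adds an app role to an existing registration, idempotently by Value,
# and verifies the change by reading the application back.
Function Add-AppRoleIfMissing {
    param(
        [Parameter(Mandatory)][string] $AppObjectId,
        [Parameter(Mandatory)][string] $Value,
        [Parameter(Mandatory)][string] $DisplayName,
        [Parameter(Mandatory)][string] $Description,
        [string[]] $AllowedMemberTypes = @("User")
    )

    $app = Get-AzureADApplication -ObjectId $AppObjectId

    # Copy existing roles into a fresh typed list. Wrapping them as
    # @($app.AppRoles, $newRole) would yield a two-element array
    # [List[AppRole], AppRole], which -AppRoles cannot convert.
    $roles = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]'
    foreach ($r in $app.AppRoles) { $roles.Add($r) }

    if ($roles | Where-Object { $_.Value -eq $Value }) {
        Write-Warning "App role with value '$Value' already exists on $($app.DisplayName); nothing changed."
        return $null
    }

    $role = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $role.Id = New-Guid
    $role.IsEnabled = $true
    $role.Value = $Value
    $role.DisplayName = $DisplayName
    $role.Description = $Description
    $role.AllowedMemberTypes = New-Object 'System.Collections.Generic.List[string]'
    foreach ($t in $AllowedMemberTypes) { $role.AllowedMemberTypes.Add($t) }
    $roles.Add($role)

    Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $roles

    # Re-read the application: the role only grants anything once it is persisted.
    $saved = (Get-AzureADApplication -ObjectId $app.ObjectId).AppRoles |
        Where-Object { $_.Value -eq $Value }
    if (-not $saved) { throw "Role '$Value' was not persisted on $($app.DisplayName)" }
    return $saved
}

# Usage with placeholder values (replace before running):
Add-AppRoleIfMissing -AppObjectId "<Your Application Object Id>" -Value "Reader" `
    -DisplayName "Read Role" -Description "Read-only access to the API"
```

Running it a second time with the same Value is a no-op that only emits a warning, so it is safe to keep in a provisioning script.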