Reputation: 1297
I am trying to enable users logging in through Azure device code flow for a public Azure AD App.
I think the exception I am getting is quite straightforward:
In my Azure AD Portal there is no option for adding Users/Groups (Azure AD -> Enterprise Applications), unlike the Web apps; however, there is an option to enable User Assignment (which is what I want to achieve), which makes it more weird because it says "If this option is set to yes, then users must first be assigned to this application before being able to access it."
How to assign users to the application if there is no option to do it from the AD portal? [ Azure documentation here ]
Upvotes: 0
Views: 1189
Reputation: 42043
There are two options:
1. Navigate to the app registration in the portal -> Authentication -> set "Treat application as a public client" to No -> go to the corresponding enterprise application -> Users and groups -> add the user -> go back and set "Treat application as a public client" to Yes.
2. You can use the Azure PowerShell New-AzureADUserAppRoleAssignment to add the user directly.
Assign a user to an application without roles:
New-AzureADUserAppRoleAssignment -ObjectId "<user objectid>" -PrincipalId "<user objectid>" -ResourceId "<service principal objectid(i.e. Enterprise Application objectid)>" -Id ([Guid]::Empty)
Assign a user to a specific app role within an application:
$username = "<Your user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
#Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Upvotes: 2
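The PowerShell route from the answer above, carried through as a complete script that is an added example and not part of the original answer. It assumes the AzureAD module is installed and Connect-AzureAD has already been run with an account permitted to manage the application; the UPN, display name and role name are placeholders. Beyond the answer's two cmdlet calls it checks for an existing assignment first (so re-running it does not create duplicates), fails loudly if the app name matches more than one service principal, and only then turns on "User assignment required" (Set-AzureADServicePrincipal -AppRoleAssignmentRequired) so that unassigned users are refused access while the assigned user keeps working. The AzureAD module is deprecated in favour of Microsoft Graph PowerShell, so treat the cmdlet names as the ones this page uses rather than the current recommendation.

```powershell
# Added example, not from the original answer. Assumes: AzureAD module present,
# Connect-AzureAD already done. All values below are placeholders.
$username      = "alice@contoso.example"   # placeholder UPN of the user to assign
$app_name      = "My Device Code App"      # placeholder display name of the app
$app_role_name = ""                        # placeholder; empty string = default access, no specific role

function Get-TargetAppRoleId {
    # Resolve the role display name to the app role GUID; an empty name means the
    # "default access" assignment the answer creates with [Guid]::Empty.
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [string] $RoleDisplayName
    )
    if ([string]::IsNullOrEmpty($RoleDisplayName)) { return [Guid]::Empty }
    $role = $ServicePrincipal.AppRoles | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $role) {
        throw "App role '$RoleDisplayName' not found on '$($ServicePrincipal.DisplayName)'"
    }
    if (-not $role.IsEnabled) {
        throw "App role '$RoleDisplayName' exists but is disabled"
    }
    return $role.Id
}

# Look up the user and the enterprise application (service principal).
$user = Get-AzureADUser -ObjectId $username
$sp   = @(Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'")
if ($sp.Count -eq 0) { throw "No service principal with display name '$app_name'" }
if ($sp.Count -gt 1) { throw "Display name '$app_name' is ambiguous ($($sp.Count) matches); use the object id instead" }
$sp = $sp[0]

$roleId = Get-TargetAppRoleId -ServicePrincipal $sp -RoleDisplayName $app_role_name

# Idempotency check: is this user already assigned to this app with this role?
$existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id.ToString() -eq $roleId.ToString() }

if ($existing) {
    Write-Host "User '$username' is already assigned to '$($sp.DisplayName)' with role id $roleId"
} else {
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
                                    -PrincipalId $user.ObjectId `
                                    -ResourceId  $sp.ObjectId `
                                    -Id          $roleId | Out-Null
    Write-Host "Assigned '$username' to '$($sp.DisplayName)' (role id $roleId)"
}

# Only after at least one user is assigned, require assignment. Flipping this
# first would lock everyone out, which is the situation the question describes.
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

# Verify: list this user's assignments on the app so the change is visible.
Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId } |
    Select-Object PrincipalDisplayName, ResourceDisplayName, Id
```

Because device code flow runs as a public client, the service principal carries no "Users and groups" blade in the portal, but the underlying app role assignment object is the same one the portal would create; this is why the PowerShell assignment satisfies the "User assignment required" check.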