Trying to find Azure CLI Equivalent of New-AzureADGroupAppRoleAssignment

Question

I've found a PowerShell script that allows for modifying an AzureAD Group AppRole Assignment, but can't figure out what the equivalent Azure CLI command would be. I will be running these scripts on Linux hosts, so I'd prefer to not go the route of installing PowerShell on these hosts, and instead rely on the Azure CLI directly.

The background for this "task" is to be able to dynamically update an App Registration with additional roles/groups. I'm able to update the appRoles for the AppRegistration via the az rest commands, but haven't found a way to convert the last step from PowerShell cmdlets.

The command I'm struggling with:

New-AzureADGroupAppRoleAssignment -ObjectId $myGroup.ObjectId -PrincipalId $myGroup.ObjectId -ResourceId $servicePolicy.ObjectId -Id $myUniqueId

Any help/suggestions are appreciated!

Answer 1

There is no built-in command in Azure CLI, your option is to use az rest call the Microsoft Graph - Grant an appRoleAssignment to a group.

Sample:

az rest --method POST --uri 'https://graph.microsoft.com/v1.0/groups/<object-id of the group>/appRoleAssignments' --headers 'Content-Type=application/json' --body '{"principalId": "principalId-value","resourceId": "resourceId-value","appRoleId": "appRoleId-value"}'

The meanings of the values used:

Test result:

Answer 2

To add a role assignment for a group, use az role assignment create.

Firstly, get your azure ad group object Id.

az ad group show --group "joeyadgroup"

Then, assign a role to the group with the objectId we get above.

az role assignment create --role "Virtual Machine Contributor" --assignee-object-id xxxxxxxxxxxxxxxxxxxxxxxx

The output is as below: