Reputation: 146
Attempting to assign a role to an app registration but struggling to identify the suitable command in the AZ module for PowerShell or Azure CLI.
The AzureAD Module command below is functioning as intended:
New-AzureADServiceAppRoleAssignment -ObjectId $resourceObjectId -Id $roleId -PrincipalId $sourceServicePrincipalId -ResourceId $resourceObjectId
However, I'm encountering difficulties migrating the above-mentioned command to a new module. I'm uncertain about which scope to specify for the new commands, leading to issues in the migration process.
Could someone kindly help here?
I need help migrating the above command to an Azure CLI / Az module PowerShell script.
Upvotes: 1
Views: 1715
Reputation: 22307
I have created one App role named tasks.read with the below properties:
Now, I ran the below Az PowerShell command to assign this App role API permission to an application registration:
Add-AzADAppPermission -ApplicationId $sourceAppId -ApiId $resourceappId -PermissionId $roleId -Type Role
Get-AzADAppPermission -ApplicationId $sourceAppId
Response:
When I checked the same in the Portal, the API permission was added successfully under the app registration like this:
To do the same via Azure CLI, you can make use of the below command:
az ad app permission add --id <sourceAppObjId> --api <resourceAppId> --api-permissions <roleId>=Role --only-show-errors
Response:
If you are getting an "Insufficient privileges" error, make sure to assign at least the Application Administrator Entra role to your user in the directory like this:
Go to Azure Portal -> Microsoft Entra ID -> Roles and administrators -> All roles -> Select role -> Add assignment
Reference:
Add-AzADAppPermission (Az.Resources) | Microsoft Learn
Upvotes: 1
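Added example, not part of the question or the answer above: `New-AzureADServiceAppRoleAssignment` from the question creates an app role assignment on the service principal, which is a separate object from the permission entry on the app registration, and the sketch below creates that assignment through the Microsoft Graph `appRoleAssignedTo` endpoint with `az rest`, then lists what is actually granted. The function names are hypothetical, and it assumes a signed-in Azure CLI recent enough that `az ad sp show` returns the object ID as `id`, plus a caller allowed to grant app roles.

```shell
#!/usr/bin/env bash
# Added example (not from the original posts); function names are hypothetical.
# Assumes a signed-in Azure CLI whose "az ad sp show" output exposes "id".

GRAPH="https://graph.microsoft.com/v1.0"

# Reject anything that is not a GUID before it is spliced into a URL or JSON.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Build the appRoleAssignment body: principal = client SP, resource = API SP.
build_assignment_body() {
  local principal_sp="$1" resource_sp="$2" role_id="$3" v
  for v in "$principal_sp" "$resource_sp" "$role_id"; do
    is_guid "$v" || { echo "not a GUID: $v" >&2; return 1; }
  done
  printf '{"principalId":"%s","resourceId":"%s","appRoleId":"%s"}' \
    "$principal_sp" "$resource_sp" "$role_id"
}

# Resolve service principal object IDs from the appIds, then create the grant.
assign_app_role() {
  local source_app_id="$1" resource_app_id="$2" role_id="$3"
  local principal_sp resource_sp body
  principal_sp=$(az ad sp show --id "$source_app_id" --query id -o tsv) || return 1
  resource_sp=$(az ad sp show --id "$resource_app_id" --query id -o tsv) || return 1
  body=$(build_assignment_body "$principal_sp" "$resource_sp" "$role_id") || return 1
  az rest --method POST \
    --uri "$GRAPH/servicePrincipals/$resource_sp/appRoleAssignedTo" \
    --headers "Content-Type=application/json" --body "$body"
}

# List the roles granted to a service principal (pass its object ID), to
# confirm the assignment and to spot grants that are no longer needed.
list_granted_roles() {
  is_guid "$1" || { echo "not a GUID: $1" >&2; return 1; }
  az rest --method GET --uri "$GRAPH/servicePrincipals/$1/appRoleAssignments" \
    --query "value[].{resource:resourceDisplayName, role:appRoleId}" -o table
}
```

Call `assign_app_role "$sourceAppId" "$resourceappId" "$roleId"` with the same values used in the posts above, then `list_granted_roles` with the client service principal's object ID to review the result.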