Assign Users to Azure AD Application with PowerShell

Azure AD Enterprise Applications are a great way to connect third-party applications to your Azure Active Directory. Depending on your Azure AD plan you can assign either single users to an application or complete groups.

With Azure AD Plan 1 you can only assign users, not groups. So keeping your list with users up-to-date is a hideous task. Every time you add a new user to your Office 365 tenant you will need to add the user to the Azure AD application as well.

Azure AD Application Users

For example, if you want to integrate Jira Cloud with Azure AD. If you have Jira Cloud Access (Atlassian Cloud Access), you can connect it with your Azure Active Directory so that new users are automatically added to Jira.

Add users to Azure AD Application with PowerShell

To automatically assign new users to enterprise applications, we need to know the existing users and all the licensed users in our tenant.

Getting licensed users is easier with Msol services, but I want to run this script in an Azure Runbook. Authenticating Azure AD is a lot easier (and more convenient) than Msol services.

Tip

If you want to know more about getting started with Azure Runbooks or Authentication in Runbooks, then make sure you read this article.

We are going to need the object id of the Azure AD Enterprise Application, the service principal to be exact. To get this, we can simply filter the AzureADServicePrincipal on the name of the application.

# Connect to Azure AD
Connect-AzureAD

# Get the service principal for the app you want to assign the user to
$servicePrincipal = Get-AzureADServicePrincipal -Filter "Displayname eq 'APPLICATION-NAME'"

With the servicePrincial we can get all the users that has been assigned a role to the application:

# Get all users that are already assigned to the application
$existingUsers = Get-AzureADServiceAppRoleAssignment -all $true -ObjectId $servicePrincipal.Objectid | select -ExpandProperty PrincipalId

We only want to add Office 365 users that have a license. If we don’t filter it, we will also get guest accounts for example.

# Get all licensedUsers
$licensedUsers = Get-AzureADUser -all $true | Where-Object {$_.AssignedLicenses} | Select displayname,objectid

The next step is to compare both lists that we have to get all the new users that we need to add:

# Compare lists
$newUsers = $licensedUsers | Where-Object { $_.ObjectId -notin $existingUsers }

So we now have a list of new users that are not assigned to the application. We can simply process this list and assign them a new role to the Azure AD Enterprise application:

ForEach ($user in $newUsers) {
  Try {
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $servicePrincipal.Approles[0].id -ErrorAction Stop

    [PSCustomObject]@{
        UserPrincipalName = $user.displayname
        AppliciationAssigned = $true
    }
  }
  catch {
    [PSCustomObject]@{
        UserPrincipalName = $user.displayname
        AppliciationAssigned = $false
    }
  }
}

I always try to use a try-catch block and output the results to a custom object. This way we can easily see what the script has done.

Wrapping Up

I have used this script in an Azure Runbook. You can find the complete script here at my Github that you can use in a runbook. Authentication is based on the Run As account of the Azure Automation account. You can find more info about that here.

If you have any questions, just drop a comment below.

Get more stuff like this

IT, Office365, Smart Home, PowerShell and Blogging Tips

I hate spam to, so you can unsubscribe at any time.

15 thoughts on “Assign Users to Azure AD Application with PowerShell”

    • Only the authentication part. So remove


      # Get the service principal connection details
      $spConnection = Get-AutomationConnection -Name AzureRunAsConnection

      # Connect AzureAD
      # Check if Azure is installed and connect
      if ((Get-Module -ListAvailable -Name AzureAd) -ne $null)
      {
      Connect-AzureAD -TenantId $spConnection.TenantId -ApplicationId $spConnection.ApplicationID -CertificateThumbprint $spConnection.CertificateThumbprint | Out-null
      }else{
      Write-Error "Please install AzureAd."
      }

      And just log in manually to azure ad

      • Thank you for your insight into this! This simple script will save our client thousands in Azure licensing costs.

        I used a runbook just like you recommended and it works great.

        What part would I have to change to assign new users to a Microsoft Team automatically in the same way?

        Thanks!

    • If Get-AzureADServiceAppRoleAssignment also returns the group PrincipalId’s then you should be able to compare that against a CSV list with Import-CSV. Maybe combine it with Get-AzureADGroup to get the group object id.

  1. Hi Rudy,

    Thanks for this guide. This is really helpful. But I’m just wondering how can we assign from .csv file?

    • Replace the $licensedUsers with :


      # Or use CSV File
      $csvUsers = Import-Csv -Path C:\temp\azuread.csv

      $users = @()
      $csvUsers | ForEach {
      $name = $_.name
      $users += Get-AzureADUser -Filter "DisplayName eq '$name'" | select ObjectId
      }

      And then compare:

      # Compare lists
      $newUsers = $users | Where-Object { $_.ObjectId -notin $existingUsers }

  2. Here is another scenario I am wondering about. What are the possibilities currently for automating the provisioning of an Azure AD account FROM a Jira ticket? (eg., HR creates a request for new employee onboarding and a new user must be created in Azure AD).

  3. Hi,

    can you help me to assign only Users with E3 Licenses to one of the Azure Enterprise Applications?
    With this command I can get my Users with E3 Licencse:
    Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match “ENTERPRISEPACK”}

    Thanks
    Max

    • You can simply replace this line with:
      $licensedUsers = Get-AzureADUser -all $true | Where-Object {$_.AssignedLicenses} | Select displayname,objectid
      # Replace with
      Get-MsolUser | Where-Object {($_.licenses).AccountSkuId -match “ENTERPRISEPACK”} | Select displayname,objectid

  4. Hi,

    exactly what I looked for. So with a Azure AD Plan 1 only there is no other way than Powershell to automate user assignment e.g. via Azure AD configuration?

    Thanks Mario

Leave a Comment

0 Shares
Tweet
Pin
Share
Share