Assign Users to Azure AD Application with PowerShell

Azure AD Enterprise Applications are a great way to connect third-party applications to your Azure Active Directory. Depending on your Azure AD plan you can assign either single users to an application or complete groups.

With Azure AD Plan 1 you can only assign users, not groups. So keeping your list with users up-to-date is a hideous task. Every time you add a new user to your Office 365 tenant you will need to add the user to the Azure AD application as well.

Azure AD Application Users

For example, if you want to integrate Jira Cloud with Azure AD. If you have Jira Cloud Access (Atlassian Cloud Access), you can connect it with your Azure Active Directory so that new users are automatically added to Jira.

Add users to Azure AD Application with PowerShell

To automatically assign new users to enterprise applications, we need to know the existing users and all the licensed users in our tenant.

Getting licensed users is easier with Msol services, but I want to run this scrip in an Azure Runbook. Authenticating Azure AD is a lot easier (and more convinient) then Msol services.

If you want to know more about getting started with Azure Runbooks or Authentication in Runbooks, then make sure you read this article.

We are going to need the object id of the Azure AD Enterprise Application, the service principal to be exact. To get this, we can simply filter the AzureADServicePrincipal on the name of the application.

# Connect to Azure AD

# Get the service principal for the app you want to assign the user to
$servicePrincipal = Get-AzureADServicePrincipal -Filter "Displayname eq 'APPLICATION-NAME'"

With the servicePrincial we can get all the user that have been assigned a role to the application:

# Get all users that are already assigned to the application
$existingUsers = Get-AzureADServiceAppRoleAssignment -all $true -ObjectId $servicePrincipal.Objectid | select -ExpandProperty PrincipalId

We only want to add Office 365 users that have a license. If we don’t filter it, we will also get guest accounts for example.

# Get all licensedUsers
$licensedUsers = Get-AzureADUser -all $true | Where-Object {$_.AssignedLicenses} | Select displayname,objectid

Next step is to compare the both lists that we have to get all the new users that we need to add:

# Compare lists
$newUsers = $licensedUsers | Where-Object { $_.ObjectId -notin $existingUsers }

So we now have a list of new users that are not assigned to the application. We can simply process this list and assign them a new role to the Azure AD Enterprise application:

ForEach ($user in $newUsers) {
  Try {
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $servicePrincipal.Approles[0].id -ErrorAction Stop

        UserPrincipalName = $user.displayname
        AppliciationAssigned = $true
  catch {
        UserPrincipalName = $user.displayname
        AppliciationAssigned = $false

I always try to use a try-catch block and output the results to a custom object. This way we can easily see what the script has done.

Wrapping Up

I have used this script in an Azure Runbook. You can find the complete script here at my Github that you can use in a runbook. Authentication is based on the Run As account of the Azure Automation account. You can find more info about that here.

If you have any questions, just drop a comment below.

Get more stuff like this

IT, Office365, Smart Home, PowerShell and Blogging Tips

I hate spam to, so you can unsubscribe at any time.

Leave a Comment