Implement Azure Role Assignment by AAD Application with Powershell Script

The requirement came in as the following ask: "Having an application (the first application) created in AAD, we want to use that first application to assign roles to a second application created in AAD."

To achieve that goal, the Azure Active Directory admin needs to grant the permission shown below to the first application's service principal.
[Image: AAD-Perm]

The script below can then be used to assign roles to the second application on the corresponding resource:

# Enter the FIRST application's Application (client) ID as the user name and its client secret as the password
$creds = Get-Credential

# Application (client) ID of the SECOND application (the one that receives the role) and your directory (tenant) ID
$appId = "<YOUR_SECOND_APPLICATION_ID>"
$tenantId = "<YOUR_DIRECTORY_ID>"

# Sign in as the first application's service principal
Connect-AzAccount -Credential $creds -ServicePrincipal -Tenant $tenantId

# Map the second application's Application ID to its service principal's object ID
$spId = (Get-AzADApplication -ApplicationId $appId | Get-AzADServicePrincipal).Id

# Assign the Reader role to the second application at the given scope (e.g. a resource ID)
New-AzRoleAssignment -ObjectId $spId -RoleDefinitionName Reader -Scope "<YOUR_RESOURCE>"

Some comments on the script above:

  1. New-AzRoleAssignment requires an ObjectId parameter; however, in AAD an Application ID is not an object ID. To get the object ID, run $spId = (Get-AzADApplication -ApplicationId $appId | Get-AzADServicePrincipal).Id, which converts the application ID into the service principal's object ID.
  2. That same command queries AAD to map the application ID to the object ID, which requires the AAD "Read Directory Data" permission, so the AAD admin needs to grant that permission to the first application.
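As an added example (not part of the original post), the same flow wrapped in a function that resolves the service principal, creates the assignment only if it is not already present at that exact scope, and returns the assignment so it can be verified. The function name and its parameters are assumptions; the cmdlets are the same Az cmdlets used above.

```powershell
# Added example, not the original post's script. Function and parameter names are assumptions.
function Set-AppRoleAssignmentIfMissing {
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,   # second application's Application (client) ID
        [Parameter(Mandatory)] [string] $Scope,           # e.g. a resource group or resource ID
        [string] $RoleDefinitionName = 'Reader'           # least privilege: default to Reader
    )

    # Application ID -> service principal object ID (needs the directory read permission described above)
    $sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId
    if (-not $sp) {
        throw "No service principal found for application $ApplicationId in this tenant"
    }

    # Idempotency check: New-AzRoleAssignment errors if the assignment already exists.
    # Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes,
    # so filter to assignments made at exactly this scope.
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope -RoleDefinitionName $RoleDefinitionName |
        Where-Object { $_.Scope -eq $Scope }
    if ($existing) {
        Write-Verbose "Assignment already present at $Scope; nothing to do"
        return $existing
    }

    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleDefinitionName -Scope $Scope | Out-Null

    # Read the assignment back so the caller can confirm role and scope are exactly what was requested
    return Get-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope -RoleDefinitionName $RoleDefinitionName |
        Where-Object { $_.Scope -eq $Scope }
}

# Usage, after Connect-AzAccount as the first application's service principal:
# Set-AppRoleAssignmentIfMissing -ApplicationId "<YOUR_SECOND_APPLICATION_ID>" -Scope "<YOUR_RESOURCE>" -Verbose
```

Because the returned object carries the RoleDefinitionName and Scope that were actually applied, it is a quick way to confirm the second application received only the role intended and at no broader scope.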
