Script - Bulk Assign Users to Azure AD SaaS Applications


Today we present a convenient PowerShell module for managing user and group assignments to Azure AD SaaS and web applications. Assigning users one at a time in the portal can be a considerable task for administrators, so this module offers an alternative to manual assignment. Assignments can be made to users and to groups; for long-term management, however, I would recommend Azure AD Premium, which supports dynamic group-based assignment for operations such as this.

Pre-Requisites

    If we are to assign users to a SaaS app: prepare a CSV with user UPNs in a single column headed UserPrincipalName.
    If we are to assign groups to a SaaS app: prepare a CSV with group ObjectIDs in a single column headed ObjectID.
    Assign a single user or group access to the SaaS app via the Azure Portal. This reference assignment is used later to discover the RoleID.

How To:

This module leverages the existing Azure AD Preview V2 cmdlets which make use of the Graph API.

Before we begin we must install the Azure AD Preview V2 module found at the link here:

To install the module, run the following in PowerShell:

Install-Module -Name AzureADPreview

Then download the PowerShell module which will be used to automate the permissions assignment:

Bulk Assignment PowerShell Module

Import the bulkSaaSAppAssignment PowerShell Module:

Import-Module c:\path\bulkSaaSAppAssignment.psm1

Obtain the details of the SaaS application to which we would like to assign user permissions

In PowerShell run:

Connect-AzureAD

Login with the credentials of the Global Administrator of the target Azure Active Directory.

Search for the ServicePrincipal which holds permission information for your SaaS Application:

Get-AzureADServicePrincipal -SearchString "salesforce" | fl displayname, objectid

The output will look similar to this:

    DisplayName : Salesforce
    ObjectId    : a119cf6c-1ea1-4447-a160-b195ba36efb7

Obtain information about the RoleID for the assignment operation

We will obtain the RoleID, which represents the type of role used for the app assignment. You will need to supply the UPN of a user who has already been assigned access via the Azure Portal, and the ObjectID of the ServicePrincipal for the SaaS app obtained earlier:

Get-UserRoleID -UserPrincipalName first.last@contoso.com -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7
    The RoleID is: 073e08e5-5451-4628-82e6-15a9aa569e7c

In some cases the RoleID is not required to assign users access to the app; in that case the output will be as follows:

    The RoleID is: 00000000-0000-0000-0000-000000000000
    RoleID does not need to be specified for this user-application assignment.

The command Get-GroupRoleID can be used for group management. It requires the group ObjectID and the ServicePrincipal ObjectID:

Get-GroupRoleID -Group "group objectID" -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7

Assigning Access

In all of the following user/group assignment commands, provide the file path to the CSV and the ObjectID of the ServicePrincipal of the SaaS app obtained earlier.
If Get-UserRoleID or Get-GroupRoleID returned a RoleID (rather than the all-zero GUID), also pass that GUID to the following commands with the -RoleID flag.

Bulk assign access to users:

New-AzureADBulkUserAppAssignment -File "Path to CSV" -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7 -RoleID 073e08e5-5451-4628-82e6-15a9aa569e7c

Bulk assign access to groups:

New-AzureADBulkGroupAppAssignment -File "Path to CSV" -ObjectID b9c12220-93af-433b-89dc-f441e79f2470

Bulk remove access from users:

Remove-AzureADBulkUserAppAssignment -File "Path to CSV" -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7

Bulk remove access from groups:

Remove-AzureADBulkGroupAppAssignment -File "Path to CSV" -ObjectID b9c12220-93af-433b-89dc-f441e79f2470
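For readers who want to see what the module does underneath, here is an added example (written for this page, not the bulkSaaSAppAssignment module's own code) that performs the RoleID discovery and the bulk user assignment steps directly with the AzureADPreview cmdlets. It reads the RoleID from the reference user's existing assignment, checks that the role is enabled on the service principal and allows the member type being assigned, and then assigns or removes the role for every UPN in the CSV, skipping users already in the desired state and returning a summary. It assumes Connect-AzureAD has already been run in the session; the function names, the CSV path and the UPN are hypothetical, and the ObjectID and RoleID values are the ones shown earlier on this page.

```powershell
# Added example, not part of the bulkSaaSAppAssignment module. Requires the
# AzureADPreview (or AzureAD) module and an existing Connect-AzureAD session.
# Function names are hypothetical; the cmdlets they call are the module's own.

$EmptyRoleId = '00000000-0000-0000-0000-000000000000'   # "default access" role, as shown on the page

function Get-ReferenceRoleId {
    # Same idea as Get-UserRoleID on this page: read the AppRoleAssignment that the
    # reference user already holds for the service principal and return its role Id.
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # user already assigned in the portal
        [Parameter(Mandatory)] [string] $ResourceId          # ObjectId of the service principal
    )
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $assignment = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
        Where-Object { $_.ResourceId -eq $ResourceId } | Select-Object -First 1
    if (-not $assignment) {
        throw "$UserPrincipalName has no assignment to service principal $ResourceId; create one in the portal first."
    }
    return $assignment.Id   # the app role Id (all zeros when the app defines no roles)
}

function Test-AppRoleAllowsMember {
    # Sanity check before bulk work: the role must exist on the service principal,
    # be enabled, and permit the member type we are about to assign ('User' or 'Group').
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [Parameter(Mandatory)] [string] $RoleId,
        [ValidateSet('User', 'Group')] [string] $MemberType = 'User'
    )
    if ($RoleId -eq $EmptyRoleId) { return $true }
    $role = $ServicePrincipal.AppRoles | Where-Object { $_.Id -eq $RoleId }
    return ($null -ne $role) -and $role.IsEnabled -and ($role.AllowedMemberTypes -contains $MemberType)
}

function Invoke-BulkUserAppAssignment {
    # Assigns (or with -Remove, removes) the role for every UserPrincipalName in the CSV.
    # Idempotent: users already in the desired state are skipped, so the script can be
    # re-run safely. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [Parameter(Mandatory)] [string] $ResourceId,
        [string] $RoleId = $EmptyRoleId,
        [switch] $Remove
    )
    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -gt 0 -and -not ($rows[0].PSObject.Properties.Name -contains 'UserPrincipalName')) {
        throw "CSV must have a single column headed UserPrincipalName"
    }
    $summary = [ordered]@{ Assigned = 0; Removed = 0; Skipped = 0; Failed = 0 }
    foreach ($row in $rows) {
        $upn = ([string]$row.UserPrincipalName).Trim()
        if (-not $upn) { continue }
        try {
            $user = Get-AzureADUser -ObjectId $upn
            $existing = @(Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
                Where-Object { $_.ResourceId -eq $ResourceId })
            if ($Remove) {
                if ($existing.Count -eq 0) { $summary.Skipped++; continue }
                foreach ($a in $existing) {
                    if ($PSCmdlet.ShouldProcess($upn, "Remove assignment $($a.ObjectId)")) {
                        Remove-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -AppRoleAssignmentId $a.ObjectId
                    }
                }
                $summary.Removed++
            }
            else {
                if ($existing | Where-Object { $_.Id -eq $RoleId }) { $summary.Skipped++; continue }
                if ($PSCmdlet.ShouldProcess($upn, "Assign role $RoleId")) {
                    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
                        -ResourceId $ResourceId -Id $RoleId | Out-Null
                }
                $summary.Assigned++
            }
        }
        catch {
            # One bad row (unknown UPN, directory error) must not abort the whole batch.
            $summary.Failed++
            Write-Warning "$upn : $($_.Exception.Message)"
        }
    }
    return [pscustomobject]$summary
}

# Usage (ObjectID from this page; the CSV path and UPN are hypothetical). Run once
# with -WhatIf to review the planned changes, then without it to apply them.
# $sp     = Get-AzureADServicePrincipal -ObjectId 'a119cf6c-1ea1-4447-a160-b195ba36efb7'
# $roleId = Get-ReferenceRoleId -UserPrincipalName 'first.last@contoso.com' -ResourceId $sp.ObjectId
# if (-not (Test-AppRoleAllowsMember -ServicePrincipal $sp -RoleId $roleId -MemberType 'User')) {
#     throw "Role $roleId is not an enabled user role on $($sp.DisplayName)"
# }
# Invoke-BulkUserAppAssignment -CsvPath 'C:\path\users.csv' -ResourceId $sp.ObjectId -RoleId $roleId -WhatIf
```

Two details are worth keeping in any bulk assignment script. The role check matters because an app role whose AllowedMemberTypes contains only User cannot be granted to a group, so the same RoleID cannot always be reused for the group variant of the operation. The skip logic and per-row try/catch make the run idempotent and resumable: re-running after a partial failure only touches the users who are still missing the assignment, and the Failed count in the summary tells you which rows to review.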

 

This work builds on the experience of my colleague James Evans and of Dushyant Gill from the engineering team, who originally blogged about the Azure AD Graph API and SaaS app user assignment scripts.

Hopefully this will make it quick to assign users and groups to an Azure AD SaaS application. For long-term management and automation, however, we should be using dynamic assignment based on group membership, which requires Azure AD Premium.
