Today we present a convenient PowerShell module for managing user assignments to Azure AD SaaS and web applications. Manual assignment can be quite a task for administrators, so this may be a great alternative. Assignments can be made to users and groups; however, for long-term management I would recommend using Azure AD Premium to carry out operations such as this.
- If we are to assign users to a SaaS App: Prepare a CSV with user UPNs populated in a single column headed: UserPrincipalName.
- If we are to assign groups to a SaaS App: Prepare a CSV with group ObjectIDs populated in a single column headed: ObjectID.
- Assign a single User/Group access to the SaaS app via the Azure Portal.
This module leverages the existing Azure AD V2 cmdlets which make use of the Graph API.
To install the module - In PowerShell run:
Install-Module -Name AzureAD
Download the PowerShell Module which will be used to automate the permissions assignment.
Import the bulkSaaSAppAssignment PowerShell Module:
Obtain the details of the SaaS Application we would like to assign users permissions to
In PowerShell run:
Log in with the credentials of the Global Administrator of the target Azure Active Directory.
Search for the ServicePrincipal which holds permission information for your SaaS Application:
Get-AzureADServicePrincipal -SearchString "salesforce" | fl displayname, objectid
The output will look similar to this:
DisplayName : Salesforce
ObjectId : a119cf6c-1ea1-4447-a160-b195ba36efb7
Obtain information about the RoleID for the assignment operation
We will obtain the RoleID, which represents the type of role used for the App Assignment. You will need to supply the UPN of a user who has already been assigned access via the Azure Portal, and the ObjectID of the ServicePrincipal for the SaaS App obtained earlier:
Get-RoleID -UserPrincipalName email@example.com -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7
The RoleID is: 073e08e5-5451-4628-82e6-15a9aa569e7c
In some cases the RoleID is not required to assign users access to the App – here the output will be as follows:
The RoleID is: 00000000-0000-0000-0000-000000000000
RoleID does not need to be specified for this user-application assignment.
Get-GroupRoleID can be used for Group management. It requires the Group ObjectID and the ServicePrincipal ObjectID.
Get-GroupRoleID -Group "group objectID" -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7
In all the following User/Group Assignment commands, provide the file path to the CSV and the ObjectID of the ServicePrincipal of the SaaS app obtained earlier.
In a case where a RoleID was returned from Get-UserRoleID/Get-GroupRoleID, then also provide the RoleID GUID when assigning access to a SaaS App for the following commands with the
The CSV requires a single heading: "UserPrincipalName", and all UPNs listed below it.
Bulk assign access to Users:
New-AzureADBulkUserAppAssignment -File "Path to CSV" -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7 -RoleID 073e08e5-5451-4628-82e6-15a9aa569e7c
Bulk assign access to Groups:
New-AzureADBulkGroupAppAssignment -File "Path to CSV" -ObjectID b9c12220-93af-433b-89dc-f441e79f2470
Bulk remove access to Users:
Remove-AzureADBulkUserAppAssignment -File "Path to CSV" -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7
Bulk remove access to Groups:
Remove-AzureADBulkGroupAppAssignment -File "Path to CSV" -ObjectID b9c12220-93af-433b-89dc-f441e79f2470
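A pre-flight check for the UPN CSV, added here as an example and not part of the bulkSaaSAppAssignment module: it classifies every row before New-AzureADBulkUserAppAssignment is run, so malformed, duplicate, unknown or already-assigned entries are caught before access is granted. The function name, sample UPNs and GUIDs are constructed for illustration; Get-AzureADUser and Get-AzureADServiceAppRoleAssignment are cmdlets from the AzureAD module.

```powershell
# Added example. Compare-AppAssignmentCsv is a hypothetical helper, not part of the module.
function Compare-AppAssignmentCsv {
    param(
        [Parameter(Mandatory)] [string]   $File,
        [Parameter(Mandatory)] [object[]] $DirectoryUsers,   # need UserPrincipalName, ObjectId
        [object[]] $CurrentAssignments = @()                 # need PrincipalId
    )
    $rows = @(Import-Csv -Path $File)
    if ($rows.Count -eq 0 -or $rows[0].PSObject.Properties.Name -notcontains 'UserPrincipalName') {
        throw 'CSV needs a column headed UserPrincipalName and at least one row.'
    }
    # Hashtables created with @{} compare string keys case-insensitively, like UPNs.
    $byUpn = @{}; $assigned = @{}; $seen = @{}
    foreach ($u in $DirectoryUsers) {
        if ($u.UserPrincipalName) { $byUpn[$u.UserPrincipalName] = [string]$u.ObjectId }
    }
    foreach ($a in $CurrentAssignments) { $assigned[[string]$a.PrincipalId] = $true }
    foreach ($row in $rows) {
        $upn = "$($row.UserPrincipalName)".Trim()
        $status = if ($upn -notmatch '^[^@\s]+@[^@\s]+$') { 'Malformed' }
            elseif ($seen.ContainsKey($upn))              { 'Duplicate' }
            elseif (-not $byUpn.ContainsKey($upn))        { 'NotInDirectory' }
            elseif ($assigned.ContainsKey($byUpn[$upn]))  { 'AlreadyAssigned' }
            else                                          { 'ToAssign' }
        $seen[$upn] = $true
        [pscustomobject]@{ UserPrincipalName = $upn; Status = $status }
    }
}

# Constructed sample data so the check runs without a tenant.
$csv = Join-Path ([IO.Path]::GetTempPath()) 'saas-upns-sample.csv'
@('UserPrincipalName', 'alice@contoso.example', 'bob@contoso.example',
  'ALICE@contoso.example', 'carol@contoso.example', 'not-a-upn') | Set-Content -Path $csv
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; ObjectId = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   ObjectId = '22222222-2222-2222-2222-222222222222' }
)
$current = @([pscustomobject]@{ PrincipalId = '22222222-2222-2222-2222-222222222222' })
Compare-AppAssignmentCsv -File $csv -DirectoryUsers $users -CurrentAssignments $current |
    Format-Table -AutoSize

# Against a live tenant, after signing in, pass real data instead:
#   -DirectoryUsers     (Get-AzureADUser -All $true)
#   -CurrentAssignments (Get-AzureADServiceAppRoleAssignment -ObjectId <ServicePrincipal ObjectID> -All $true)
```

Only rows with the status ToAssign should remain in the CSV handed to the bulk assignment command; the other rows are worth reviewing by hand first.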
This work builds on the experience of my colleague James Evans and Dushyant Gill from the engineering team, who initially blogged about the Azure AD Graph API and SaaS App user assignment scripts.
Hopefully this makes it quicker to assign users/groups to an Azure AD SaaS Application. However, for long-term management and automation we should be using dynamic assignment based on group membership, which requires Azure AD Premium.