Script – Bulk Assign Users to Azure AD SaaS Applications

Today we present a convenient PowerShell module which allows management of User Assignments to Azure AD SaaS and Web Applications. This can be quite a task for administrators so this may be a great alternative to manual assignment. Assignments can be made to users and groups, however for long term management I would recommend using Azure AD Premium to carry out operations such as this.


    If we are to assign users to a Saas App: Prepare a CSV with user UPNs populated in a single column headed: UserPrincipalName.
    If we are to assign groups to a Saas App: Prepare a CSV with group ObjectID’s populated in a single column headed: ObjectID.
    Assign a single User/Group access to the SaaS app via the Azure Portal.

How To:

This module leverages the existing Azure AD V2 cmdlets which make use of the Graph API.

To install the module - In PowerShell run:

Install-Module -Name AzureAD


Download the PowerShell Module which will be used to automate the permissions assignment.

Bulk Assignment PowerShell Module

Import the bulkSaaSAppAssignment PowerShell Module:

Import-Module c:\path\bulkSaaSAppAssignment.psm1


Obtain the details of the SaaS Application we would like to assign users permissions to

In PowerShell run:


Login with the credentials of the Global Administrator of the target Azure Active Directory.

Search for the ServicePrincipal which holds permission information for your SaaS Application:

Get-AzureADServicePrincipal -SearchString "salesforce" | fl displayname, objectid

The output will look similar to this:

    DisplayName : Salesforce
    ObjectId    : a119cf6c-1ea1-4447-a160-b195ba36efb7


Obtain information about the RoleID for the assignment operation

We will obtain the roleID which represents the type of role used for the App Assignment. You will need to supply the UPN of a user which already has been assigned access via the Azure Portal and the ObjectID of the ServicePrincipal for the SaaS App obtained earlier:

Get-RoleID -UserPrincipalName -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7
    The RoleID is: 073e08e5-5451-4628-82e6-15a9aa569e7c


In some cases the RoleID is not required to assign users access to the App – here the output will be as follows:

    The RoleID is: 00000000-0000-0000-0000-000000000000
    RoleID does not need to be specified for this user-application assignment.


The command Get-GroupRoleID can be used for Group management. It requires the Group ObjectID and the ServicePrincipal ObjectID.

Get-GroupRoleID -Group "group objectID" -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7


Assigning Access

In all the following User/Group Assignment commands, provide the file path to the CSV and the ObjectID of the ServicePrincipal of the SaaS app obtained earlier.
In a case where a RoleID was returned from Get-UserRoleID/Get-GroupRoleID, then also provide the RoleID GUID when assigning access to a SaaS App for the following commands with the -RoleID flag.

The CSV requires a single heading: "UserPrincipalName", and all UPNs listed below it.

Bulk assign access to Users:

New-AzureADBulkUserAppAssignment -File "Path to CSV" -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7 -RoleID 073e08e5-5451-4628-82e6-15a9aa569e7c


Bulk assign access to Groups

New-AzureADBulkGroupAppAssignment -File "Path to CSV" -ObjectID b9c12220-93af-433b-89dc-f441e79f2470


Bulk remove access to Users

Remove-AzureADBulkUserAppAssignment -File "Path to CSV" -ObjectID a119cf6c-1ea1-4447-a160-b195ba36efb7


Bulk remove access to Groups

Remove-AzureADBulkGroupAppAssignment -File "Path to CSV" -ObjectID b9c12220-93af-433b-89dc-f441e79f2470


This work has been built from the experience of my colleague James Evans and Dushyant Gill from the engineering team who initially blogged in regards to Azure AD Graph API and SaaS App user assignment scripts.

Hopefully this will quickly facilitate the requirement of assigning users/groups to an Azure AD SaaS Application. However, for long term management and automation we should be using dynamic assignment based on group membership which requires Azure AD Premium.

Comments (1)
  1. Andy Yuen says:

    Hi Jas,
    Is this module bulkSaaSAppAssignment.psm1 still available for download? I could not find it even for release

Comments are closed.

Skip to main content