PowerShell script to assign users in an on-premise AD group to an Azure Enterprise Application’s Users and Groups

Azure Active Directory administrators who have configured Enterprise Applications for Azure AD SSO would most likely have encountered the limitations of not being able to assign groups when granting access permissions due to not having Azure AD Premium P1 licenses. The cost of Azure AD Premium P1 licenses aren’t very expensive per user but the cost can quickly run up when there are thousands of users in an organization. One of the clients I worked with faced this issue when they decided to move their SaaS applications currently using their ADFS portal for SAML authentication to Azure AD. Their tenant was relatively new but they were keen to get a taste of what Azure AD could provide but quickly realized they would have to fork out additional money for Azure AD Premium P1 to assign groups to a newly created Enterprise Application. Their headcount was in the thousands and the only had Office 365 licenses rather than M365 licenses that included Azure AD Premium P1.

What I recommended as a stop gap (poor man’s solution) was to proceed and assign the users individually to the Enterprise Application as a stop gap until they can get approval to procure the licenses. I would be embarrassed to ask them to manually assign the permissions so I set out to find a script that can automate the process. A bit of lead me to Ruud’s script here: https://lazyadmin.nl/powershell/add-users-to-azure-ad-application-with-powershell/ which was very close to what I wanted, requiring a slight tweak as the client wanted to assign permissions to an on-premise AD group currently synchronized to Azure AD with AD Connect.

The following is what the modified script does:

  1. Connects to Azure AD
  2. Interactively prompts for the Enterprise Application name
  3. Interactively prompts for the on-premise AD group name
  4. Stores the Enterprise Application in a variable
  5. Obtains all the users currently assigned to the Enterprise Application
  6. Obtains all the users in the on-premise AD group
  7. Compares the list of users currently assigned to the Enterprise Application with the on-premise AD group and stores the difference in a variable
  8. If there are no users to be added, exit PowerShell script immediately
  9. Use a loop to assign the users to the Enterprise Application

I’ve included the following screenshots of the Enterprise Application:

image

Note the User and groups configuration to be populated:

image

Note that groups are not available for this tenant because Azure AD Premium P1 licenses are not available:

Groups are not available for assignment due to your Active Directory plan level. You can assign individual users to the application.

image

The script is pasted below and also available at my following GitHub repo: https://github.com/terenceluk/Azure/blob/main/PowerShell/EnterpriseApps-Permissions.ps1

If automation is required, this script can be used in a Runbook or Azure Function to automate the process.

image

<#

Refer to the following documents for the source of where this script is derived from and the PowerShell cmdlets used:

Assign Users to Azure AD Application with PowerShell

Assign Users to Azure AD Application with PowerShell

New-AzureADUserAppRoleAssignment

https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azureadps-2.0

Get-AzureADUser

https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaduser?view=azureadps-2.0

Get-AzureADGroupMember

https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureadgroupmember?view=azureadps-2.0

#>

# Import AzureAD module with -UseWindowsPowerShell switch for PowerShell 7

# Import-Module AzureAD -UseWindowsPowerShell

# Connect to Azure AD

Connect-AzureAD

#Hardcode Enterprise Application name and on-premise AD group name

# $enterpriseAppName = “MetaCompliance User Provisioning”

# $onPremiseADgroup = “All_Staff”

# Prompt input for Enterprise Application name and on-premise AD group name

$enterpriseAppName = Read-Host “Please type the Enterprise Application Name”

$onPremiseADgroup = Read-Host “Please type the On-Premise AD Group Name”

# Get the service principal for the Enterprise Application you want to assign the user to

$servicePrincipal = Get-AzureADServicePrincipal -Filter “Displayname eq ‘$enterpriseAppName'”

## Use this cmdlet to list the roles available for this Enterprise App: Get-AzureadApplication -SearchString $enterpriseAppName | select Approles | Fl

## Use this cmdlet to list the specific role $servicePrincipal.Approles[0].id

# Get all users that are already assigned to the application

$existingUsers = Get-AzureADServiceAppRoleAssignment -all $true -ObjectId $servicePrincipal.Objectid | Select-Object -ExpandProperty PrincipalId

# Get all users from on-prem AD group

$allUsers = Get-AzureADGroup -Filter “DisplayName eq ‘$onPremiseADgroup'” -All $true | Get-AzureADGroupMember -All $true | Select-Object displayname,objectid

# Compare list of users from the on-premise AD group and list of users already assigned default permissions to the Enterprise Application

$newUsers = $allUsers | Where-Object { $_.ObjectId -notin $existingUsers }

# Check to see if there are any new users to add and if there isn’t, terminate the script now rather than attempting the loop

if ($newUsers.count -eq 0) {

Exit

}

ForEach ($user in $newUsers) {

Try {

## Note that the Id parameter specifies app because this application has two defined roles

# If multiple roles does not exist then use: -Id ([Guid]::Empty) instead of -Id $servicePrincipal.Approles[0].id

# Use this cmdlet to display the available roles: Get-AzureadApplication -SearchString $enterpriseAppName | select Approles | Fl

New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $servicePrincipal.Approles[0].id -ErrorAction Stop

[PSCustomObject]@{

UserPrincipalName = $user.displayname

AppliciationAssigned = $true

}

}

catch {

[PSCustomObject]@{

UserPrincipalName = $user.displayname

AppliciationAssigned = $false

}

}

}

2 Responses

  1. Thank you a lot for providing this beautiful PS script.

    Unfortunately I'm only able to add 100 users from my on-premise AD group to my Enterprise Application.
    Do you know why?

    The Enterprise Application users are shown as Object Type "User" so the limit "A maximum of 100 users and service principals can be owners of a single application" shouldn't apply.