Skip to main content
Version: v1.4.0

Azure Active Directory

Installation

To have access to the following features, you have to import the module:

PS> Install-Module -Name Arcus.Scripting.ActiveDirectory

Access Rights to Azure Active Directory

To interact with Azure Active Directory these scripts use the Microsoft.Graph.Applications module, import this module:

PS> Install-Module -Name Microsoft.Graph.Applications

After importing this module, make sure you are connected to Microsoft Graph with the following scopes:

PS> Connect-MgGraph -Scopes "Application.ReadWrite.All,AppRoleAssignment.ReadWrite.All"

Listing the Roles and Role Assignments for an Azure Active Directory Application

Lists the roles and role assignments for an Azure Active Directory Application.

ParameterMandatoryDescription
ClientIdyesThe client ID of the Azure Active Directory Application Registration for which the roles and assignments are retrieved.
RolesAssignedToClientIdnoThe client ID of the Azure Active Directory Application Registration to which roles have been assigned, used when you only want to retrieve the assignments for this specific application.

Example

Retrieving all information for a Client Id.

PS> List-AzADAppRoleAssignments `
-ClientId "b885c208-6067-44bd-aba9-4010c62b7d85"
#Found role 'FirstRole' on Active Directory Application 'main-application'
#Role 'FirstRole' is assigned to the Active Directory Application 'client-application-one' with ID '6ea09bbd-c21c-460c-b58a-f4a720f51826'
#Role 'FirstRole' is assigned to the Active Directory Application 'client-application-two' with ID 'ebafc99d-cbf4-4bd2-9295-f2b785cfc1a1'
#Found role 'SecondRole' on Active Directory Application 'arcus-scripting-test-main'
#Role 'SecondRole' is assigned to the Active Directory Application 'client-application-one' with ID '6ea09bbd-c21c-460c-b58a-f4a720f51826'

Retrieving all information for a Client Id and a specific role.

PS> List-AzADAppRoleAssignments `
-ClientId 'b885c208-6067-44bd-aba9-4010c62b7d85' `
-RolesAssignedToClientId '6ea09bbd-c21c-460c-b58a-f4a720f51826'
#Found role 'FirstRole' on Active Directory Application 'main-application'
#Role 'FirstRole' is assigned to the Active Directory Application 'client-application-one' with id '6ea09bbd-c21c-460c-b58a-f4a720f51826'
#Found role 'SecondRole' on Active Directory Application 'main-application'
#Role 'SecondRole' is assigned to the Active Directory Application 'client-application-one' with id '6ea09bbd-c21c-460c-b58a-f4a720f51826'

Add a Role and Assignment for an Azure Active Directory Application

Adds a role assignment for an Azure Active Directory Application. The role will be added to the Azure Active Directory Application Registration defined by the ClientId parameter, and a role assignment for this role will be added to the Azure Active Directory Application Registration defined by the AssignRoleToClientId parameter.

ParameterMandatoryDescription
ClientIdyesThe client ID of the Azure Active Directory Application Registration to which the role will be added if not present.
RoleyesThe name of the role.
AssignRoleToClientIdyesThe client ID of the Azure Active Directory Application Registration for which the role assignment will be created. The role assignment will be created based on the role added to the Azure Active Directory Application Registration defined by the ClientId.

Example

PS> Add-AzADAppRoleAssignment `
-ClientId "b885c208-6067-44bd-aba9-4010c62b7d85" `
-Role "DummyRole" `
-AssignRoleToClientId "6ea09bbd-c21c-460c-b58a-f4a720f51826"
#Active Directory Application 'main-application' does not contain the role 'DummyRole', adding the role
#Added Role 'DummyRole' to Active Directory Application 'main-application'
#Role Assignment for the role 'DummyRole' added to the Active Directory Application 'client-application-one'

Remove a Role and Assignment from an Azure Active Directory Application

Removes a role assignment for an Azure Active Directory Application.

ParameterMandatoryDescription
ClientIdyesThe client ID of the Azure Active Directory Application Registration containing the role for which the assignment must be removed.
RoleyesThe name of the role.
RemoveRoleFromClientIdyesThe client ID of the Azure Active Directory Application Registration for which the role assignment will be removed.
RemoveRoleIfNoAssignmentsAreLeftnoIndicate whether to remove the role from the Azure Active Directory Application Registration defined by the ClientId parameter when no more role assignments remain for the role.

Example

Removes a role assignment.

PS> Remove-AzADAppRoleAssignment `
-ClientId "b885c208-6067-44bd-aba9-4010c62b7d85" `
-Role "DummyRole" `
-RemoveRoleFromClientId "6ea09bbd-c21c-460c-b58a-f4a720f51826" `
#Role assignment for 'DummyRole' has been removed from Active Directory Application 'client-application-one'

Removes a role assignment and removes the fole if no assignments are left on the role.

PS> Remove-AzADAppRoleAssignment `
-ClientId "b885c208-6067-44bd-aba9-4010c62b7d85" `
-Role "DummyRole" `
-RemoveRoleFromClientId "6ea09bbd-c21c-460c-b58a-f4a720f51826" `
-RemoveRoleIfNoAssignmentsAreLeft
#Role assignment for 'DummyRole' has been removed from Active Directory Application 'client-application-one'
#Role 'DummyRole' on Active Directory Application 'main-application' has been disabled as no more role assignments were left and the option 'RemoveRoleIfNoAssignmentsAreLeft' is set
#Role 'DummyRole' removed from Active Directory Application 'main-application' as no more role assignments were left and the option 'RemoveRoleIfNoAssignmentsAreLeft' is set