locked
Azure AD Manage Users with PowerShell RRS feed

  • Question

  • Hey,


    I'm syncing users to Azure AD from local Active Directory using Azure AD connect. Sync works fine. I configured it to provide authentication for Google Apps. We have fully automated the user creations in local AD. So i want add followings to our  automation scripts:

    1. Change "ALLOW THE USER TO SIGN IN AND ACCESS SERVICES? " to Block (I don't want users to login to Azure Portal and create VMs or access other services)

    2. Assign user to Google Apps application

    Can I automate these 2 tasks using PowerShell ?

    Appreciate any help.. Thanks! 

    JTech

    Friday, August 5, 2016 11:17 AM

Answers

  • How will users be able to sign in to Google Apps if you've disabled their accounts?

    For the user assignment portion, have you considered using a dedicated group with all users or dynamic group with certain users, and assigning that group to the application? (This would save the effort of having to automate assigning individual users.)

    In any case, if you want to use PowerShell to assign individual users, you can do this with the new preview AzureAD PowerShell cmdlets (example below), or you can do it by manually crafting the REST requests against the Azure AD Graph API.

    First, you need the preview Azure AD PowerShell module: https://www.powershellgallery.com/packages/AzureADPreview (NOTE: This is a *preview*, so it's entirely possible that a future version will have breaking changes.)

    What you will be creating is an AppRoleAssignment. An AppRoleAssignment is a three-way link between a principal (e.g. a user), a resource (e.g. an application), and an app role (or none, if there are no app roles defined).

    # The UserPrincipalName or ObjectId of the user
    $userId = "user@contoso.com"
    
    # The AppId (a.k.a. "client ID") of the app to assign the user to
    $appId = "954ec4e6-0569-426c-9786-21ad34375894"
    
    # Connect to Azure AD
    Connect-AzureAD -Confirm
    
    # Get the user to be added
    $user = Get-AzureADUser -ObjectId $userId
    
    # Get the service principal for the app you would like to assign the user to
    $servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
    
    # Create the app role assignment
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
                                     -PrincipalId $user.ObjectId `
                                     -ResourceId $servicePrincipal.ObjectId `
                                     -Id ([Guid]::Empty)
    

    In this example, we're assigning the user to the app without specifying an AppRole (some apps don't have app roles defined). To retrieve the possible AppRole values to be used with the -Id parameter, one would look at the AppRoles property of the ServicePrincipal object.

    Tuesday, August 9, 2016 1:18 PM

All replies

  • Hello,

    We are checking on the query and would get back to you soon on this.

    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,

    Vijisankar

    Saturday, August 6, 2016 9:13 AM
  • How will users be able to sign in to Google Apps if you've disabled their accounts?

    For the user assignment portion, have you considered using a dedicated group with all users or dynamic group with certain users, and assigning that group to the application? (This would save the effort of having to automate assigning individual users.)

    In any case, if you want to use PowerShell to assign individual users, you can do this with the new preview AzureAD PowerShell cmdlets (example below), or you can do it by manually crafting the REST requests against the Azure AD Graph API.

    First, you need the preview Azure AD PowerShell module: https://www.powershellgallery.com/packages/AzureADPreview (NOTE: This is a *preview*, so it's entirely possible that a future version will have breaking changes.)

    What you will be creating is an AppRoleAssignment. An AppRoleAssignment is a three-way link between a principal (e.g. a user), a resource (e.g. an application), and an app role (or none, if there are no app roles defined).

    # The UserPrincipalName or ObjectId of the user
    $userId = "user@contoso.com"
    
    # The AppId (a.k.a. "client ID") of the app to assign the user to
    $appId = "954ec4e6-0569-426c-9786-21ad34375894"
    
    # Connect to Azure AD
    Connect-AzureAD -Confirm
    
    # Get the user to be added
    $user = Get-AzureADUser -ObjectId $userId
    
    # Get the service principal for the app you would like to assign the user to
    $servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
    
    # Create the app role assignment
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
                                     -PrincipalId $user.ObjectId `
                                     -ResourceId $servicePrincipal.ObjectId `
                                     -Id ([Guid]::Empty)
    

    In this example, we're assigning the user to the app without specifying an AppRole (some apps don't have app roles defined). To retrieve the possible AppRole values to be used with the -Id parameter, one would look at the AppRoles property of the ServicePrincipal object.

    Tuesday, August 9, 2016 1:18 PM
  • How do you obtain the AppID or client ID of the app?
    Thursday, October 13, 2016 3:35 AM
  • How do I use New-AzureADUserAppRoleAssignment on-premises? Command isn't available not even after updating AzureAD Connect. 
    Thursday, February 23, 2017 1:55 PM