
I'd like to know how to have a ServicePrincipal in Azure AD that is able to alter app registrations it doesn't own, such as removing an app or rotating its keys. I was told that if the SP has the "Application administrator" role, it should have enough permissions to do so.

So how would I achieve this in PowerShell?

Kiryl

1 Answer


I think you are looking for the Add-AzureADDirectoryRoleMember PowerShell cmdlet.

Here is an example:

# Fetch the role instance
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Application Administrator' }

# If the role instance does not exist yet, instantiate it from its role template
if ($null -eq $role) {
    # Activate the built-in role from its template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq 'Application Administrator' }
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

    # Fetch the now-activated role
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Application Administrator' }
}

# Add the SP to the role
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId <ObjectID of your SP>
Tomas Aschan
Martin Brandl
  • The "Get-AzureADDirectoryRole" command returned only 4 roles: "Directory Readers", "Device Managers", "Directory Writers", "Company Administrator". No "Application Administrator". – Kiryl Aug 02 '18 at 12:02
  • Then you have to enable the Azure AD directory role first. I edited my answer and fixed the link to the documentation (where you will find additional information). – Martin Brandl Aug 02 '18 at 12:08
  • Nice! It worked out! One thing though: please fix your answer by adding the missing single quote around Application Administrator. Thank you! – Kiryl Aug 02 '18 at 12:22
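Putting the steps from the answer and comments together, here is an added example (not code from the answer or from the AzureAD module's documentation) that resolves the service principal by display name instead of a pasted ObjectId, activates the role template if the tenant has never used it, adds the SP only if it is not already a member, and verifies the result. It assumes the AzureAD module and an existing Connect-AzureAD session; the SP display name is a placeholder. Because this role can rotate keys on any app registration in the tenant, the function returns the role's full membership so the grant can be reviewed.

```powershell
# Added example, not from the answer above. Assumes the AzureAD module is
# installed and Connect-AzureAD has already been run with sufficient rights.
function Grant-AppAdminRoleToServicePrincipal {
    param(
        [Parameter(Mandatory)] [string] $ServicePrincipalDisplayName,
        [string] $RoleName = 'Application Administrator'
    )

    # Resolve the SP; fail on zero or ambiguous matches rather than guessing.
    $escaped = $ServicePrincipalDisplayName.Replace("'", "''")
    $sp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$escaped'")
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal named '$ServicePrincipalDisplayName', found $($sp.Count)."
    }
    $sp = $sp[0]

    # A built-in role only shows up in Get-AzureADDirectoryRole after it has
    # been activated from its template once (the situation in the comments).
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
    if ($null -eq $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
        if ($null -eq $template) { throw "No role template named '$RoleName'." }
        Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
        $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
    }

    # Idempotent: skip the add when the SP already holds the role.
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -contains $sp.ObjectId) {
        Write-Verbose "$($sp.DisplayName) is already a member of '$RoleName'."
    } else {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
        # Re-read membership and verify the assignment actually took effect.
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        if ($members.ObjectId -notcontains $sp.ObjectId) {
            throw "Role assignment did not take effect for $($sp.DisplayName)."
        }
    }

    # Return every member (users, groups and SPs) so the grant can be reviewed.
    $members | Select-Object ObjectType, DisplayName, ObjectId
}

# Placeholder display name; replace with the SP you want to delegate to.
Grant-AppAdminRoleToServicePrincipal -ServicePrincipalDisplayName '<your SP display name>' -Verbose
```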