
I hope someone can help..

I have a registered application (TestApp3), with which I connect successfully using: Connect-AzureAD -TenantId $tenant -CertificateThumbprint $thumb -ApplicationId $applicationID

Now once connected, I need to assign users to a different application (TestApp2).

If I use the following command (when connected as Global Admin)

Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Application administrator"}).Objectid -RefObjectId $sp.ObjectId

This will grant the App Admin role to the application TestApp3.

So, the following will work when connected as TestApp3: New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectID -PrincipalId $user.ObjectID -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)

This will add a user to the list of assigned users for the servicePrincipal TestApp2. However, it's 'scoped' across the tenant. How do I configure it so TestApp3 can only assign users for the specific app TestApp2?

Thanks..

//A

Andrew Stevens

1 Answer


How do I configure it so TestApp3 can only assign users for the specific app TestApp2?

According to this Microsoft document, assign app owners:

Similar to an Application Administrator, an owner has the capability to manage many or all Azure AD configuration aspects, but only for the specific organization application (app registration or enterprise application) they are assigned to.

They can do user assignments, SSO configuration and provisioning. An owner can even add/remove other owners, and can manage only the applications that they own.

Add an owner using PowerShell cmdlets:

Connect-AzureAD
Add-AzureADApplicationOwner -ObjectId xxxxxx-xxxx-xxxx3-xxx -RefObjectId xxxx-xxxx-xxx-xxxx-xxxxxxxx
  • ObjectId > object id of the application
  • RefObjectId > object id of the principal being added as owner

References:

  1. assign-application-owners- Azure AD | Microsoft Docs
  2. Add Azure AD Application as owner of another AD Application – LockTar’s Blog
kavyaS
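The following is an added, end-to-end example of the least-privilege setup the answer describes; it is not code from the original post or from the Microsoft documentation. One caveat worth stating explicitly: Add-AzureADApplicationOwner makes the principal an owner of the app registration object, whereas user assignment (New-AzureADUserAppRoleAssignment) acts on the enterprise application, i.e. the service principal. For TestApp3 to assign users to TestApp2 it should be an owner of TestApp2's service principal (Add-AzureADServicePrincipalOwner); the app registration ownership is added alongside it because the referenced doc treats both. The display names TestApp2/TestApp3, the user UPN and the use of [Guid]::Empty as the default app role are assumptions for illustration.

```powershell
# Step 1: run as Global Admin. Make TestApp3's service principal an owner of
# TestApp2 (service principal and app registration), then remove the
# tenant-wide Application Administrator role that was granted earlier.
Connect-AzureAD

# Assumed display names; in practice resolve by AppId to avoid name collisions.
$targetSp   = Get-AzureADServicePrincipal -Filter "DisplayName eq 'TestApp2'"
$targetApp  = Get-AzureADApplication     -Filter "DisplayName eq 'TestApp2'"
$ownerSp    = Get-AzureADServicePrincipal -Filter "DisplayName eq 'TestApp3'"

if (-not $targetSp -or -not $targetApp -or -not $ownerSp) {
    throw "Could not resolve TestApp2 (app + service principal) and TestApp3 (service principal)."
}

# Owner of the enterprise application: this is what permits user assignments.
Add-AzureADServicePrincipalOwner -ObjectId $targetSp.ObjectId -RefObjectId $ownerSp.ObjectId
# Owner of the app registration as well, matching the referenced doc.
Add-AzureADApplicationOwner      -ObjectId $targetApp.ObjectId -RefObjectId $ownerSp.ObjectId

# Verify the ownership actually landed before touching the directory role.
$owners = Get-AzureADServicePrincipalOwner -ObjectId $targetSp.ObjectId
if (-not ($owners.ObjectId -contains $ownerSp.ObjectId)) {
    throw "TestApp3 is not listed as an owner of TestApp2's service principal; not removing the role."
}

# Least privilege: drop the tenant-scoped Application Administrator membership.
$appAdminRole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Application Administrator' }
$isMember = Get-AzureADDirectoryRoleMember -ObjectId $appAdminRole.ObjectId |
            Where-Object { $_.ObjectId -eq $ownerSp.ObjectId }
if ($isMember) {
    Remove-AzureADDirectoryRoleMember -ObjectId $appAdminRole.ObjectId -MemberId $ownerSp.ObjectId
}

Disconnect-AzureAD

# Step 2: connect as TestApp3 (certificate credential, as in the question) and
# assign a user. This now succeeds only for apps TestApp3 owns.
Connect-AzureAD -TenantId $tenant -CertificateThumbprint $thumb -ApplicationId $applicationID

$user     = Get-AzureADUser -ObjectId 'alice@contoso.example'   # assumed UPN
$targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'TestApp2'"

# [Guid]::Empty selects the default access role when the app defines no app roles.
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
                                 -PrincipalId $user.ObjectId `
                                 -ResourceId $targetSp.ObjectId `
                                 -Id ([Guid]::Empty)

# Confirm the assignment from the application's side.
Get-AzureADServicePrincipalAppRoleAssignedTo -ObjectId $targetSp.ObjectId |
    Where-Object { $_.PrincipalId -eq $user.ObjectId }
```

To confirm the scoping, repeat the New-AzureADUserAppRoleAssignment call while connected as TestApp3 against a service principal it does not own; it should be rejected once the Application Administrator membership is gone. Note that owners can also add further owners, so the ownership relationship itself is worth monitoring.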