
I am building an application which uses role-based access and have created custom app roles in the Azure App Registration, and have also assigned some users to roles in the Enterprise Application. My question is: can we do the removal and assignment of these custom app roles to users via the application instead of using Azure?

I've tried using the Microsoft Graph API to solve this problem. In the frontend (React) I was making Graph API calls to achieve this and it is working fine. But it requires the "AppRoleAssignment.ReadWrite.All" permission to be enabled, which seems so high level for the task I'm doing, since it can assign any roles (custom or AAD roles) to any users or applications, and it doesn't feel secure to give this scope to my end users even though only the admin role would be performing this task. Is there any better way to implement this? Also, is there a way to assign one of the custom roles as default to new users? Appreciate the help!

ezcoth

I tried to reproduce the same in my environment to assign app roles to the user using PowerShell.

You can fetch the user Object ID and the Application Object ID by following these steps.

User Object ID:

Go to Azure Portal > Azure Active Directory > Users > Select the user.

Application Object ID:

Go to Azure Portal > Azure Active Directory > Enterprise applications > Select your app


PowerShell Script:

Connect-AzureAD
$user = Get-AzureADUser -ObjectId "userobjectID"
$servicePrincipal = Get-AzureADServicePrincipal -ObjectId "AppobjectID"
# The app roles are defined on the service principal fetched above
$role = $servicePrincipal.AppRoles | Where-Object {$_.DisplayName -eq "Reader"}
# Check the app role ID
$role.Id
# Assign the role to the user; keep the returned assignment so it can be removed later
$assignment = New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $role.Id
# Removal takes the assignment's own object ID, not the app role ID
Remove-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -AppRoleAssignmentId $assignment.ObjectId

Response:

Once the above code has run, the app role is added to the application as below.

Also is there a way to assign one of the custom roles as default to new users?

I created a dynamic group for assigning app roles to the user when a new user is onboarded.

Go to Azure Portal > Azure Active Directory > Groups > New Group.

Once the group is created, assign the app role to the group as below.

Go to Azure Portal > Azure Active Directory > Enterprise applications > All applications > Select your application

Reference: New-AzureADUserAppRoleAssignment & Remove-AzureADUserAppRoleAssignment

Venkat V
  • Thanks for the solution, but I need a way to perform the same in my application either from backend or frontend. Is there any other way to achieve this? Also thanks for pointing out the dynamic group. – ezcoth Feb 27 '23 at 14:02
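Added example, not code from the question or the answer above: one way to do the assignment from the application's backend without granting "AppRoleAssignment.ReadWrite.All" to end users. The backend is assumed to hold its own app-only Graph token with that permission, the caller's admin app role value ("Admin") is a hypothetical name, and `send` is an injected HTTP callable so the block runs offline.

```python
# The privileged Graph calls are made only by the backend; each call is gated on
# the caller's `roles` claim, which Azure AD fills with the app roles assigned
# to the signed-in user for this application.
from typing import Any, Callable, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
ADMIN_ROLE = "Admin"  # hypothetical custom app role allowed to manage assignments


class Forbidden(Exception):
    """Caller's token does not carry the required app role."""


def require_role(claims: dict, required: str) -> None:
    if required not in claims.get("roles", []):
        raise Forbidden(f"missing app role {required!r}")


def build_assign_request(user_id: str, sp_id: str, app_role_id: str) -> Tuple[str, str, Optional[dict]]:
    # POST /users/{id}/appRoleAssignments: principalId = user object ID,
    # resourceId = enterprise application (service principal) object ID.
    body = {"principalId": user_id, "resourceId": sp_id, "appRoleId": app_role_id}
    return "POST", f"{GRAPH}/users/{user_id}/appRoleAssignments", body


def build_remove_request(user_id: str, assignment_id: str) -> Tuple[str, str, Optional[dict]]:
    # DELETE takes the assignment's own id (returned by the POST), not the app role id.
    return "DELETE", f"{GRAPH}/users/{user_id}/appRoleAssignments/{assignment_id}", None


def assign_role(claims: dict, user_id: str, sp_id: str, app_role_id: str,
                send: Callable[..., Any]) -> Any:
    require_role(claims, ADMIN_ROLE)  # checked before any privileged call is built
    return send(*build_assign_request(user_id, sp_id, app_role_id))


def remove_role(claims: dict, user_id: str, assignment_id: str, send: Callable[..., Any]) -> Any:
    require_role(claims, ADMIN_ROLE)
    return send(*build_remove_request(user_id, assignment_id))


if __name__ == "__main__":
    # Constructed stand-in for the real Graph call: prints the request, sends nothing.
    def fake_send(method: str, url: str, body: Optional[dict] = None) -> dict:
        print(method, url, body)
        return {"id": "constructed-assignment-id"}

    admin_claims = {"roles": [ADMIN_ROLE]}  # constructed token claims
    created = assign_role(admin_claims, "user-object-id", "app-object-id", "app-role-id", fake_send)
    remove_role(admin_claims, "user-object-id", created["id"], fake_send)
```

In a real deployment `send` would attach the backend's app-only token and the caller's claims would come from the validated token presented by the React frontend.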