Programmatically assign users to Azure AD Application using Graph API
You can get the appRoleAssignments of a user via the navigation property when querying the Graph API:
https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6
You can create assignments by making an HTTP POST to:
https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6
The object that you need to send looks like this:
{ "id": "id-of-role", "principalId": "objectId-of-user", "resourceId": "objectId-of-service-principal"}
If your app does not have any roles, but you still want to assign a user, it seems you can just set the id to all zeros:
Where the resource does not declare any permissions, a default id (zero GUID) must be specified.
So something like:
{ "id":"00000000-0000-0000-0000-000000000000", "resourceId": "a27d8321-3dc6-44a1-bf19-2546a9f2806e", "principalId": "c4f810b8-2ea1-4580-9595-30275a28c2a2"}
The accepted answer is a bit outdated now. The URL you need is:
https://graph.microsoft.com/v1.0/<tenantID>/users/<userObjectID>/appRoleAssignments
Send an HTTP POST with a content of:
{ "principalId": "<objectId-of-user>", "resourceId": "<objectId-of-service-principal>", "principalType": "User", "appRoleId": "<id of role>"}
The easiest way to test is via the Microsoft Graph Explorer
Or the way I'm doing it is via a bash script, calling the Azure CLI:
# UUID = app role id (the zero GUID if the app declares no roles), SP = object id of the service principal
cat <<- EOF > roleAssignment.json
{ "appRoleId": "${UUID}", "principalId": "${USER_ID}", "principalType": "User", "resourceId": "${SP}"}
EOF
az rest --method post --headers Content-type="application/json" --url "https://graph.microsoft.com/v1.0/${TENANT_ID}/users/${USER_ID}/appRoleAssignments" --body @roleAssignment.json
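An added Python example, not taken from either answer, that builds the Graph v1.0 body shown above (defaulting to the zero GUID when the app declares no roles), validates every id as a GUID before a bearer token is attached, and sorts the reply into an outcome the caller can act on. It uses the documented /v1.0/users/{id}/appRoleAssignments route, the object ids quoted in the first answer, and a constructed error message; the only thing it does not do is send the request.

```python
import json
import urllib.request
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"
# Graph requires this id when the resource app declares no appRoles.
DEFAULT_ROLE_ID = "00000000-0000-0000-0000-000000000000"


def build_assignment(principal_id, resource_id, app_role_id=None):
    """POST body in the Graph v1.0 shape from the answer above.

    app_role_id=None means the app declares no roles, so the zero GUID is
    used.  Ids are checked as GUIDs locally so a typo fails before any
    Authorization header is sent."""
    app_role_id = app_role_id or DEFAULT_ROLE_ID
    for name, value in (("principalId", principal_id),
                        ("resourceId", resource_id),
                        ("appRoleId", app_role_id)):
        try:
            uuid.UUID(str(value))
        except ValueError:
            raise ValueError(f"{name} is not a GUID: {value!r}") from None
    return {"principalId": principal_id, "resourceId": resource_id,
            "principalType": "User", "appRoleId": app_role_id}


def assignment_request(user_id, body, token):
    """Build (not send) the POST for /users/{id}/appRoleAssignments."""
    url = f"{GRAPH}/users/{user_id}/appRoleAssignments"
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def classify_response(status, body_text):
    """Map a Graph reply to an outcome the caller can act on."""
    if status == 201:
        return "created"
    if status == 403:
        # Token lacks AppRoleAssignment.ReadWrite.All (or an equivalent role).
        return "forbidden"
    try:
        message = json.loads(body_text)["error"]["message"]
    except (ValueError, KeyError, TypeError):
        message = ""
    if status == 400 and "already exists" in message:
        return "already_assigned"  # safe to treat as idempotent success
    return "error"
```

Send it with urllib.request.urlopen(req) once you hold a token for a principal that has AppRoleAssignment.ReadWrite.All; a repeat run that yields "already_assigned" means the user was already in the app and nothing changed.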