
Programmatically assign users to Azure AD Application using Graph API


You can get the appRoleAssignments of a user via the navigation property when querying the Graph API:

https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6

You can create assignments by making an HTTP POST to:

https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6

The object that you need to send looks like this:

{
  "id": "id-of-role",
  "principalId": "objectId-of-user",
  "resourceId": "objectId-of-service-principal"
}

If your app does not have any roles, but you still want to assign a user, it seems you can just set the id to all zeros:

Where the resource does not declare any permissions, a default id (zero GUID) must be specified.

So something like:

{
  "id": "00000000-0000-0000-0000-000000000000",
  "resourceId": "a27d8321-3dc6-44a1-bf19-2546a9f2806e",
  "principalId": "c4f810b8-2ea1-4580-9595-30275a28c2a2"
}


The accepted answer is a bit outdated now. The URL you need is:

https://graph.microsoft.com/v1.0/<tenantID>/users/<userObjectID>/appRoleAssignments

Send a HTTP POST with a content of:

{
  "principalId": "<objectId-of-user>",
  "resourceId": "<objectId-of-service-principal>",
  "principalType": "User",
  "appRoleId": "<id of role>"
}

The easiest way to test is via the Microsoft Graph Explorer.

Or the way I'm doing it is via a bash script, calling the Azure CLI:

# UUID: appRoleId of the role on the service principal (zero GUID if the app declares no roles)
# USER_ID / SP: object IDs of the user and the service principal; TENANT_ID: the directory tenant
cat <<- EOF > roleAssignment.json
{
  "appRoleId": "${UUID}",
  "principalId": "${USER_ID}",
  "principalType": "User",
  "resourceId": "${SP}"
}
EOF
az rest --method post --headers Content-type="application/json" --url "https://graph.microsoft.com/v1.0/${TENANT_ID}/users/${USER_ID}/appRoleAssignments" --body @roleAssignment.json
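As an added example that is not code from either answer, the Python below builds the Microsoft Graph appRoleAssignment body described in the second answer, falls back to the zero GUID from the first answer when the application declares no app roles, and reads the user's existing assignments (the GET both answers build on) before posting, so re-running an onboarding script does not create duplicate assignments. The HTTP layer is injected: `FakeGraph` is a constructed stand-in so the example runs offline, and a real caller would pass a function that wraps `requests` or `urllib` with a valid bearer token. The `send` callable signature, `FakeGraph`, and the `assign_user` helper are assumptions of this example; the two object IDs are the sample values from the first answer.

```python
"""Idempotent appRoleAssignment helper for Microsoft Graph (added example)."""
import json
import re
import uuid

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
# Microsoft's documented default when the resource declares no app roles.
DEFAULT_APP_ROLE_ID = "00000000-0000-0000-0000-000000000000"

_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_guid(value):
    """Reject malformed IDs before they reach the API (typos silently 400 otherwise)."""
    return isinstance(value, str) and bool(_GUID_RE.match(value))


def build_assignment_body(principal_id, resource_id, app_role_id=None):
    """Return the v1.0 request body; a missing role id means the zero-GUID default."""
    role = app_role_id or DEFAULT_APP_ROLE_ID
    for name, val in (("principalId", principal_id),
                      ("resourceId", resource_id),
                      ("appRoleId", role)):
        if not is_guid(val):
            raise ValueError(f"{name} is not a GUID: {val!r}")
    return {
        "principalId": principal_id,
        "resourceId": resource_id,
        "principalType": "User",
        "appRoleId": role,
    }


def assignment_exists(existing, resource_id, app_role_id):
    """True if the listed assignments already contain this role on this service principal."""
    return any(a.get("resourceId") == resource_id and a.get("appRoleId") == app_role_id
               for a in existing)


def assign_user(send, token, tenant_id, user_id, resource_id, app_role_id=None):
    """Assign only if absent. Returns ("exists", None) or ("created", response_body).

    `send(method, url, headers, body=None) -> (status, parsed_json)` is an assumed
    interface; wrap your HTTP client of choice to provide it.
    """
    # URL shape follows the second answer, which places the tenant before /users.
    url = f"{GRAPH_BASE}/{tenant_id}/users/{user_id}/appRoleAssignments"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = build_assignment_body(user_id, resource_id, app_role_id)

    status, data = send("GET", url, headers)
    if status != 200:
        raise RuntimeError(f"listing assignments failed: HTTP {status}")
    if assignment_exists(data.get("value", []), resource_id, body["appRoleId"]):
        return "exists", None

    status, created = send("POST", url, headers, json.dumps(body))
    if status != 201:
        raise RuntimeError(f"assignment failed: HTTP {status}: {created}")
    return "created", created


class FakeGraph:
    """Constructed offline stand-in for the two Graph calls; records every POST."""

    def __init__(self, existing=()):
        self.existing = list(existing)
        self.posts = []

    def __call__(self, method, url, headers, body=None):
        if method == "GET":
            return 200, {"value": list(self.existing)}
        if method == "POST":
            payload = json.loads(body)
            self.posts.append(payload)
            created = dict(payload, id=str(uuid.uuid4()))
            self.existing.append(created)
            return 201, created
        raise ValueError(f"unsupported method {method}")


if __name__ == "__main__":
    # Sample object IDs taken from the first answer; the tenant and token are placeholders.
    USER = "c4f810b8-2ea1-4580-9595-30275a28c2a2"
    SP = "a27d8321-3dc6-44a1-bf19-2546a9f2806e"
    graph = FakeGraph()
    print(assign_user(graph, "<token>", "<tenant-id>", USER, SP)[0])  # created
    print(assign_user(graph, "<token>", "<tenant-id>", USER, SP)[0])  # exists
```

The pre-flight GET is what makes the helper safe to run from a scheduled job: Graph will happily create a second identical assignment on a bare POST, and each extra row is one more entry a reviewer has to reconcile later.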