Programmatic ways to create App roles in Azure AD

Jeevan B. Manoj
3 min read · Feb 16, 2021

A few weeks back, I wrote a post explaining App roles in Azure AD. There we saw how to create app roles in Azure AD via the UI in the Azure portal. This post takes it up a notch by looking at a couple of programmatic ways to create app roles. Migrating hundreds of roles from your application's database to Azure AD would be cumbersome via the UI, so here are two programmatic solutions to the problem of migrating app roles to Azure AD.


1. MS Graph Application Update API

Microsoft Graph is the gateway to data and intelligence in Microsoft 365. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security.

You can use the MS Graph application update endpoint to add app roles dynamically. Write a utility that reads the roles from your local app-roles database (or whatever roles source your scenario has) and sends a PATCH request to the application update endpoint to update your app registration with the new roles. One caveat a migration tool must handle: a PATCH to appRoles replaces the entire collection, so the request body has to carry every existing role you want to keep (with its existing id, so that current role assignments survive) alongside the new ones. A role can only be dropped from the collection after a previous PATCH has set its isEnabled to false. Each role's id must be a GUID and each value must be unique within the application. Here is a sample PATCH request.

PATCH https://graph.microsoft.com/v1.0/applications/3e7d226f-2c9b-4d28-b3ce-6a9353753hah
Content-Type: application/json

{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User",
        "Application"
      ],
      "description": "TestRole",
      "displayName": "TestRole",
      "id": "6cd9c306-9252-4092-b52a-960016053356",
      "isEnabled": true,
      "origin": "Application",
      "value": "TestRole"
    }
  ]
}

Please note the permission requirements for this endpoint. The least-privileged choices are Application.ReadWrite.OwnedBy (an application permission limited to app registrations the calling identity owns) and Application.ReadWrite.All (delegated or application). The latter lets the caller modify every app registration in the tenant, so prefer OwnedBy for a migration utility that runs unattended.

Permissions requirement for the Application update MS Graph endpoint
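The following Python utility is an added example and not code from the original post. It reads the roles to migrate from a local database, merges them into the application's current appRoles collection in the way the PATCH semantics require (existing roles kept with their ids, new roles given fresh GUIDs, duplicates and malformed ids rejected before anything is sent), and assembles the PATCH request. The SQLite table app_roles(name, description), the stand-in list of existing roles and the sample rows are all constructed for the example; the object id and bearer token are supplied by the caller. The same replace-the-whole-collection concern applies to the -AppRoles parameter of Set-AzureADMSApplication in the PowerShell method below, which is why that script also reads the existing roles first and writes the full list back.

```python
"""Added example (not from the original post): import app roles from a local
database and build the MS Graph PATCH body for an app registration.

Assumptions: the local roles live in a hypothetical SQLite table
app_roles(name, description); the application object id, the access token
and the list of roles currently on the registration are supplied by the caller.
"""
import json
import sqlite3
import urllib.request
import uuid
from typing import Dict, List

GRAPH_APPLICATIONS = "https://graph.microsoft.com/v1.0/applications/"


def load_local_roles(conn: sqlite3.Connection) -> List[Dict[str, str]]:
    """Read the roles to migrate from the (hypothetical) app_roles table."""
    rows = conn.execute("SELECT name, description FROM app_roles ORDER BY name")
    return [{"value": name, "description": desc} for name, desc in rows]


def validate_app_roles(roles: List[dict]) -> bool:
    """Graph rejects duplicate ids or values and non-GUID ids; catch that locally."""
    ids = [r["id"] for r in roles]
    values = [r["value"] for r in roles]
    if len(set(ids)) != len(ids) or len(set(values)) != len(values):
        raise ValueError("appRoles ids and values must be unique")
    for r in roles:
        uuid.UUID(r["id"])  # raises ValueError when the id is not a GUID
    return True


def merge_app_roles(existing: List[dict], local: List[dict]) -> List[dict]:
    """PATCH appRoles replaces the whole collection, so the body must carry every
    role that should survive. Roles already on the registration are kept as-is
    (same id, so current assignments are untouched); only new values are added.
    Roles absent from the local source are deliberately kept rather than dropped:
    Graph only allows removing a role once an earlier PATCH set isEnabled=false."""
    merged = [dict(r) for r in existing]
    known = {r["value"] for r in existing}
    for role in local:
        if role["value"] in known:
            continue
        merged.append({
            "allowedMemberTypes": ["User", "Application"],
            "description": role["description"],
            "displayName": role["value"],
            "id": str(uuid.uuid4()),
            "isEnabled": True,
            "value": role["value"],
        })
        known.add(role["value"])
    validate_app_roles(merged)
    return merged


def build_patch_request(object_id: str, roles: List[dict]) -> urllib.request.Request:
    """Assemble the PATCH for /applications/{object_id}; no token attached yet."""
    body = json.dumps({"appRoles": roles}).encode()
    return urllib.request.Request(
        GRAPH_APPLICATIONS + object_id, data=body, method="PATCH",
        headers={"Content-Type": "application/json"})


def patch_app_roles(object_id: str, roles: List[dict], access_token: str) -> int:
    """Send the PATCH (needs network and a token carrying Application.ReadWrite.OwnedBy
    or Application.ReadWrite.All); returns the HTTP status, 204 on success."""
    req = build_patch_request(object_id, roles)
    req.add_header("Authorization", f"Bearer {access_token}")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's own role table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_roles (name TEXT PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO app_roles VALUES (?, ?)", [
        ("Approver", "Can approve requests"),
        ("Auditor", "Read-only access to audit logs"),
        ("TestRole", "TestRole"),
    ])
    return conn


# Constructed stand-in for the appRoles currently on the registration
# (mirrors the TestRole from the sample PATCH body above).
EXISTING_ROLES = [{
    "allowedMemberTypes": ["User", "Application"],
    "description": "TestRole", "displayName": "TestRole",
    "id": "6cd9c306-9252-4092-b52a-960016053356",
    "isEnabled": True, "value": "TestRole",
}]

if __name__ == "__main__":
    merged = merge_app_roles(EXISTING_ROLES, load_local_roles(sample_db()))
    print(build_patch_request("<application-object-id>", merged).data.decode())
```

Running the block offline prints the merged body: TestRole keeps its original id while Approver and Auditor are appended with new GUIDs. Only patch_app_roles touches the network, and it is the one place the token is needed, which keeps the merge logic testable without a tenant.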

2. PowerShell Script

PowerShell is a cross-platform task automation and configuration management framework from Microsoft, consisting of a command-line shell and a scripting language. The following PowerShell script lets administrators and developers create app roles in existing app registrations easily. Under the hood the script also calls MS Graph (the AzureADMS* cmdlets are Graph-backed), so the permission requirements are identical to those of method #1. Note that the AzureAD PowerShell module used here has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, but the approach (read the AppRoles collection, append to it, write the whole collection back) is the same.

Connect-AzureAD -TenantId "<TenantId>"

# Create an app role object of the given name and description.
# The role is enabled, assignable to both users and applications,
# and gets a fresh GUID as its id.
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.MSGraph.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User")
    $appRole.AllowedMemberTypes.Add("Application")
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name
    return $appRole
}

# ObjectId of the application, from App registrations in your Azure AD
$appObjectId = "<ObjectId>"
$app = Get-AzureADMSApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App roles before addition of new role.."
$appRoles | Format-Table DisplayName, Value, Id

$newRole = CreateAppRole -Name "NewRoleName" -Description "New role description"
# Refuse to add a duplicate: Graph rejects two roles with the same value
if ($appRoles.Value -contains $newRole.Value) {
    throw "App role '$($newRole.Value)' already exists on this application"
}
$appRoles.Add($newRole)

# -AppRoles replaces the whole collection, so pass the existing roles plus the new one
Set-AzureADMSApplication -ObjectId $app.Id -AppRoles $appRoles

The script is quite self-explanatory. First the existing roles are listed, then CreateAppRole is invoked to build a new app role object, which is appended to the existing collection and saved back to the app registration.

Please make sure the TenantId and ObjectId values are populated correctly before running the script. If you are wondering how to get hold of them, navigate to your App registration in the Azure portal: the Overview page shows both values. A sample is provided below.

Landing page of the app registration, with the TenantId and ObjectId fields needed by the PowerShell script highlighted
