How to assign app roles to users using New-MgUserAppRoleAssignment

Assigning app roles to users

Administrators assign app roles in Microsoft Entra ID to define what a user is permitted to do inside an application that declares roles. The assigned roles are delivered to the application in the roles claim of the user's token, so the application can limit features and data to authorized users without keeping its own role store. Microsoft Graph PowerShell's New-MgUserAppRoleAssignment cmdlet, the replacement for New-AzureADUserAppRoleAssignment from the deprecated Azure AD PowerShell module, can be used to assign app roles to users.

Assigning app roles to users using Graph PowerShell

Prerequisite

Before using the New-MgUserAppRoleAssignment cmdlet, ensure the Microsoft Graph PowerShell module is installed and that you are signed in with Connect-MgGraph using the AppRoleAssignment.ReadWrite.All scope, the permission required to create assignments. If the module is missing, install it for the current user with this command:

Install-Module Microsoft.Graph -Scope CurrentUser

Using the New-MgUserAppRoleAssignment command to assign app roles to users

The New-MgUserAppRoleAssignment cmdlet can be used in Graph PowerShell to assign app roles to users. Here's the syntax:

New-MgUserAppRoleAssignment
-UserId <String>
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-AppRoleId <String>]
[-CreatedDateTime <DateTime>]
[-DeletedDateTime <DateTime>]
[-Id <String>]
[-PrincipalDisplayName <String>]
[-PrincipalId <String>]
[-PrincipalType <String>]
[-ResourceDisplayName <String>]
[-ResourceId <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]

Example use cases and scripts using the New-MgUserAppRoleAssignment cmdlet

Assign a user an application role

# -UserId selects the user; -PrincipalId must carry the same user's object ID.
# -ResourceId is the object ID of the application's service principal, not its application (client) ID.
New-MgUserAppRoleAssignment -UserId '8a7c50d3-fcbd-4727-a889-8ab232dfea01' -PrincipalId '8a7c50d3-fcbd-4727-a889-8ab232dfea01' -ResourceId '0873169c-9595-4664-9d02-499b49846ff1' -AppRoleId '0004c632-673b-4105-9bb6-f3bbd2a927fe' |
Format-List Id, AppRoleId, CreatedDateTime, PrincipalDisplayName,
PrincipalId, PrincipalType, ResourceDisplayName, ResourceId
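The one-liner above hardcodes four GUIDs, which is how most wrong assignments happen. The following added example (written for this page, not taken from the original article or from Microsoft's documentation) resolves the service principal by display name and the role by its stable Value, checks that the role is enabled and may be held by users, and skips the call when the user already holds it. The application name "Contoso Payroll", the role value "Payroll.Approver" and the user alice@contoso.com are assumed placeholders; substitute your own.

```powershell
# Added example, not from the original article. Names and UPN below are placeholders.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All','Application.Read.All','User.Read.All' -NoWelcome

$userUpn  = 'alice@contoso.com'     # assumed
$appName  = 'Contoso Payroll'       # assumed: display name of the enterprise application
$roleName = 'Payroll.Approver'      # assumed: the app role's Value, which is stable across tenants

# -UserId accepts an object ID or a UPN, but -PrincipalId needs the object ID, so resolve it once.
$user = Get-MgUser -UserId $userUpn -Property Id,DisplayName,UserPrincipalName

# ResourceId is the object ID of the service principal, not the application's client ID.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($sp.Count -eq 0) { throw "Service principal '$appName' not found." }
if ($sp.Count -gt 1) { throw "Display name '$appName' is ambiguous; filter on appId instead." }
$sp = $sp[0]

# Select the role by Value rather than a hand-copied GUID, and confirm it is enabled
# and that users (not only applications) are allowed to hold it.
$role = $sp.AppRoles | Where-Object { $_.Value -eq $roleName }
if (-not $role)            { throw "Role '$roleName' is not declared on '$appName'." }
if (-not $role.IsEnabled)  { throw "Role '$roleName' is disabled on '$appName'." }
if ($role.AllowedMemberTypes -notcontains 'User') {
    throw "Role '$roleName' cannot be assigned to users (allowedMemberTypes: $($role.AllowedMemberTypes -join ','))."
}

# Idempotency: Graph rejects duplicate assignments, so check before creating.
$existing = Get-MgUserAppRoleAssignment -UserId $user.Id -All |
    Where-Object { $_.ResourceId -eq $sp.Id -and $_.AppRoleId -eq $role.Id }

if ($existing) {
    Write-Host "$($user.UserPrincipalName) already holds '$roleName' on '$appName' (assignment $($existing.Id))."
}
else {
    $params = @{
        UserId      = $user.Id
        PrincipalId = $user.Id     # same user as -UserId
        ResourceId  = $sp.Id       # service principal object ID
        AppRoleId   = $role.Id
    }
    # Add -WhatIf to the call below to preview the assignment without creating it.
    New-MgUserAppRoleAssignment @params |
        Format-List Id, AppRoleId, CreatedDateTime, PrincipalDisplayName, PrincipalId, PrincipalType, ResourceDisplayName, ResourceId
}
```

Filtering on the role's Value rather than its DisplayName matters because Value is what the application itself compares against the roles claim, so the name you check here is the name the application enforces.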

Supported parameters

The following parameters are the ones you normally supply to New-MgUserAppRoleAssignment; the remaining parameters in the syntax block (such as -CreatedDateTime, -DeletedDateTime and -PrincipalDisplayName) mirror read-only properties of the assignment object that the service populates itself, so they are not set when creating an assignment:

Parameter: Description
-UserId: The object ID or user principal name of the user receiving the role. This is the user whose appRoleAssignments collection the new entry is written to.
-PrincipalId: The object ID of the principal being granted the role. For this cmdlet it must be the same user identified by -UserId; the cmdlet assigns to users only, and groups or service principals use their own cmdlets.
-ResourceId: The object ID of the service principal (enterprise application) that defines the role. This is not the application's client ID.
-AppRoleId: The ID of the app role being assigned, taken from the appRoles collection of the resource service principal. The role must be enabled and its allowedMemberTypes must include User.
-WhatIf: Shows the assignment that would be created without creating it. Useful for checking that the four IDs above are the ones you meant.

Limitations of using Graph PowerShell scripts to assign app roles to users

  • Graph PowerShell requires IT admins to migrate from the deprecated Azure AD PowerShell module and to be comfortable with PowerShell scripting.
  • Assigning app roles to multiple users simultaneously requires a scripted loop, as there is no direct bulk assignment cmdlet.
  • New-MgUserAppRoleAssignment does not check whether a user should hold a role; any enabled role the resource allows for users can be assigned, so a mistyped or misattributed GUID produces an incorrect assignment rather than an error.
  • Each cmdlet call is a Microsoft Graph API request. Scripts that issue many requests in a short period may receive HTTP 429 throttling responses and must back off and retry.
  • The lack of a graphical interface makes the experience less approachable, particularly for admins new to scripting.
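Bulk assignment and throttling, the second and fourth points above, are normally handled together in a loop with retries. The added example below (written for this page, not from the original article) reads assignments from a constructed CSV embedded in the script, runs as a -WhatIf dry run until $commit is set, retries with exponential backoff when a call is throttled, treats a duplicate assignment as a no-op, and writes a per-row result file for audit. The UPNs and IDs are placeholders. Matching the throttling and duplicate conditions on the error message text is an assumption: the exception shape the Graph SDK surfaces varies between versions, so adjust the patterns to what your module version returns.

```powershell
# Added example, not from the original article. The CSV is constructed sample input;
# the UPNs and IDs are placeholders to be replaced with values from your tenant.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All','User.Read.All' -NoWelcome

$assignments = @'
UserPrincipalName,ServicePrincipalId,AppRoleId
alice@contoso.com,0873169c-9595-4664-9d02-499b49846ff1,0004c632-673b-4105-9bb6-f3bbd2a927fe
bob@contoso.com,0873169c-9595-4664-9d02-499b49846ff1,0004c632-673b-4105-9bb6-f3bbd2a927fe
'@ | ConvertFrom-Csv

# Leave $false for a dry run: every New-MgUserAppRoleAssignment call then carries -WhatIf.
$commit = $false

function Invoke-GraphWithRetry {
    param([scriptblock]$Action, [int]$MaxAttempts = 5)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try { return & $Action }
        catch {
            # Assumption: throttling surfaces as an error whose message names the
            # 429/TooManyRequests (or 503) status. Anything else is a real failure.
            $throttled = $_.Exception.Message -match 'TooManyRequests|\b429\b|ServiceUnavailable|\b503\b'
            if (-not $throttled -or $attempt -eq $MaxAttempts) { throw }
            # Exponential backoff with jitter: 2s, 4s, 8s, ... plus up to 1s of random delay.
            $delayMs = [int](1000 * [math]::Pow(2, $attempt)) + (Get-Random -Maximum 1000)
            Write-Warning "Throttled (attempt $attempt of $MaxAttempts); retrying in $delayMs ms."
            Start-Sleep -Milliseconds $delayMs
        }
    }
}

$results = foreach ($row in $assignments) {
    $status = if ($commit) { 'Assigned' } else { 'WhatIf' }
    $detail = ''
    try {
        $user = Invoke-GraphWithRetry { Get-MgUser -UserId $row.UserPrincipalName -Property Id -ErrorAction Stop }
        $params = @{
            UserId      = $user.Id
            PrincipalId = $user.Id                 # must be the same user as -UserId
            ResourceId  = $row.ServicePrincipalId  # service principal object ID, not the app's client ID
            AppRoleId   = $row.AppRoleId
            ErrorAction = 'Stop'
        }
        if (-not $commit) { $params.WhatIf = $true }
        $created = Invoke-GraphWithRetry { New-MgUserAppRoleAssignment @params }
        if ($created) { $detail = $created.Id }
    }
    catch {
        # Assumption: Graph rejects a duplicate with a message containing "already exists";
        # that is a no-op for our purposes, not a failure.
        if ($_.Exception.Message -match 'already exists') { $status = 'AlreadyAssigned' }
        else { $status = 'Failed'; $detail = $_.Exception.Message }
    }
    [pscustomobject]@{
        User      = $row.UserPrincipalName
        Resource  = $row.ServicePrincipalId
        AppRoleId = $row.AppRoleId
        Status    = $status
        Detail    = $detail
    }
}

$results | Format-Table -AutoSize
# Keep a record of what was attempted and what happened to each row.
$results | Export-Csv -Path ".\approle-assignments-$(Get-Date -Format 'yyyyMMdd-HHmm').csv" -NoTypeInformation
```

Run it once with $commit left at $false and read the WhatIf output and the result file before flipping it to $true; the retry wrapper only helps with throttling, it cannot undo an assignment made to the wrong user or role.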

Highlights of ADManager Plus

ManageEngine ADManager Plus is an identity governance and administration solution with comprehensive Entra ID management and reporting capabilities. It eliminates the hassle of complex PowerShell scripts. Its intuitive, user-friendly interface allows you to streamline even the most complex administrative tasks in minutes.

  • Gain an easy-to-use interface for managing and reporting on users, eliminating the need for complex PowerShell scripting or Graph API knowledge.
  • Simplify bulk operations through automation capabilities optimized for large-scale environments, eliminating the need for complex scripts.
  • Use prebuilt or custom templates to standardize management and reporting tasks.
  • Generate more than 200 prepackaged reports, with options to customize and export them in various formats, like CSV or HTML.
  • Delegate specific management and reporting tasks to technicians without granting them excessive permissions.

No more Graph PowerShell hassles! Manage Entra ID effortlessly with ADManager Plus.

 