Azure Active Directory – How to give a Registered Application an AD Directory Administrative Role

By default a ‘Registered Application’ account is not a member of any directory roles or groups, and there is no easy way to change this using the portal. You may have an API or back-end application that must perform actions on your AD that require elevated permissions (e.g. resetting passwords or deleting accounts).

Normally, for advanced configuration you will need to edit the manifest file. Luckily this has been made easy in the portal: you can now edit the file directly, or download it, make changes and then upload it again.

However, to make a ‘Registered Application’ a member of a ‘Directory Administrative Role’ you need to use PowerShell to add the role member to the ‘Service Principal’ (as I couldn’t find a way to do this in the manifest!).

When you register an application in the Azure portal, two objects are created in your Azure AD tenant: an application object, and a service principal object. Consider the application object as the global representation of your application (for use across all tenants), and the service principal as the local representation (for use in a specific tenant). It’s the service principal object that defines the policy and permissions for an application.

The following PowerShell is hopefully self-explanatory. Here I am adding my Application to the ‘User Account Administrator’ role so that my app can reset user passwords and delete user accounts:

NOTE: You will need to use the x64 PowerShell or PowerShell ISE, as there is no 32-bit AzureAD module. If your commands aren’t recognised, run Install-Module AzureAD in PowerShell as Administrator.

# Add an Admin role to an application
#=====================================
# 1 - Log in to the AD tenant
$adcred = Get-Credential -UserName "myadminuser@mydomain.onmicrosoft.com" -Message "Enter the password"
Connect-AzureAD -Credential $adcred

# 2 - List all AD roles (only roles already activated in the tenant are returned)
Get-AzureADDirectoryRole

# 3 - Set the ObjectId of the role you want to add a member to.
# You should see the list from the previous command.
# Copy the ObjectId you want (placeholder value below)
$userCompanyAdminObjectId = "12345678-1234-1234-1234-123465789012"

# 4 - Set the service principal ObjectId. Get this from the portal (placeholder value below)
$applicationObjectID = "12345678-1234-1234-1234-123465789012"

# 5 - Check that you have the right service principal before granting it anything
Get-AzureADServicePrincipal -ObjectId $applicationObjectID

# 6 - Add the app (service principal) to the AD role
Add-AzureADDirectoryRoleMember -ObjectId $userCompanyAdminObjectId -RefObjectId $applicationObjectID

# 7 - List all the role members now, to confirm the assignment
Get-AzureADDirectoryRoleMember -ObjectId $userCompanyAdminObjectId
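As an added example (not part of the original post), the same assignment done by display name rather than by copied GUIDs, with the checks a practitioner would want: activate the role from its template if it has not yet been enabled in the tenant, refuse an ambiguous application name, skip the add if the service principal is already a member, and finish by auditing every service principal that holds any directory role. It assumes the AzureAD module, an existing Connect-AzureAD session, and placeholder role and application names.

```powershell
# Added example, not the original post's script. Assumes the AzureAD module
# and that Connect-AzureAD has already been run. Names below are placeholders.
$roleDisplayName = "User Account Administrator"   # assumption: role name as shown in your tenant
$appDisplayName  = "MyBackendApp"                 # assumption: your registered application's name

# Get-AzureADDirectoryRole returns only roles already activated in the tenant;
# if the role is missing, activate it from its template first.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleDisplayName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleDisplayName }
    if (-not $template) { throw "No role template named '$roleDisplayName'" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Resolve the service principal by name and insist on exactly one match,
# so a similarly named app cannot be granted the role by accident.
$sp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$appDisplayName', found $($sp.Count)"
}
$sp = $sp[0]

# Add the member only if it is not already present (the add fails on duplicates).
$members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
if ($members.ObjectId -notcontains $sp.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Host "Added '$($sp.DisplayName)' to role '$($role.DisplayName)'"
} else {
    Write-Host "'$($sp.DisplayName)' is already a member of '$($role.DisplayName)'"
}

# Audit: list every service principal that holds any directory role, so that
# application identities with elevated rights stay visible and reviewable.
Get-AzureADDirectoryRole | ForEach-Object {
    $r = $_
    Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId |
        Where-Object { $_.ObjectType -eq "ServicePrincipal" } |
        Select-Object @{ n = 'Role'; e = { $r.DisplayName } }, DisplayName, ObjectId, AppId
} | Format-Table -AutoSize
```

The final audit is worth running on its own periodically: any service principal that appears in it holds tenant-wide privileges and should have a known owner and a reason to be there.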

For more information regarding the Azure Active Directory see

https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-assign-admin-roles

For more information on the manifest see

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-manifest
