Powershell script to add users in API application in mass

To bulk assign users or groups to an Enterprise Application (API application) in Microsoft Entra ID (Azure AD) with PowerShell, you can use either the AzureAD module or the Microsoft Graph PowerShell module.

Here's a PowerShell script using the Microsoft Graph PowerShell SDK, which is the recommended approach in 2025:

---

✅ Prerequisites:

1. Microsoft Graph PowerShell module installed:

Install-Module Microsoft.Graph -Scope CurrentUser


2. Connect to Microsoft Graph:

Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All"

---

📄 Input CSV format (UsersToAssign.csv)

The file is comma-separated, with a header row whose column names match the properties the script reads:

UserPrincipalName,AppObjectId
neeraj@neeraj.ltd,XXXXXXXXXXXXXXX
XYZ@neeraj.ltd,XXXXXXXXXXXXXXX

---

🔁 PowerShell Script: Bulk Assign Users to API Application

# Import CSV file
$usersToAssign = Import-Csv -Path "C:\UsersToAssign.csv"

foreach ($entry in $usersToAssign) {
    $userUPN = $entry.UserPrincipalName
    $appObjectId = $entry.AppObjectId

    try {
        # Get the user object; with SilentlyContinue an unknown UPN returns $null
        # instead of throwing, so the "User not found" branch below is reachable
        $user = Get-MgUser -UserId $userUPN -ErrorAction SilentlyContinue

        if ($user) {
            # Assign user to Enterprise App
            New-MgServicePrincipalAppRoleAssignment `
                -ServicePrincipalId $appObjectId `
                -PrincipalId $user.Id `
                -ResourceId $appObjectId `
                -AppRoleId "00000000-0000-0000-0000-000000000000" # Default role, change if using custom roles

            Write-Host "Assigned $userUPN to app $appObjectId"
        } else {
            Write-Warning "User not found: $userUPN"
        }
    } catch {
        Write-Error "Failed to assign $userUPN to app: $_"
    }
}


---

🛠️ Notes:

AppRoleId must match the role defined in the Enterprise App (can be viewed in app manifest).

Use Get-MgServicePrincipalAppRoleAssignedTo to verify assignments.

You can also assign groups instead of individual users by replacing user lookup logic with group lookup using Get-MgGroup.

---
🔍 How to Find Correct AppRoleId

To list the roles available on your Enterprise App, run the command below and replace 00000000-0000-0000-0000-000000000000 in the script with the Id it returns:

Get-MgServicePrincipalAppRole -ServicePrincipalId <AppObjectId>

---

The error you're seeing is because Get-MgServicePrincipalAppRole is not a valid cmdlet in the Microsoft Graph module.

To list the App Roles for a service principal (Enterprise App), query the AppRoles property of the service principal object instead.

---

✅ Correct PowerShell to List AppRoles

# Replace with your actual App (Service Principal) Object ID
$appId = "5402a3a2-9eef-4cc6-a22f-d4b736243a62"

# Fetch and display the AppRoles
(Get-MgServicePrincipal -ServicePrincipalId $appId).AppRoles

---

📌 Output Example

This will return output like:

Id                                   DisplayName Description
--                                   ----------- -----------
e7bc631f-ae53-4e58-9d54-31576e19e8a4 User        Regular access
c28b51b4-b7ef-42fc-81df-4e94b7f45849 Admin       Full access

Use the appropriate Id value from this list in your New-MgServicePrincipalAppRoleAssignment as the AppRoleId.

If the list is empty, your app may not define any roles in its manifest. You can add roles by editing the App Registration > Manifest.
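Putting the AppRoles lookup above together with the notes on groups, verification and the default role, here is an added example (not the post's own script) that resolves the AppRoleId by display name, falls back to the default-access role only when the app defines no roles, accepts either a user UPN or a group display name, and skips principals that already hold the role so re-runs are safe. The CSV path and its column names (PrincipalName, AppObjectId, RoleName) are assumptions, and Connect-MgGraph is assumed to have run already.

```powershell
# Added example (not the original post's script). Assumes Connect-MgGraph has
# already run and a CSV with the columns PrincipalName,AppObjectId,RoleName
# (PrincipalName is a user UPN or a group display name; assumed column names).
$defaultAccessRoleId = "00000000-0000-0000-0000-000000000000"

function Resolve-AppRoleId {
    param([string]$ServicePrincipalId, [string]$RoleName)
    $sp   = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId
    $role = $sp.AppRoles | Where-Object { $_.DisplayName -eq $RoleName -and $_.IsEnabled } |
        Select-Object -First 1
    if ($role) { return $role.Id }
    # Only an app with no roles in its manifest uses the default-access role
    if (-not $sp.AppRoles) { return $defaultAccessRoleId }
    throw "Role '$RoleName' is not defined on app $($sp.DisplayName)"
}

function Resolve-PrincipalId {
    param([string]$Name)
    if ($Name -like "*@*") {
        return (Get-MgUser -UserId $Name -ErrorAction Stop).Id      # user by UPN
    }
    $escaped = $Name.Replace("'", "''")                              # OData quoting
    $groups  = @(Get-MgGroup -Filter "displayName eq '$escaped'" -ErrorAction Stop)
    if ($groups.Count -ne 1) { throw "Expected one group named '$Name', found $($groups.Count)" }
    return $groups[0].Id
}

$rows = Import-Csv -Path "C:\PrincipalsToAssign.csv"                 # assumed path
foreach ($row in $rows) {
    try {
        $roleId      = Resolve-AppRoleId -ServicePrincipalId $row.AppObjectId -RoleName $row.RoleName
        $principalId = Resolve-PrincipalId -Name $row.PrincipalName

        # Skip principals that already hold this role, so re-running is idempotent
        $existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $row.AppObjectId -All |
            Where-Object { $_.PrincipalId -eq $principalId -and $_.AppRoleId -eq $roleId }
        if ($existing) {
            Write-Host "Skipping $($row.PrincipalName): already assigned role $roleId"
            continue
        }

        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $row.AppObjectId `
            -PrincipalId $principalId -ResourceId $row.AppObjectId -AppRoleId $roleId | Out-Null
        Write-Host "Assigned $($row.PrincipalName) to $($row.AppObjectId) as '$($row.RoleName)'"
    } catch {
        Write-Error "Failed for $($row.PrincipalName): $_"
    }
}
```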

---

Once the CSV and the AppRoleId are in place, run the script, then refresh the application's page in the Microsoft Entra admin center and check that the assignments appear.
