如何将 AAD 组分配给企业应用程序？

Question

i would like to know how to assign one or multiple groups to an application?

I've tried this but im getting an error: Get-AzureADGroup : Error occurred while executing GetGroup

connect-azuread

$GroupName = "TEST"
$app_name = "Intranet"
$app_role_name = "Default Access"

# Get the group to assign
$AADGROUP = Get-AzureADGroup -ObjectId $GroupName
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }

# Assign the group to the app role
New-AzureADGroupAppRoleAssignment -ObjectId $AADGROUP.ObjectId -PrincipalId $AADGROUP.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id

Answer 1

Your error indicate clearly the part which is failing. There is no ObjectId provided to the last statement because your $AADGroup.ObjectId is $null

Looking at an excerpt of your code:

$GroupName = 'test'
$AADGROUP = Get-AzureADGroup -ObjectId $GroupName
#...
# Assign the group to the app role
New-AzureADGroupAppRoleAssignment -ObjectId $AADGROUP.ObjectId -PrincipalId $AADGROUP.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id

$GroupName is a very bad name for this variable if you are using it along with the Get-AzureADGroup -ObjectId $GroupName statement right after. It won't work. -ObjectId is expecting the object ID GUID of the group, not its name (You might be already doing it correctly, my assumption come from your variable name).

That would explain where you don't have any group returned and why the error occur. If you want to use the group name, you will need to call the Get-AzureADGroup with -SearchString instead of -ObjectId .