Set-EntraBetaAppRoleToApplicationUser

Add existing application users to Microsoft Entra ID and assign them roles.

Syntax

Default

Set-EntraBetaAppRoleToApplicationUser

    -DataSource <String>
    -FilePath <System.IO.FileInfo>
    -ApplicationName <String>
    [-SignInAudience <String>]
    [<CommonParameters>]

ExportResults

Set-EntraBetaAppRoleToApplicationUser

    -DataSource <String>
    -FilePath <System.IO.FileInfo>
    -ApplicationName <String>
    [-SignInAudience <String>]
    [-Export]
    [-ExportFilePath <System.IO.FileInfo>]
    [<CommonParameters>]

Description

The Set-EntraBetaAppRoleToApplicationUser command adds existing users of an application (for example, a Helpdesk or billing application) to Microsoft Entra ID and assigns them the application's app roles, such as Admin, Audit, or Reports. Once the users and their role assignments exist in the directory, the application can use Microsoft Entra ID Governance features such as access reviews.

This feature requires a Microsoft Entra ID Governance or Microsoft Entra Suite license, see Microsoft Entra ID Governance licensing fundamentals.

In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are:

  • User Administrator (create users)
  • Application Administrator
  • Identity Governance Administrator (manage application role assignments)

Examples

Example 1: Assign application users to app role assignments

Connect-Entra -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'EntitlementManagement.ReadWrite.All'
Set-EntraBetaAppRoleToApplicationUser -DataSource "Generic" -FilePath "C:\temp\users.csv" -ApplicationName "TestApp"

This example assigns users to app roles. It creates missing users and app roles. If a role assignment doesn't exist, it's created; otherwise, it's skipped.

  • -DataSource parameter specifies the source of the data, for example, SAP Identity, a database, or a directory. The value determines the attribute matching. For example, for SAP Cloud Identity Services, the default mapping is userName (SAP SCIM) to userPrincipalName (Microsoft Entra ID). For databases or directories, the Email column value might match the userPrincipalName in Microsoft Entra ID.
  • -FilePath parameter specifies the path to the input file containing users, for example, C:\temp\users.csv.
  • -ApplicationName parameter specifies the application name in Microsoft Entra ID.
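Because the cmdlet creates every user and app role that is missing from the input file, a stray or malformed row becomes a new account in the tenant. The following pre-flight check is an added example, not part of the Microsoft Entra PowerShell module: it validates the CSV before it is handed to Set-EntraBetaAppRoleToApplicationUser. The column names it assumes (Email for a Generic file, userName for a SAP Cloud Identity export, Role for the app role) follow the mapping described above but are assumptions to adjust to your own file; the sample rows are constructed for the demo.

```powershell
# Added pre-flight check; not part of the Microsoft Entra PowerShell module.
# Assumed column names: Email (Generic) or userName (SAP Cloud Identity) for the identity
# that must match userPrincipalName, and Role for the app role. Adjust to your export.

function Test-AppRoleUserInput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [ValidateSet('Generic', 'SAPCloudIdentity')] [string] $DataSource = 'Generic',
        [string] $RoleColumn = 'Role',        # assumption: name of the app role column
        [string[]] $AllowedDomains = @(),     # verified tenant domains; empty disables the check
        [switch] $CheckDirectory              # requires an existing Connect-Entra session
    )

    # Mirrors the documented default mapping: SAP SCIM userName, otherwise the Email column.
    $matchColumn = if ($DataSource -eq 'SAPCloudIdentity') { 'userName' } else { 'Email' }
    $rows = @(Import-Csv -Path $FilePath)
    if ($rows.Count -eq 0) { throw "No rows found in '$FilePath'." }

    $columns = $rows[0].PSObject.Properties.Name
    foreach ($col in @($matchColumn, $RoleColumn)) {
        if ($columns -notcontains $col) {
            throw "Input file lacks the '$col' column expected for DataSource '$DataSource'."
        }
    }

    $upnPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'   # loose UPN/e-mail shape check
    $seen = @{}
    $line = 1                                    # the header is line 1
    foreach ($row in $rows) {
        $line++
        $id   = ([string]$row.$matchColumn).Trim()
        $role = ([string]$row.$RoleColumn).Trim()
        $issues = [System.Collections.Generic.List[string]]::new()

        if (-not $id)                      { $issues.Add('empty identity') }
        elseif ($id -notmatch $upnPattern) { $issues.Add('identity is not a UPN/e-mail shape') }
        elseif ($AllowedDomains.Count -gt 0 -and $AllowedDomains -notcontains $id.Split('@')[1]) {
            $issues.Add('domain is not a verified tenant domain; user creation would fail')
        }
        if (-not $role) { $issues.Add('empty role') }

        # Duplicate (identity, role) pairs are skipped by the cmdlet but point at a sloppy source.
        $key = ('{0}|{1}' -f $id.ToLowerInvariant(), $role)
        if ($id -and $seen.ContainsKey($key)) { $issues.Add("duplicate of line $($seen[$key])") }
        else { $seen[$key] = $line }

        # Optional: report which rows would turn into newly created accounts.
        if ($CheckDirectory -and $id -and $id -match $upnPattern) {
            $filter = "userPrincipalName eq '{0}'" -f $id.Replace("'", "''")
            if (-not (Get-EntraBetaUser -Filter $filter)) {
                $issues.Add('not in Microsoft Entra ID; the cmdlet would create this user')
            }
        }

        foreach ($issue in $issues) {
            [pscustomobject]@{ Line = $line; Identity = $id; Role = $role; Issue = $issue }
        }
    }
}

# Constructed sample input (not real users); the last three rows are deliberately bad.
$sample = @'
Email,Role,DisplayName
alice@contoso.com,Admin,Alice Example
bob@contoso.com,Reports,Bob Example
alice@contoso.com,Admin,Alice Example
carol@contoso,Audit,Carol Example
,Reports,Nobody
'@
$csv = Join-Path ([System.IO.Path]::GetTempPath()) 'users.csv'
Set-Content -Path $csv -Value $sample

$findings = @(Test-AppRoleUserInput -FilePath $csv -DataSource Generic -AllowedDomains 'contoso.com')
$findings | Format-Table -AutoSize
if ($findings.Count -eq 0) {
    # Only a clean file is handed to the cmdlet (needs a Connect-Entra session with the scopes shown above).
    # Set-EntraBetaAppRoleToApplicationUser -DataSource "Generic" -FilePath $csv -ApplicationName "TestApp" -Export
}
```

The offline checks run without a session; -CheckDirectory adds one Get-EntraBetaUser lookup per row and needs the scopes from the examples above. The cmdlet does not list -WhatIf among its parameters, so this is the closest thing to a dry run before accounts are created.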

Example 2: Assign application users to app role assignments with verbose mode

Connect-Entra -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'EntitlementManagement.ReadWrite.All'
Set-EntraBetaAppRoleToApplicationUser -DataSource "SAPCloudIdentity" -FilePath "C:\temp\users-exported-from-sap.csv" -ApplicationName "TestApp" -Verbose

This example assigns users to app roles. It creates missing users and app roles. If a role assignment doesn't exist, it's created; otherwise, it's skipped.

  • -DataSource parameter specifies the source of the data, for example, SAP Identity, a database, or a directory. The value determines the attribute matching. For example, for SAP Cloud Identity Services, the default mapping is userName (SAP SCIM) to userPrincipalName (Microsoft Entra ID). For databases or directories, the Email column value might match the userPrincipalName in Microsoft Entra ID.
  • -FilePath parameter specifies the path to the input file containing users, for example, C:\temp\users.csv.
  • -ApplicationName parameter specifies the application name in Microsoft Entra ID.
  • -Verbose common parameter outputs the execution steps during processing.

Example 3: Assign application users to app roles and export to a default location

Connect-Entra -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'EntitlementManagement.ReadWrite.All'
Set-EntraBetaAppRoleToApplicationUser -DataSource "Generic" -FilePath "C:\temp\users.csv" -ApplicationName "TestApp" -Export -Verbose

This example assigns users to app roles. It creates missing users and app roles. If a role assignment doesn't exist, it's created; otherwise, it's skipped.

  • -DataSource parameter specifies the source of the data, for example, SAP Identity, a database, or a directory. The value determines the attribute matching. For example, for SAP Cloud Identity Services, the default mapping is userName (SAP SCIM) to userPrincipalName (Microsoft Entra ID). For databases or directories, the Email column value might match the userPrincipalName in Microsoft Entra ID.
  • -FilePath parameter specifies the path to the input file containing users, for example, C:\temp\users.csv.
  • -ApplicationName parameter specifies the application name in Microsoft Entra ID.
  • -Export switch parameter enables export of results into a CSV file. If the ExportFilePath parameter isn't provided, results are exported to the current directory.
  • -Verbose common parameter outputs the execution steps during processing.

Example 4: Assign application users to app roles and export to a specified location

Connect-Entra -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'EntitlementManagement.ReadWrite.All'
Set-EntraBetaAppRoleToApplicationUser -DataSource "Generic" -FilePath "C:\temp\users.csv" -ApplicationName "TestApp" -Export -ExportFilePath "C:\temp\EntraAppRoleAssignments_yyyyMMdd.csv" -Verbose

This example assigns users to app roles. It creates missing users and app roles. If a role assignment doesn't exist, it's created; otherwise, it's skipped.

  • -DataSource parameter specifies the source of the data, for example, SAP Identity, a database, or a directory. The value determines the attribute matching. For example, for SAP Cloud Identity Services, the default mapping is userName (SAP SCIM) to userPrincipalName (Microsoft Entra ID). For databases or directories, the Email column value might match the userPrincipalName in Microsoft Entra ID.
  • -FilePath parameter specifies the path to the input file containing users, for example, C:\temp\users.csv.
  • -ApplicationName parameter specifies the application name in Microsoft Entra ID.
  • -Export switch parameter enables export of results into a CSV file. If the ExportFilePath parameter isn't provided, results are exported to the current directory.
  • -ExportFilePath parameter specifies a specific filename and location to export results.
  • -Verbose common parameter outputs the execution steps during processing.
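Exporting the results records what the cmdlet did; it does not show what else is assigned on the application. The audit below is an added example, not part of the Microsoft Entra PowerShell module: after a run it compares the app role assignments that exist on the application's service principal with the input file, so assignments that are not in the file (earlier manual grants, or a run against a mistaken file) and rows that never became assignments both surface. It assumes an existing Connect-Entra session, the Generic mapping (an Email column matching userPrincipalName and a Role column naming the app role, both assumptions), and treats Admin as the privileged role to highlight.

```powershell
# Added post-run audit; not part of the Microsoft Entra PowerShell module.
# Assumes Connect-Entra has been run and that the input file uses the Generic mapping
# (Email -> userPrincipalName, Role -> app role display name); both column names are assumptions.

function Compare-AppRoleAssignmentsToInput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ApplicationName,
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $MatchColumn = 'Email',            # assumption
        [string] $RoleColumn  = 'Role',             # assumption
        [string[]] $PrivilegedRoles = @('Admin')    # roles worth a second look in the output
    )

    # The application's service principal is the resource that app role assignments hang off.
    $filter = "displayName eq '{0}'" -f $ApplicationName.Replace("'", "''")
    $sp = @(Get-EntraBetaServicePrincipal -Filter $filter)
    if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$ApplicationName', found $($sp.Count)." }
    $sp = $sp[0]

    # Map app role ids to display names from the service principal's own AppRoles collection.
    $roleNameById = @{}
    foreach ($r in @($sp.AppRoles)) { $roleNameById[[string]$r.Id] = $r.DisplayName }
    $roleNameById['00000000-0000-0000-0000-000000000000'] = '(default access)'

    # Expected state: one (upn, role) pair per input row.
    $expected = @{}
    foreach ($row in @(Import-Csv -Path $FilePath)) {
        $upn  = ([string]$row.$MatchColumn).Trim().ToLowerInvariant()
        $role = ([string]$row.$RoleColumn).Trim()
        if ($upn -and $role) { $expected["$upn|$role"] = $true }
    }

    # Actual state: every assignment where this application is the resource.
    $actual = @{}
    foreach ($a in @(Get-EntraBetaServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All)) {
        $role = $roleNameById[[string]$a.AppRoleId]
        if (-not $role) { $role = "(unknown role id $($a.AppRoleId))" }

        if ($a.PrincipalType -ne 'User') {
            # Groups and service principals are never produced by this cmdlet; report them as-is.
            [pscustomobject]@{ Status = 'NonUserPrincipal'; Principal = $a.PrincipalDisplayName; Role = $role
                               Privileged = ($PrivilegedRoles -contains $role); Created = $a.CreatedDateTime }
            continue
        }

        # One lookup per assignment; fine for an audit, slow for very large applications.
        $user = Get-EntraBetaUser -UserId $a.PrincipalId
        $key  = '{0}|{1}' -f $user.UserPrincipalName.ToLowerInvariant(), $role
        $actual[$key] = $true
        [pscustomobject]@{ Status = $(if ($expected.ContainsKey($key)) { 'Expected' } else { 'NotInInput' })
                           Principal = $user.UserPrincipalName; Role = $role
                           Privileged = ($PrivilegedRoles -contains $role); Created = $a.CreatedDateTime }
    }

    # Rows in the file that never became an assignment (typo in the role name, failed user creation, ...).
    foreach ($key in $expected.Keys) {
        if (-not $actual.ContainsKey($key)) {
            $upn, $role = $key -split '\|', 2
            [pscustomobject]@{ Status = 'MissingAssignment'; Principal = $upn; Role = $role
                               Privileged = ($PrivilegedRoles -contains $role); Created = $null }
        }
    }
}

# Usage after Example 1 or 4 has run (same session, same input file):
Compare-AppRoleAssignmentsToInput -ApplicationName 'TestApp' -FilePath 'C:\temp\users.csv' |
    Sort-Object Status, Principal | Format-Table -AutoSize
```

Anything with Status NotInInput or NonUserPrincipal and Privileged set to True is the first thing to review: the cmdlet only ever adds user assignments from the file, so those did not come from this run.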

Parameters

-ApplicationName

Specifies the application name in Microsoft Entra ID.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DataSource

Specifies the source of the data, for example, SAP Identity, a database, or a directory. The value determines the attribute matching. For example, for SAP Cloud Identity Services, the default mapping is userName (SAP SCIM) to userPrincipalName (Microsoft Entra ID). For databases or directories, the Email column value might match the userPrincipalName in Microsoft Entra ID. The values used in the examples on this page are Generic and SAPCloudIdentity.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Export

Enables export of results into a CSV file. If the ExportFilePath parameter isn't provided, results are exported to the current directory.

Parameter properties

Type:System.Management.Automation.SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ExportResults
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ExportFilePath

Specifies a specific filename and location to export results.

Parameter properties

Type:System.IO.FileInfo
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ExportResults
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FilePath

Specifies the path to the input file containing users, for example, C:\temp\users.csv.

Parameter properties

Type:System.IO.FileInfo
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignInAudience

Specifies what Microsoft accounts are supported for the application. Options are "AzureADMyOrg", "AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount" and "PersonalMicrosoftAccount".

Parameter properties

Type:System.String
Default value:AzureADMyOrg
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

System.String

Outputs

System.Object

Notes

How to Govern an application's existing users