Set-EntraBetaAppRoleToApplicationUser
Add existing application users to Microsoft Entra ID and assign them roles.
Syntax
Set-EntraBetaAppRoleToApplicationUser
-DataSource <String>
-FilePath <System.IO.FileInfo>
-ApplicationName <String>
[-SignInAudience <String>]
[<CommonParameters>]
Set-EntraBetaAppRoleToApplicationUser
-DataSource <String>
-FilePath <System.IO.FileInfo>
-ApplicationName <String>
[-SignInAudience <String>]
[-Export]
[-ExportFilePath <System.IO.FileInfo>]
[<CommonParameters>]
Description
The Set-EntraBetaAppRoleToApplicationUser command adds existing users (for example, from a helpdesk or billing application) to Microsoft Entra ID and assigns them app roles such as Admin, Audit, or Reports. This lets the application use Microsoft Entra ID Governance features such as access reviews.
This feature requires a Microsoft Entra ID Governance or Microsoft Entra Suite license; see Microsoft Entra ID Governance licensing fundamentals.
In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are:
- User Administrator (create users)
- Application Administrator
- Identity Governance Administrator (manage application role assignments)
Examples
Example 1: Assign application users to app role assignments
Connect-Entra -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'EntitlementManagement.ReadWrite.All'
Set-EntraBetaAppRoleToApplicationUser -DataSource "Generic" -FilePath "C:\temp\users.csv" -ApplicationName "TestApp"
This example assigns users to app roles. It creates missing users and app roles. If a role assignment doesn't exist, it's created; otherwise, it's skipped.
- -DataSource parameter specifies the source of the data, for example, SAP Identity, database, or directory. The value determines the attribute matching. For example, for SAP Cloud Identity Services, the default mapping is userName (SAP SCIM) to userPrincipalName (Microsoft Entra ID). For databases or directories, the Email column value might match the userPrincipalName in Microsoft Entra ID.
- -FilePath parameter specifies the path to the input file containing users, for example, C:\temp\users.csv.
- -ApplicationName parameter specifies the application name in Microsoft Entra ID.
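The example above assumes the input file is already well-formed. The following added example (not from the module documentation) shows the preparation step a practitioner would put in front of the cmdlet: it builds users.csv from a constructed helpdesk export, rejects malformed and out-of-tenant addresses, removes duplicates, and then runs the cmdlet with a date-stamped export so each run leaves a record. The Email column follows the page's description of the Generic data source; the other export columns, the sample rows, and the verified-domain allowlist are constructed for this example.

```powershell
# Added example (not from the module documentation): prepare a clean input file for
# Set-EntraBetaAppRoleToApplicationUser and run the cmdlet with an audit export.
# The 'Email' column is the match attribute the page describes for the Generic data
# source; DisplayName/Role columns, sample rows and the domain allowlist are constructed.

# Constructed sample export from a helpdesk application: one duplicate row, one
# malformed address, and one address outside the tenant's verified domains.
$helpdeskExport = @'
DisplayName,Email,Role
Alice Example,alice@contoso.com,Admin
Bob Example,bob@contoso.com,Audit
Alice Example,alice@contoso.com,Admin
Carol Example,carol@@contoso.com,Reports
Dan External,dan@fabrikam.com,Reports
'@ | ConvertFrom-Csv

# Only accept accounts in domains verified for the tenant (constructed allowlist).
$verifiedDomains = @('contoso.com')

$clean = $helpdeskExport |
    Where-Object {
        # Keep only a single well-formed local@domain pair in an allowed domain.
        $_.Email -match '^[^@\s]+@[^@\s]+\.[^@\s]+$' -and
        (($_.Email -split '@')[1].ToLowerInvariant() -in $verifiedDomains)
    } |
    Sort-Object -Property Email -Unique

# Report what was dropped so the rejects can be fixed at the source, not silently lost.
$rejected = $helpdeskExport | Where-Object { $_.Email -notin $clean.Email }
Write-Host "Accepted $($clean.Count) rows; rejected $($rejected.Count) rows:"
$rejected | Format-Table DisplayName, Email, Role -AutoSize

$inputPath = Join-Path $env:TEMP 'users.csv'
$clean | Export-Csv -Path $inputPath -NoTypeInformation

# Scopes as used in the page's examples. All four are write scopes, so run this from
# an administrative identity that needs them, not from a daily-use account.
Connect-Entra -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'EntitlementManagement.ReadWrite.All'

# Date-stamped export path, following the naming shown in Example 4 on this page.
$exportPath = Join-Path $env:TEMP ("EntraAppRoleAssignments_{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))

Set-EntraBetaAppRoleToApplicationUser -DataSource 'Generic' -FilePath $inputPath -ApplicationName 'TestApp' -Export -ExportFilePath $exportPath -Verbose
```

Running the filter before the cmdlet matters because the cmdlet creates missing users: a malformed or foreign-domain address that slips through becomes a directory object, not just a failed row.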
Example 2: Assign application users to app role assignments with verbose mode
Connect-Entra -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'EntitlementManagement.ReadWrite.All'
Set-EntraBetaAppRoleToApplicationUser -DataSource "SAPCloudIdentity" -FilePath "C:\temp\users-exported-from-sap.csv" -ApplicationName "TestApp" -Verbose
This example assigns users to app roles. It creates missing users and app roles. If a role assignment doesn't exist, it's created; otherwise, it's skipped.
- -DataSource parameter specifies the source of the data, for example, SAP Identity, database, or directory. The value determines the attribute matching. For example, for SAP Cloud Identity Services, the default mapping is userName (SAP SCIM) to userPrincipalName (Microsoft Entra ID). For databases or directories, the Email column value might match the userPrincipalName in Microsoft Entra ID.
- -FilePath parameter specifies the path to the input file containing users, for example, C:\temp\users.csv.
- -ApplicationName parameter specifies the application name in Microsoft Entra ID.
- -Verbose common parameter outputs the execution steps during processing.
Example 3: Assign application users to app roles and export to a default location
Connect-Entra -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'EntitlementManagement.ReadWrite.All'
Set-EntraBetaAppRoleToApplicationUser -DataSource "Generic" -FilePath "C:\temp\users.csv" -ApplicationName "TestApp" -Export -Verbose
This example assigns users to app roles. It creates missing users and app roles. If a role assignment doesn't exist, it's created; otherwise, it's skipped.
- -DataSource parameter specifies the source of the data, for example, SAP Identity, database, or directory. The value determines the attribute matching. For example, for SAP Cloud Identity Services, the default mapping is userName (SAP SCIM) to userPrincipalName (Microsoft Entra ID). For databases or directories, the Email column value might match the userPrincipalName in Microsoft Entra ID.
- -FilePath parameter specifies the path to the input file containing users, for example, C:\temp\users.csv.
- -ApplicationName parameter specifies the application name in Microsoft Entra ID.
- -Export switch parameter enables export of results into a CSV file. If the ExportFilePath parameter isn't provided, results are exported to the current location.
- -Verbose common parameter outputs the execution steps during processing.
Example 4: Assign application users to app roles and export to a specified location
Connect-Entra -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'EntitlementManagement.ReadWrite.All'
Set-EntraBetaAppRoleToApplicationUser -DataSource "Generic" -FilePath "C:\temp\users.csv" -ApplicationName "TestApp" -Export -ExportFilePath "C:\temp\EntraAppRoleAssignments_yyyyMMdd.csv" -Verbose
This example assigns users to app roles. It creates missing users and app roles. If a role assignment doesn't exist, it's created; otherwise, it's skipped.
- -DataSource parameter specifies the source of the data, for example, SAP Identity, database, or directory. The value determines the attribute matching. For example, for SAP Cloud Identity Services, the default mapping is userName (SAP SCIM) to userPrincipalName (Microsoft Entra ID). For databases or directories, the Email column value might match the userPrincipalName in Microsoft Entra ID.
- -FilePath parameter specifies the path to the input file containing users, for example, C:\temp\users.csv.
- -ApplicationName parameter specifies the application name in Microsoft Entra ID.
- -Export switch parameter enables export of results into a CSV file. If the ExportFilePath parameter isn't provided, results are exported to the current location.
- -ExportFilePath parameter specifies a specific filename and location to export results.
- -Verbose common parameter outputs the execution steps during processing.
Parameters
-ApplicationName
Specifies the application name in Microsoft Entra ID.
Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DataSource
Specifies the source of the data, for example, SAP Identity, database, or directory. The value determines the attribute matching. For example, for SAP Cloud Identity Services, the default mapping is userName (SAP SCIM) to userPrincipalName (Microsoft Entra ID). For databases or directories, the Email column value might match the userPrincipalName in Microsoft Entra ID.
Type: System.String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-Export
Enables export of results into a CSV file. If the ExportFilePath parameter isn't provided, results are exported to the current location.
Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-ExportFilePath
Specifies a specific filename and location to export results.
Type: System.IO.FileInfo
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-FilePath
Specifies the path to the input file containing users, for example, C:\temp\users.csv.
Type: System.IO.FileInfo
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SignInAudience
Specifies what Microsoft accounts are supported for the application. Options are "AzureADMyOrg", "AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount" and "PersonalMicrosoftAccount".
Type: System.String
Position: Named
Default value: AzureADMyOrg
Required: False
Accept pipeline input: False
Accept wildcard characters: False
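Examples 3 and 4 leave a CSV record of a run, and the -SignInAudience parameter above decides which accounts the application created by the cmdlet will accept. The following added example (not from the module documentation) is the review a practitioner would run afterwards with read-only scopes: it confirms the application kept the single-tenant default, lists the app role assignments on the service principal grouped by role, and flags assignments to roles outside the ones the page names or to principals that are not users. Get-EntraBetaApplication, Get-EntraBetaServicePrincipal, Get-EntraBetaServicePrincipalAppRoleAssignedTo and the property names used on their output are assumed from the Microsoft Entra PowerShell beta module; 'TestApp' and the role names come from the page's examples.

```powershell
# Added example (not from the module documentation): post-run review of what
# Set-EntraBetaAppRoleToApplicationUser produced, using read scopes only.
# Assumed from the Entra PowerShell beta module: Get-EntraBetaApplication,
# Get-EntraBetaServicePrincipal, Get-EntraBetaServicePrincipalAppRoleAssignedTo and the
# SignInAudience, AppRoles, Id, AppRoleId, PrincipalDisplayName, PrincipalType properties.
Connect-Entra -Scopes 'Application.Read.All', 'Directory.Read.All'

$appName       = 'TestApp'                       # application name from the page's examples
$expectedRoles = @('Admin', 'Audit', 'Reports')  # app roles the page names

# The app registration carries the sign-in audience. The cmdlet's default is
# AzureADMyOrg (single tenant); anything broader should be a deliberate decision.
$app = Get-EntraBetaApplication -Filter "displayName eq '$appName'"
if ($app.SignInAudience -ne 'AzureADMyOrg') {
    Write-Warning "$appName sign-in audience is '$($app.SignInAudience)', not single-tenant (AzureADMyOrg)."
}

# Role assignments live on the service principal, not on the app registration.
$sp = Get-EntraBetaServicePrincipal -Filter "displayName eq '$appName'"

# Map app role ids to display names so the report is readable.
$roleNames = @{}
foreach ($role in $sp.AppRoles) { $roleNames[[string]$role.Id] = $role.DisplayName }

$assignments = Get-EntraBetaServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType,
        @{ Name = 'Role'; Expression = { $roleNames[[string]$_.AppRoleId] } }

# Per-role totals give a quick sanity check against the size of the input file.
Write-Host "App role assignments on $appName by role:"
$assignments | Group-Object -Property Role | Select-Object Name, Count | Format-Table -AutoSize

# Anything outside the expected roles, or assigned to a group or service principal
# rather than a user, did not come from this import and needs an owner to explain it.
$unexpected = $assignments | Where-Object {
    $_.Role -notin $expectedRoles -or $_.PrincipalType -ne 'User'
}
if ($unexpected) {
    Write-Warning "Assignments outside the expected set on ${appName}:"
    $unexpected | Format-Table PrincipalDisplayName, PrincipalType, Role -AutoSize
}
```

The export file the cmdlet writes with -Export records what the run did; this review reads what the directory holds now, so the two together separate assignments made by the import from any that were already present or added afterwards.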
Inputs
System.String
Outputs
System.Object