
Powershell to add groups to enterprise app with no role?

Kevin Low 0 Reputation points
2026-03-03T23:49:26.6133333+00:00

I am trying to add groups to an enterprise app with no role. Some of the PowerShell groups are deprecated, and I cannot find a good way to hit the endpoint.

I get an error when calling New-MgServicePrincipalAppRoleAssignment:

Install-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph 
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Groups

# Connect to Microsoft Graph
$EnterpriseAppObjectId = ""
Connect-MgGraph -Identity -nowelcome

Write-Output "Connected. Fetching Enterprise App..."
$sp = Get-MgServicePrincipal -ServicePrincipalId $EnterpriseAppObjectId -ErrorAction Stop
Write-Output "Enterprise App Found: $($sp.DisplayName)"

# Get existing group assignments
Write-Output "Fetching currently assigned groups..."
$existingAssigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $EnterpriseAppObjectId -All
$existingIds = $existingAssigned.Id

Write-Output "Found $($existingIds.Count) existing group assignments."

# Fetch matching groups
Write-Output "Searching for groups starting with 'Agile_'..."
$groups = Get-MgGroup -Filter "startsWith(displayName,'Agile_')" -All

if (-not $groups) {
    Write-Output "No matching groups found. Exiting."
    return
}

Write-Output "Found $($groups.Count) Agile_* groups."

foreach ($group in $groups) {

    if ($existingIds -contains $group.Id) {
        Write-Output " → Skipping existing group: $($group.DisplayName)"
        continue
    }

    Write-Output "`nAdding NEW group assignment: $($group.DisplayName) ($($group.Id))"

    try {
        New-MgServicePrincipalAppRoleAssignment `
            -ServicePrincipalId $EnterpriseAppObjectId `
            -PrincipalId $group.Id `
            -AppRoleId "00000000-0000-0000-0000-000000000000" `
            -ResourceId $group.Id

        Write-Output " ✔ Successfully assigned: $($group.DisplayName)"
    }
    catch {
        Write-Output " ✖ Failed to assign $($group.DisplayName): $_"
    }
}

Write-Output "`nCompleted processing all Agile_* groups."
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Rukmini 30,115 Reputation points Microsoft External Staff Moderator
    2026-03-04T19:50:08.8833333+00:00

    Hello Kevin Low,

    Note: To assign Default Access (that is, no app role) as the app role, you need to pass the app role ID as ([Guid]::Empty).

    $EnterpriseAppObjectId = "ID"
    Connect-MgGraph -Identity -nowelcome
    $sp = Get-MgServicePrincipal -ServicePrincipalId $EnterpriseAppObjectId -ErrorAction Stop
    Write-Output "Enterprise App Found: $($sp.DisplayName)"

    # Get existing group assignments (PrincipalId is the assigned group's ID;
    # Id is the assignment's own ID)
    $existingAssigned = Get-MgServicePrincipalAppRoleAssignedTo `
        -ServicePrincipalId $EnterpriseAppObjectId -All
    $existingPrincipalIds = $existingAssigned.PrincipalId

    # Get groups
    $groups = Get-MgGroup -Filter "startsWith(displayName,'ruk')" -All
    foreach ($group in $groups) {
        if ($existingPrincipalIds -contains $group.Id) {
            Write-Output "Skipping existing group: $($group.DisplayName)"
            continue
        }
        try {
            # ResourceId is the enterprise app's own service principal;
            # the empty GUID selects Default Access instead of a real app role
            New-MgServicePrincipalAppRoleAssignment `
                -ServicePrincipalId $EnterpriseAppObjectId `
                -PrincipalId $group.Id `
                -ResourceId $EnterpriseAppObjectId `
                -AppRoleId ([Guid]::Empty)
            Write-Output "Assigned: $($group.DisplayName)"
        }
        catch {
            Write-Output "Failed: $($group.DisplayName) - $_"
        }
    }

    By passing AppRoleId as ([Guid]::Empty), the group is successfully assigned with no app role, that is, with Default Access:


    If the resolution was helpful, kindly take a moment to click on Yes for "Was this answer helpful". And, if you have any further query, do let us know.
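The answer assigns Default Access by passing the empty GUID and checks PrincipalId rather than Id. The following added audit script (not code from the question or the answer) reads the assignments back after such a run and reports, for each prefixed group, whether it holds a Default Access assignment, a real app role, or none at all, and lists any other principal that has access to the app. It assumes an already connected Microsoft.Graph session holding at least Application.Read.All and Group.Read.All (assumed minimum read permissions), and the service principal object ID and group prefix are placeholders.

```powershell
# Added audit example (not the question's or answer's code). Assumes the
# Microsoft.Graph modules and a connected session whose identity holds at
# least Application.Read.All and Group.Read.All (assumed minimum).
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Groups

function Test-DefaultAccessAssignments {
    param(
        [Parameter(Mandatory)][string]$ServicePrincipalId,   # object ID of the enterprise app's service principal
        [Parameter(Mandatory)][string]$GroupPrefix           # e.g. 'Agile_' from the question
    )
    # Default Access is encoded as the empty GUID in AppRoleId, as the answer shows.
    $defaultAccess = [Guid]::Empty.ToString()

    # Read back the app's assignments. PrincipalId identifies the assigned group;
    # Id is the assignment's own identifier and never matches a group ID.
    $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $ServicePrincipalId -All
    $byPrincipal = @{}
    foreach ($a in $assignments) { $byPrincipal[$a.PrincipalId] = $a }

    # Escape single quotes so an odd prefix cannot break the OData filter.
    $safePrefix = $GroupPrefix.Replace("'", "''")
    $groups = Get-MgGroup -Filter "startsWith(displayName,'$safePrefix')" -All
    $expected = @{}

    # Every prefixed group should hold exactly a Default Access assignment.
    foreach ($g in $groups) {
        $expected[$g.Id] = $true
        $a = $byPrincipal[$g.Id]
        $state = if (-not $a) { 'Missing' }
                 elseif ("$($a.AppRoleId)" -ne $defaultAccess) { 'HasAppRole' }
                 else { 'DefaultAccess' }
        [pscustomobject]@{ Principal = $g.DisplayName; PrincipalId = $g.Id; Type = 'Group'; State = $state }
    }

    # Anything else assigned to the app is access the prefix rule did not grant
    # (stale groups, users, or service principals) and deserves review.
    foreach ($a in $assignments) {
        if (-not $expected.ContainsKey($a.PrincipalId)) {
            [pscustomobject]@{ Principal = $a.PrincipalDisplayName; PrincipalId = $a.PrincipalId; Type = $a.PrincipalType; State = 'Unexpected' }
        }
    }
}

# Usage (placeholder ID):
# Test-DefaultAccessAssignments -ServicePrincipalId '<sp-object-id>' -GroupPrefix 'Agile_' | Format-Table
```

Rows marked HasAppRole or Unexpected are the ones to compare against the intended access model before treating the assignment run as complete.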

