
Add / Update App Roles on an Entra ID Application

Go to Automation: (Add Job Template URL here)


Description

Adds new App Roles (application roles) to an existing Entra ID Application (App Registration). The playbook:

  1. Resolves the target application by AppDisplayName or app_id.
  2. Parses a multiline app_roles string where each line defines a role.
  3. Validates allowedMemberTypes and uniqueness against existing roles.
  4. Adds all new roles in a single update operation for efficiency (PowerShell script logic).

Credentials

PasswordState stored Service Principal credential (environment dependent):

  • Production: Sys_Azure_AppRegs_PR
  • Onderwijs: Sys_Azure_OND_Admin

Inputs

Variable          Description
AppDisplayName    Display name of the App Registration (used if app_id is not supplied).
app_id            Application (client) ID; direct lookup.
app_roles         Multiline definition of roles (format below).
onderwijs         'yes' to switch to the onderwijs tenant/subscription.
task              Optional external ticket/task reference.
azure_tenant      Default tenant ID (overridden for onderwijs).
tenant_name       Default tenant primary domain (overridden for onderwijs).
subscription_id   Subscription ID (changes for onderwijs).

App Role Line Format

Each line (semicolon separated) should follow:

RoleDisplayName;AllowedMemberTypes;Description

  • AllowedMemberTypes is typically User, Application, or User,Application.
  • If Description is omitted, keep the trailing semicolon so the line still has two semicolons (three segments); the parser expects at least two semicolons per line.

Example:

Reader;User;Read access to data
Writer;User,Application;Write access to data
Processor;Application;Background processing role

Outputs

  • Debug output of parsed app_roles_list (list of role objects) before changes.
  • PowerShell return structure (list / messages) summarizing new roles added or skipped.

Idempotency & Validation

  • Existing roles with the same DisplayName are skipped (implemented in the PowerShell script; the truncated sections of the script hold these checks).
  • Roles are only added if they pass allowedMemberTypes validation & uniqueness.
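The parse, validate and merge steps described under App Role Line Format and Idempotency & Validation, written out as an added Python example (not the playbook's PowerShell script). It assumes the Graph appRole shape (id, displayName, allowedMemberTypes, description, value, isEnabled), treats malformed lines as errors rather than skipping them, and derives the claim value from the display name; the sample roles are constructed.

```python
import uuid

# Member types Entra ID accepts in an appRole's allowedMemberTypes.
ALLOWED_MEMBER_TYPES = ("User", "Application")


def parse_app_roles(text):
    """Parse the multiline app_roles string (RoleDisplayName;AllowedMemberTypes;Description).

    Raises ValueError on malformed lines so a bad definition fails the job
    instead of silently creating a role with the wrong member types.
    """
    roles = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines are ignored
        if line.count(";") < 2:  # the parser expects at least two semicolons
            raise ValueError(f"line {lineno}: expected two semicolons: {raw!r}")
        name, member_types, description = (p.strip() for p in line.split(";", 2))
        if not name:
            raise ValueError(f"line {lineno}: empty role display name")
        types = [t.strip() for t in member_types.split(",") if t.strip()]
        if not types or any(t not in ALLOWED_MEMBER_TYPES for t in types):
            raise ValueError(f"line {lineno}: invalid allowedMemberTypes {member_types!r}")
        roles.append({"displayName": name,
                      "allowedMemberTypes": sorted(set(types), key=ALLOWED_MEMBER_TYPES.index),
                      "description": description})
    return roles


def plan_app_role_update(existing_roles, requested):
    """Merge requested roles into the application's current appRoles collection.

    A Graph update of appRoles replaces the whole collection, so the merged list
    (existing + new) is what a single update must send. Roles whose displayName
    already exists (case-insensitive) are skipped, as are duplicates in the input.
    """
    taken = {r["displayName"].casefold() for r in existing_roles}
    added, skipped = [], []
    for role in requested:
        key = role["displayName"].casefold()
        if key in taken:
            skipped.append(role["displayName"])
            continue
        taken.add(key)
        added.append({"id": str(uuid.uuid4()), "isEnabled": True,
                      "displayName": role["displayName"],
                      "allowedMemberTypes": role["allowedMemberTypes"],
                      "description": role["description"] or role["displayName"],  # assumption: default
                      "value": role["displayName"]})  # assumption: claim value = display name
    return existing_roles + added, added, skipped


# Constructed sample: one role already on the application, three requested lines.
EXISTING = [{"id": "00000000-0000-0000-0000-000000000001", "displayName": "Reader",
             "allowedMemberTypes": ["User"], "description": "Read", "value": "Reader", "isEnabled": True}]
APP_ROLES_INPUT = "Reader;User;Read data\nWriter;User,Application;Write data\nProcessor;Application;Process jobs\n"
```

Calling `plan_app_role_update(EXISTING, parse_app_roles(APP_ROLES_INPUT))` skips Reader and adds Writer and Processor, returning the three-role list to send in one update.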

Dependencies / Modules

Component                                              Purpose
azure.azcollection.azure_rm_adapplication_info         Discover the App Registration.
azure.azcollection.azure_rm_adserviceprincipal_info    Ensure the SP exists (not modified here).
d09.passwordstate.passwordstate_password_fact          Retrieve credentials securely.
ansible.windows.win_powershell                         Execute the role append logic using Microsoft Graph cmdlets.

Example Invocation

AppDisplayName: MyBusinessAPI
app_roles: |
  Reader;User;Read data
  Writer;User,Application;Write data
  Processor;Application;Process jobs
onderwijs: 'no'

Notes

  • Provide either AppDisplayName or app_id; when both are provided with usable values, the playbook uses the app_id lookup path.
  • The script batches additions into a single update for performance.