azure - Add AAD application as a member of a security group

Question

I'm trying to enable service to service auth using AAD tokens. My plan is to validate "groups" claim in the token to make sure the caller is a member of a security group that we created.

For example, we will create group1 for readers and group2 for writers. Then based on "groups" claim, I will figure out the right access level.

I use AAD app to issue the tokens (not a user), so I need that app to be a member of the security group. Azure AD powershell doesn't seem to accept application ids as group members. How to solve this? are there any other recommended patterns when the caller is another AAD app?

Command used: https://docs.microsoft.com/en-us/powershell/module/azuread/Add-AzureADGroupMember?view=azureadps-2.0

Error:  
Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Request_BadRequest
Message: An invalid operation was included in the following modified references: 'members'.
RequestId: 0441a156-3a34-484b-83d7-a7863d14654e
DateTimeStamp: Mon, 11 Dec 2017 21:50:41 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ Add-AzureADGroupMember -ObjectId "9c2cdf89-b8d6-4fb9-9116-7749adec85c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-AzureADGroupMember], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddGroupMember

Answer 1

1. Unfortunately, you cannot add an application as a member of Azure AD group. Though the official document for the Powershell cmdlet Add-AzureADGroupMember doesn't make clear you cannot use Application's ObjectId as the RefObjectId, absolutely you cannot use it. You cannot add an application as a member of Azure AD group neither.

   For example, we will create group1 for readers and group2 for writers. Then based on "groups" claim, I will figure out the right access level.

2. For your scenario, I'm afraid that you couldn't achieve this for now. I understand why you need this. According to your request, my thought is assigning your application from Enterprise Application to Groups or users and manger users with different access rights. However, you cannot choose more roles for the selected group. The only one role is default access If want to define more roles for the app, you can refer to this documentation. I also tried to use Azure AD RBAC and create new conditional access for my test app,but all don't have read only this choice. You can also put your idea in Azure Feedback Forum, azure team will see it. Also, I will upvote your idea.

Update:

---

Currently, you can add a service principal to an AAD Group:

Example:

$spn = Get-AzureADServicePrincipal -SearchString "yourSpName"

$group = Get-AzureADGroup -SearchString "yourGroupName"

Add-AzureADGroupMember -ObjectId $($group.ObjectId) -RefObjectId $($spn.ObjectId)

---

Updated 2:

Recently, I also see lots of users want to assign roles to a service principal to let the service principal have some permissions to access to the app with a role.

I want to make clear here. Role-based authorized should be used for users, NOT applications. And it's not designed for applications. If you want to give some different permissions you may consider to assign application permissions to your service principal instead.

You can expose your Web App/API with application permissions by editing the Manifest in app registrations.

You can go to Azure portal > Azure Active Directory > App registrations > Select your App > Manifest.

In appRoles, you can insert content like this:

  {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "Access to the settings data",
      "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
      "isEnabled": true,
      "description": "Administrators can access to the settings data in their tenant",
      "value": "Settingsdata.ReadWrite.All"
    },

Then, you can go another app registration you want to give permission > Settings > require permissions > Add > Search the application name you want to access > Choose the application permission you created before.

Therefore, your sp can obtain a token with that application permissions in token claims.

Also, for authorization from the resource, you need to add code logic to give control policy for that token with Settingsdata.ReadWrite.All claim.

---

Update 3

Currently, you can add the service principal to one AAD Group directly in Azure portal: