Azure ad app - Updating manifest programmatically

az ad app update
oauth2permissions manifest
azure app registration
get azure ad application
powershell register app azure ad
oauth2permissions powershell

I am trying to find a way to update an Azure Ad registered app's manifest via powershell, utilizing a json file.

The Json file contains all of the app roles, and i would like to simple inject the App Roles: [] right into the App Role Brackets

Is there a way to achieve this via power shell or CLI?

Yes you can update the Azure AD Application's manifest through PowerShell.

Specifically to add App Roles, here's a PowerShell script.

In case you're trying to do this while creating a new application, just use New-AzureADApplication instead of Set-AzureADApplication.

Connect-AzureAD -TenantId <Tenant GUID>

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name;
    return $appRole

# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles

$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"

Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles

Understanding the Azure Active Directory app manifest, Detailed coverage of the Azure Active Directory app manifest, which It also serves as a mechanism for updating the application object. an app's attributes through the Azure portal or programmatically using REST API or  If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you can't change the supported Microsoft accounts in the UI. Instead, you must use the application manifest editor to change the supported account type. If you need to define permissions and roles that your app supports, you must modify the application manifest.

Keep in mind that the "manifest", as displayed in the Azure AD portal, is nothing more than a lightly-constrained representation of the Application object, as exposed by the Azure AD Graph API:

Azure AD PowerShell (the AzureAD module) is just a simple wrapper around the same API. New‑AzureADApplication does a POST on /applications, Get‑AzureADApplication does a GET, Set‑AzureADApplication does a PATCH, and Remove‑AzureADApplication does a DELETE.

So, keeping that in mind, consider the following input file app-roles.json:

        "allowedMemberTypes": [ "Application" ],
        "description": "Read some things in the My App service",
        "displayName": "Read some things",
        "id": "b2b2e6de-bb42-41b4-92db-fda89218b5ae",
        "isEnabled": true,
        "value": "Things.Read.Some"
        "allowedMemberTypes": [ "User" ],
        "description": "Super admin role for My App",
        "displayName": "My App Super Admin",
        "id": "a01eca9b-0c55-411d-aa5f-d8cfdbadf500",
        "isEnabled": true,
        "value": "super_admin"

You could use the following script to set those app roles on an app (note this will remove any existing app roles, which will cause an error is they weren't previously disabled):

$appId = "{app-id}"
$pathToAppRolesJson = "app-roles.json"

# Read all desired app roles from JSON file
$appRolesFromJson = Get-Content -Path $pathToAppRolesJson -Raw | ConvertFrom-Json

# Build a new list of Azure AD PowerShell AppRole objects
$appRolesForApp = @()
$appRolesFromJson | ForEach-Object {

    # Create new Azure AD PowerShell AppRole object for each app role
    $appRole = New-Object "Microsoft.Open.AzureAD.Model.AppRole"
    $appRole.AllowedMemberTypes = $_.allowedMemberTypes
    $appRole.Description = $_.description
    $appRole.DisplayName = $_.displayName
    $appRole.Id = $
    $appRole.IsEnabled = $_.isEnabled
    $appRole.Value = $_.value

    # Add to the list of app roles
    $appRolesForApp += $appRole

# Update the Application object with the new list of app roles
$app = Get-AzureADApplication -Filter ("appId eq '{0}'" -f $appId)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRolesForApp

Feature request: Allow edit of AD application manifest · Issue #6097 , Currently there is no way to update the manifest of an Azure AD application programatically without using the Windows PowerShell. More on the application manifest The application manifest serves as a mechanism for updating the application entity, which defines all attributes of an Azure AD application's identity configuration. For more information on the Application entity and its schema, see the Graph API Application entity documentation.

Azure Client command

az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --app-roles @manifest.json


    "allowedMemberTypes": [
    "description": "Approvers can mark documents as approved",
    "displayName": "Approver",
    "isEnabled": "true",
    "value": "approver"

More info ine the documentation of azure cli

Azure ad app, Yes you can update the Azure AD Application's manifest through PowerShell. Specifically to add App Roles, here's a PowerShell script. In case you're trying to​  In my previous blog, we have seen how we can register an application in Azure Active Directory programmatically. Those who haven’t read my previous blog, please refer to this url Register and Azure AD App programmatically using c#.

Manage Azure Active Directory application manifest through , The manifest is not a physical file, but a way for the 'system' to set values using the Graph API. You can set these values yourself using your  This is the easiest part. Azure Powershell have a pretty simple Cmdlet that let’s you create a new application, New-AzureADApplication. The required steps is to Import AzureRM modules and AzureAD modules. After that, connect to Azure AD using. Connect-AzureAD -Credential -TenantId "" Now you can run New

Defining permission scopes and roles offered by an app in Azure AD , How you can define delegated and app permissions offered by your API, that still requires you to modify the application manifest in Azure AD is when you To do programmatic assignment, I urge you to play around with the  Usually, Azure SDK for .NET should provide the APIs to register an Azure AD application programmatically in C#. But as of February 2019, the facility is only available using PowerShell and not using C#. The C# APIs are under consideration or development.

Connect Your App to Microsoft Azure Active Directory, Learn how to connect your app to Microsoft Azure Active Directory using an You can integrate with Microsoft Azure Active Directory (AD) if you want to let users: (Optional) When enabled, your application will dynamically accept users from Learn about the differences in behavior in Microsoft's Why update to Microsoft  Re: Update SPO User Profile Properties with Azure AD AppOnly You need an SP app with full tenant permissions + write to upa for this to work. Not possible with an AAD app today, at least last time I tried.

  • Thank you. I had seen this, but was trying to do more of an insert of information, via a json file, that contains the app roles as they would appear in the manifest. Just dumping the raw json, into the App Roles: [] brackets
  • You would just need to read the JSON, parse it, construct the Azure AD PowerShell AppRole objects just like Rohit describes here, and set the AppRoles attribute.
  • For programmatic manifest control one can use the Azure CLI tools now, see az ad app update.