0 votes
415 views
in Technique by (71.8m points)

azure active directory - Manage app groups for windows virtual desktop using graph

I am struggling to find any relevant documentation on how to add an Azure AD group to an application group via the Graph API. Here is the documentation on how to do it via the Azure portal UI, but it does not mention how to do it via the Graph API.

My goal is to add an already existing Active Directory group to an already existing remote app application group via the Graph API using an authenticated Service Principal that runs with delegated permissions.

If anyone knows how to do this I would greatly appreciate it.

question from:https://stackoverflow.com/questions/65946634/manage-app-groups-for-windows-virtual-desktop-using-graph


1 Reply

0 votes
by (71.8m points)

Firstly, the answer is NO because Graph API only manages Azure AD resources rather than Azure resources.

And in fact "add an already existing active directory group to an already existing remote app application group" is assigning the "Desktop Virtualization User" role to the AAD group for the remote app application group as the scope.

So what you want can be implemented via Azure REST API Role Assignments - Create.

PUT https://management.azure.com/subscriptions/{subscription_ID}/resourceGroups/{resource_group_name}/providers/Microsoft.DesktopVirtualization/applicationgroups/{application_group_name}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2018-01-01-preview

{
    "properties":{
        "principalId":"{object id of the AAD group}",
        "roleDefinitionId":"/subscriptions/{subscription_ID}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinition_ID}"
    }
}

In the request above, {roleAssignmentName} can be any valid GUID.

For {roleDefinition_ID}, you can use Role Definitions - List to get the {roleDefinition_ID} of "Desktop Virtualization User" role. And then assign the role to the AAD group.
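The two ARM calls from the answer above, written out as an added example (not code from the original post): the role-definition lookup by name, a check that exactly one definition matched, and the PUT body scoped to the single application group. All IDs are constructed placeholders; a bearer token for management.azure.com and the roleAssignments/write permission on that application group are assumed.

```python
"""Build the Role Definitions - List and Role Assignments - Create calls.

Added example, not code from the original post. All IDs below are constructed
placeholders; a bearer token for https://management.azure.com and the
Microsoft.Authorization/roleAssignments/write permission on the application
group itself (not the whole subscription) are assumed for the real calls.
"""
import json
import uuid
from urllib.parse import quote

ARM = "https://management.azure.com"
ROLE_NAME = "Desktop Virtualization User"
# Constructed stand-in for a Role Definitions - List response (role id is a placeholder).
SAMPLE_LIST_RESPONSE = {"value": [{
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
          "Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111",
    "properties": {"roleName": ROLE_NAME, "type": "BuiltInRole"}}]}

def app_group_scope(subscription_id, resource_group, app_group):
    """Scope the assignment to one application group, not the subscription."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.DesktopVirtualization/applicationgroups/{app_group}")

def role_definitions_list_url(scope, role_name=ROLE_NAME):
    """GET URL for Role Definitions - List filtered by name (api-version assumed)."""
    filt = quote(f"roleName eq '{role_name}'", safe="")
    return (f"{ARM}{scope}/providers/Microsoft.Authorization/roleDefinitions"
            f"?$filter={filt}&api-version=2022-04-01")

def pick_role_definition_id(list_response, role_name=ROLE_NAME):
    """Return the full roleDefinitionId; refuse ambiguity rather than assign the wrong role."""
    ids = [d["id"] for d in list_response.get("value", [])
           if d.get("properties", {}).get("roleName") == role_name]
    if len(ids) != 1:
        raise LookupError(f"expected one '{role_name}' definition, found {len(ids)}")
    return ids[0]

def role_assignment_request(scope, group_object_id, role_definition_id, assignment_name=""):
    """Role Assignments - Create: PUT {scope}/.../roleAssignments/{GUID} with the JSON body."""
    name = assignment_name or str(uuid.uuid4())
    uuid.UUID(name)  # roleAssignmentName must be a valid GUID; raises ValueError otherwise
    if not role_definition_id.startswith("/subscriptions/"):
        raise ValueError("roleDefinitionId must be the full resource ID with a leading slash")
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/{name}"
           "?api-version=2018-01-01-preview")
    body = {"properties": {"principalId": group_object_id,
                           "roleDefinitionId": role_definition_id}}
    return "PUT", url, json.dumps(body)
```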
