Allow Applications to be added to AD Security Groups
Basically allow adding Service Principals (i.e. Applications) into AD Security Groups just like User Principals are allowed today.
We support service principals to be added to security groups. Here’s the documentation – https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal#group-types
As per the link, you can add service principals as owners of a security group. Is there a way to add SPNs as members, or is there another alternative method, a group of SPNs to control access to resources?
It's definitely a BREAKING CHANGE because this function is available in Add-AzureADGroupMember but not available in Add-AzureADGroupMember.
Why is it called so? It should be like Add-AzureADUserGroupMember or something like that, so as NOT to CONFUSE people.
How would I need to migrate my PowerShell code from 5.1 to Az and 6+? Why wasn't it even designed this way from the start? This is available in the Azure Portal but not here.
Alex Kolisnychenko commented
Is this still on the table? Service principals and managed identities are widely used for RBAC in Azure, and them not participating in a normal AAD security universe (groups et al) is a serious hindrance for automation.
I am trying to do this using the Azure CLI and getting the same error message:
"An invalid operation was included in the following modified references: 'members'."
Can you give an example, please? For me it is not working in PowerShell. I get the following error message:
Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Message: An invalid operation was included in the following modified references: 'members'.
It is working for the service principal of an enterprise application, though.
Thanks in advance for your help.
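Added example, not posted by any participant in this thread: the pattern that makes Add-AzureADGroupMember accept a service principal. The member passed as -RefObjectId has to be the ObjectId of the service principal (the enterprise-application object in the tenant), not the ObjectId of the application registration; passing the registration's object is what produces the "modified references: 'members'" error quoted above. The group name and application id below are placeholders.

```powershell
# Added example (not from this thread): add a service principal to an
# Azure AD security group with the AzureAD PowerShell module.
# Placeholder values; replace with your own group name and app (client) id.
Connect-AzureAD

$groupName = 'sg-function-callers'                      # placeholder
$appId     = '00000000-0000-0000-0000-000000000000'     # placeholder appId

# Resolve the group. displayName is not unique, so guard against 0 or >1 hits.
$groups = @(Get-AzureADGroup -Filter "displayName eq '$groupName'")
if ($groups.Count -ne 1) { throw "Expected exactly one group named '$groupName', found $($groups.Count)" }
$group = $groups[0]

# Resolve the SERVICE PRINCIPAL by appId. Its ObjectId differs from the
# ObjectId of the app registration returned by Get-AzureADApplication;
# only the service principal can be a group member.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    # No service principal exists in this tenant yet (e.g. single-tenant app
    # never consented); create one before it can become a member.
    $sp = New-AzureADServicePrincipal -AppId $appId
}

# Add the service principal's ObjectId (not the registration's) as a member.
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $sp.ObjectId

# Verify the membership took effect; ObjectType should read ServicePrincipal.
Get-AzureADGroupMember -ObjectId $group.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId } |
    Select-Object ObjectId, DisplayName, ObjectType
```

The same distinction applies in the Azure CLI: `az ad group member add --group <group> --member-id <id>` wants the service principal's object id, which `az ad sp` commands return, rather than the id that `az ad app` commands return for the registration.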
UNNIE AYILLIATH commented
This has a lot of use cases when we need 2 applications to talk with each other, e.g. calling a role-protected Azure Function from another daemon function. In this case we need to add the daemon function's AAD app as a member of the group.