Unfortunately, you cannot add an application as a member of Azure AD group. Though the official document for the Powershell cmdlet Add-AzureADGroupMember doesn't make clear you cannot use Application's ObjectId as the RefObjectId, absolutely you cannot use it. You cannot add an application as a member of Azure AD group neither.
Currently, you can add a service principal to an AAD Group:
$spn = Get-AzureADServicePrincipal -SearchString "yourSpName"
$group = Get-AzureADGroup -SearchString "yourGroupName"
Add-AzureADGroupMember -ObjectId $($group.ObjectId) -RefObjectId $($spn.ObjectId)
also from the portal you can add the service principal to one AAD Group directly in Azure portal:
[![enter image description here][1]][1]
you can refer this for further explanation.
https://blogs.technet.microsoft.com/stefan_stranger/2018/06/06/connect-to-azure-sql-database-by-obtaining-a-token-from-azure-active-directory-aad/
Hope it helps.
[1]: https://i.stack.imgur.com/B8t6R.png
1. Unfortunately, you cannot add an application as a member of Azure AD group.
Though the official document for the Powershell cmdlet `Add-AzureADGroupMember` doesn't make clear you cannot use Application's `ObjectId` as the `RefObjectId`, absolutely you cannot use it.
You cannot add an application as a member of Azure AD group neither.
> For example, we will create group1 for readers and group2 for writers.
> Then based on "groups" claim, I will figure out the right access
> level.
2. For your scenario, I'm afraid that you couldn't achieve this for now. **I understand why you need this.** According to your request, my thought is [**assigning your application from Enterprise Application to Groups or users**][1] and manger users with different access rights. However, you cannot choose more roles for the selected group. The only one role is default access If want to define more roles for the app, you can refer to [this documentation][2].
I also tried to use Azure AD RBAC and create new conditional access for my test app,but all don't have **read only** this choice.
You can also put your idea in [**Azure Feedback Forum**][3], azure team will see it. Also, I will upvote your idea.
#Update:
----------
Currently, you can add a service principal to an AAD Group:
**Example:**
$spn = Get-AzureADServicePrincipal -SearchString "yourSpName"
$group = Get-AzureADGroup -SearchString "yourGroupName"
Add-AzureADGroupMember -ObjectId $($group.ObjectId) -RefObjectId $($spn.ObjectId)
----------
#Updated 2:
Recently, I also see lots of users want to assign roles to a service principal to let the service principal have some permissions to access to the app with a role.
I want to make clear here. Role-based authorized should be used for users, NOT applications. And it's not designed for applications. If you want to give some different permissions you may consider to assign application permissions to your service principal instead.
You can expose your Web App/API with application permissions by editing the Manifest in app registrations.
> You can go to Azure portal > Azure Active Directory > App registrations > Select your App > Manifest.
In `appRoles`, you can insert content like this:
{
"allowedMemberTypes": [
"Application"
],
"displayName": "Access to the settings data",
"id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
"isEnabled": true,
"description": "Administrators can access to the settings data in their tenant",
"value": "Settingsdata.ReadWrite.All"
},
Then, you can go another app registration you want to give permission > Settings > require permissions > Add > Search the application name you want to access > Choose the application permission you created before.
Therefore, your sp can obtain a token with that application permissions in token claims.
Also, for authorization from the resource, you need to add code logic to give control policy for that token with `Settingsdata.ReadWrite.All` claim.
----------
#Update 3
Currently, you can add the service principal to one AAD Group directly in Azure portal:
[![enter image description here][4]][4]
[1]: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-coreapps-assign-user-azure-portal#how-do-i-assign-user-access-to-an-enterprise-app-in-the-azure-portal
[2]: https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
[3]: https://feedback.azure.com/forums/169401-azure-active-directory
[4]: https://i.stack.imgur.com/By1pI.png
