Assign AD roles using Azure PowerShell
Question
I'm trying to assign the User Administrator AD role to an Azure Function App managed identity through an Azure DevOps YAML pipeline, using the AzurePowerShell@5 task.
Here is what I tried, but it gives me: ##[error]Object reference not set to an instance of an object.
[CmdletBinding()]
param (
    $functionAppDeltaSyncName,
    $logicAppName_d365hrpublisher,
    $logicAppName_d365hrsubscriber,
    $resourceGroupName
)
Install-Module -Name AzureADPreview -Force
$appArray = $functionAppDeltaSyncName, $logicAppName_d365hrpublisher, $logicAppName_d365hrsubscriber
$aadAccessToken = Get-AzAccessToken -ResourceTypeName AadGraph
$context = Get-AzContext
Connect-AzureAD -AadAccessToken $aadAccessToken.Token -AccountId $context.Account.Id -TenantId $context.tenant.id
For ($x=0; $x -lt $appArray.Length; $x++)
{
    $managedIdentityObjectId = (Get-AzFunctionApp -Name $appArray[$x] -ResourceGroupName $resourceGroupName).IdentityPrincipalId
    $roleUserAdministrator = Get-AzureADMSRoleDefinition -Filter "displayName eq 'User Administrator'"
    $IsAppRoleAssigned_UserAdministrator = Get-AzureADMSRoleAssignment -Id $managedIdentityObjectId |
        Where-Object { $_.RoleDefinitionId -eq $roleUserAdministrator.Id }
    if ($null -eq $IsAppRoleAssigned) {
        New-AzureADMSRoleAssignment `
            -DirectoryScopeId '/' `
            -RoleDefinitionId $IsAppRoleAssigned_UserAdministrator.Id `
            -PrincipalId $managedIdentityObjectId
    }
}
Answer 1
Score: 1
In the code you have provided, check the if condition: if ($null -eq $IsAppRoleAssigned)
$IsAppRoleAssigned_UserAdministrator = Get-AzureADMSRoleAssignment -Filter "principalId eq '$managedIdentityObjectId'" |
    Where-Object { $_.RoleDefinitionId -eq $roleUserAdministrator.Id }
if ($null -eq $IsAppRoleAssigned) {
    New-AzureADMSRoleAssignment `
        -DirectoryScopeId '/' `
        -RoleDefinitionId $IsAppRoleAssigned_UserAdministrator.Id `
        -PrincipalId $managedIdentityObjectId
}
Here $IsAppRoleAssigned is declared nowhere, but $IsAppRoleAssigned_UserAdministrator is the declared variable. Correcting that resolves most of the error.
Also, when $IsAppRoleAssigned_UserAdministrator is null and has no value, $IsAppRoleAssigned_UserAdministrator.RoleDefinitionId does not contain any value either, and in that scenario the following command does not work, because RoleDefinitionId will be null.
That is where you might have got "Object reference not set to an instance of an object".
Check the correct code.
Instead, get the role definition id of User Administrator using the command below ($roledefId_UserAdmin) and use it while creating the new role assignment in the if condition.
# $functionAppDeltaSyncName is the function app name from the question's param block
$functionApp = Get-AzFunctionApp -ResourceGroupName $resourceGroupName -Name $functionAppDeltaSyncName
$managedIdentityObjectId = $functionApp.IdentityPrincipalId
Write-Host "Function app principal id is fetched: $managedIdentityObjectId"
$roleUserAdministrator = Get-AzureADMSRoleDefinition -Filter "displayName eq 'User Administrator'"
# Role definition id of User Administrator, used for the new assignment below
$roledefId_UserAdmin = $roleUserAdministrator.Id
$IsAppRoleAssigned_UserAdministrator = Get-AzureADMSRoleAssignment -Filter "principalId eq '$managedIdentityObjectId'" |
    Where-Object { $_.RoleDefinitionId -eq $roleUserAdministrator.Id }
if ($null -eq $IsAppRoleAssigned_UserAdministrator) {
    New-AzureADMSRoleAssignment `
        -DirectoryScopeId '/' `
        -RoleDefinitionId $roledefId_UserAdmin `
        -PrincipalId $managedIdentityObjectId
}
Check whether the role is assigned to the service principal:
Get-AzureADDirectoryRoleMember -ObjectId "942fxxx-xxx699449b8"
Here ObjectId is the object id of the "User Administrator" role.
Reference: Get-AzureADMSRoleAssignment (AzureAD) | Microsoft Learn
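Added example (editor's code, not the question's or the answer's): the same assignment written as an idempotent pipeline script with the AzureADPreview cmdlets the page uses. It assumes the AzurePowerShell@5 service connection is allowed to create directory role assignments (Privileged Role Administrator, or the RoleManagement.ReadWrite.Directory application permission), that each resource has a system-assigned identity that Get-AzResource exposes through its Identity property, and that the parameter names are this script's own. Two things differ from the page's code: Connect-AzureAD is also handed a Microsoft Graph token, because the Get-AzureADMS* cmdlets call Microsoft Graph rather than the AAD Graph endpoint, and the existing-assignment check filters on principalId, since -Id on Get-AzureADMSRoleAssignment is the assignment's own id. Microsoft has deprecated the AzureAD/AzureADPreview modules in favour of Microsoft Graph PowerShell, so a new pipeline should prefer the Mg* equivalents of the same calls.

```powershell
# Editor's example, not code from the question or the answer.
# Assumptions: the pipeline identity may create directory role assignments;
# every named resource has a system-assigned managed identity.
[CmdletBinding()]
param (
    [Parameter(Mandatory)] [string]   $resourceGroupName,
    [Parameter(Mandatory)] [string[]] $resourceNames,   # function app and logic app names
    [string] $roleDisplayName  = 'User Administrator',
    # '/' is tenant-wide. For least privilege pass an administrative unit scope,
    # e.g. '/administrativeUnits/<au-object-id>', so the identity cannot manage every user.
    [string] $directoryScopeId = '/'
)

$ErrorActionPreference = 'Stop'

Install-Module -Name AzureADPreview -Force -Scope CurrentUser
Import-Module AzureADPreview

# The AzurePowerShell@5 task already has an Az context; reuse it for both tokens.
# Get-AzureADMS* cmdlets talk to Microsoft Graph, so pass -MsAccessToken as well.
$context    = Get-AzContext
$aadToken   = (Get-AzAccessToken -ResourceTypeName AadGraph).Token
$graphToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
Connect-AzureAD -AadAccessToken $aadToken -MsAccessToken $graphToken `
    -AccountId $context.Account.Id -TenantId $context.Tenant.Id | Out-Null

# Resolve the role once, outside the loop, and fail loudly if it does not exist
# instead of passing a null RoleDefinitionId to New-AzureADMSRoleAssignment.
$role = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleDisplayName'"
if (-not $role) { throw "Directory role '$roleDisplayName' not found" }

foreach ($name in $resourceNames) {
    # Get-AzResource works for any ARM resource with a system-assigned identity,
    # so one loop covers the function app and the logic apps alike.
    $resource    = Get-AzResource -ResourceGroupName $resourceGroupName -Name $name
    $principalId = if ($resource.Identity) { $resource.Identity.PrincipalId } else { $null }
    if (-not $principalId) { throw "$name has no system-assigned managed identity" }

    # Filter by principalId: -Id would look up an assignment by its own id, not the principal.
    $existing = Get-AzureADMSRoleAssignment -Filter "principalId eq '$principalId'" |
        Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq $directoryScopeId }

    if ($existing) {
        Write-Host "$name ($principalId) already holds '$roleDisplayName' at scope $directoryScopeId"
        continue
    }

    $assignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScopeId `
        -RoleDefinitionId $role.Id -PrincipalId $principalId
    Write-Host "Assigned '$roleDisplayName' to $name ($principalId); assignment id $($assignment.Id)"
}

# Verify by role definition id, which does not depend on the activated role's object id.
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId, Id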