Home
PowerShell
Get-MgUserAppRoleAssignment

How to get Microsoft Entra ID user app role assignments using Get-MgUserAppRoleAssignment

Getting Microsoft Entra ID user app roles

Getting the app role lists for users in Microsoft Entra ID is necessary for admins to ensure that users have the appropriate permissions within enterprise apps, preventing unauthorized access or privilege escalation. This visibility helps enforce least privilege access, streamline role audits, and maintain compliance with security policies.

Get Microsoft Entra ID user app role assignments using Microsoft Graph PowerShell

Prerequisites

Before using the Get-MgUserAppRoleAssignment cmdlet, ensure the following:

The Microsoft Graph PowerShell module is installed. If not, install it using this script:
Install-Module Microsoft.Graph -Scope CurrentUser
Connect to Microsoft Graph PowerShell with the required permissions to fetch Microsoft Entra ID user app role assignments with this script:
Connect-MgGraph -Scopes "Directory.Read.All"

Using the Get-MgUserAppRoleAssignment command to get Microsoft Entra ID user app role assignments

The Get-MgUserAppRoleAssignment cmdlet can be used in Microsoft Graph PowerShell to fetch Microsoft Entra ID user app role assignments. Here's the syntax:


                                    Get-MgUserAppRoleAssignment 

                                    -UserId <String> 

                                    [-ExpandProperty <String[]>] 

                                    [-Property <String[]>] 

                                    [-Filter <String>] 

                                    [-Search <String>] 

                                    [-Skip <Int32>] 

                                    [-Sort <String[]>] 

                                    [-Top <Int32>] 

                                    [-ConsistencyLevel <String>] 

                                    [-ResponseHeadersVariable <String>] 

                                    [-Headers <IDictionary>] 

                                    [-PageSize <Int32>] 

                                    [-All] 

                                    [-CountVariable <String>] 

                                    [-ProgressAction <ActionPreference>] 

                                    [<CommonParameters>]

An example use case using the Get-MgUserAppRoleAssignment cmdlet

Listing all the assigned app roles for a particular user

Get-MgUserAppRoleAssignment -UserId <"user_id"> | Format-List Id, AppRoleID, CreationTimeStamp, PrincipalDisplayName,PrincipalId, PrincipalType, ResourceDisplayName

In this command, replace user_id with the user's ID for whom you would like to list all the assigned app roles.

Supported parameters

The following table contains some parameters that can be used along with the Get-MgUserAppRoleAssignment command to fetch Microsoft Entra ID user app role assignments efficiently.

Parameters	Description
-All	This parameter retrieves all user app role assignments without default pagination limits.
-Filter	This parameter filters user app role assignments based on attributes and values.
-UserId	This parameter retrieves user app role assignments based on their unique identifiers, such as user principal name or object ID.
-Property	This parameter retrieves specific attributes of user app role assignments.
-ConsistencyLevel	This enables advanced query capabilities for improved performance.

Limitations of using Graph PowerShell scripts to get Microsoft Entra ID user app role assignments

While Microsoft Graph PowerShell allows domain ownership verification using Confirm-MgDomain, there are some limitations:

Graph PowerShell requires IT admins to upgrade from Azure AD PowerShell and have familiarity with PowerShell scripting.
The Microsoft Graph API imposes throttling limits, which may affect performance when fetching user app role assignments in bulk.
The scripts may require extra effort to format and export data for reporting purposes.
Technical expertise is needed to troubleshoot errors.
The lack of an intuitive interface makes the overall experience less user-friendly, particularly for those new to scripting.

Highlights of using ADManager Plus

Intuitive interface that streamlines the report generation process.
Comprehensive and customizable reports with options to schedule and automate report generation.
Supports on-the-fly management actions to manage users instantly.
Optimized for large-scale environments and does not require any scripts for bulk operations.
Delegate tasks to technicians without elevating their native privileges.
Keep a watchful eye on your IT environment with more than 200 pre-packaged reports.
Export reports in various formats, such as CSV or HTML, in a few clicks.

Say goodbye to PowerShell hassles and manage Microsoft Entra ID with ease using ADManager Plus

Try it now for free

Get Microsoft Entra ID users app role assignments using Microsoft Graph PowerShell
Limitations of using Graph PowerShell scripts to get Microsoft Entra ID users
Highlights of using ADManager Plus to get Microsoft Entra ID user app role assignments

Related features:

Related Powershell Guides: