How to get application role assignments for service principals using Microsoft Graph PowerShell

The Get-MgServicePrincipalAppRoleAssignment cmdlet retrieves the app role assignments that have been granted to a specified service principal in Microsoft Entra ID (previously Azure AD). An app role assignment records that a principal (here a service principal, i.e. an application) holds a specific role defined by a resource application, such as the Mail.Read application permission exposed by Microsoft Graph. These are application (app-only) permissions that the application can exercise without a signed-in user; they are not delegated permissions, which are recorded separately as OAuth2 permission grants. Because app-only permissions apply tenant-wide, reviewing these assignments is a core part of auditing what a workload identity can do.

Get application role assignments using Microsoft Graph PowerShell

Prerequisites

  • Before using the cmdlet, ensure that the Microsoft Graph PowerShell module is installed. If not, install it using the following PowerShell command:
    Install-Module Microsoft.Graph -Scope CurrentUser
  • Then connect to Microsoft Graph with a permission that allows reading service principals and their app role assignments. Application.Read.All is sufficient for a read-only audit; avoid requesting the broader AppRoleAssignment.ReadWrite.All or Directory.ReadWrite.All scopes when you only need to read:
    Connect-MgGraph -Scopes "Application.Read.All"

Using the Get-MgServicePrincipalAppRoleAssignment cmdlet

Run the cmdlet below in Microsoft Graph PowerShell to retrieve all application role assignments of a service principal. Replace <service-principal-id> with the object ID of the service principal (the Id of the servicePrincipal object, not the application's app (client) ID). Note the direction of the query: this cmdlet lists the roles that the given service principal holds on other resources; the related Get-MgServicePrincipalAppRoleAssignedTo cmdlet lists the principals that have been assigned roles defined by this service principal.

Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <service-principal-id>

Examples

Example 1: Get all application role assignments for a service principal

This Graph PowerShell command retrieves all application role assignments associated with the specified service principal ID:

Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "01234567-89ab-cdef-0123-456789abcdef"

Example 2: Filter application role assignments where the resource ID equals a specific value

This Graph PowerShell command filters the assignments to display only those granted on a specific resource. The resourceId is the object ID of the resource service principal (for example, the Microsoft Graph service principal in your tenant), so this shows which application permissions the principal holds on that one API:

Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "01234567-89ab-cdef-0123-456789abcdef" -Filter "resourceId eq 'fedcba98-7654-3210-fedc-ba9876543210'"

Supported parameters

The following are some essential parameters that can be used along with the Get-MgServicePrincipalAppRoleAssignment cmdlet:

Parameter            Description
-ServicePrincipalId  Specifies the object ID of the service principal to query (required)
-Top                 Limits the number of results returned in the output
-Filter              Filters the results using an OData expression, e.g. "resourceId eq '<guid>'"
-All                 Follows server-side paging and returns every assignment instead of only the first page
-Property            Selects specific properties to be returned in the output, e.g. "AppRoleId,ResourceId"
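The raw output of the examples above only shows appRoleId and resourceId GUIDs, which tell an auditor little. The added script below (not part of the original page or of ADManager Plus) ties the examples and the parameters together: it connects with a read-only scope, fetches every assignment of one service principal with -All, resolves each appRoleId to its permission name by looking up the AppRoles collection of the resource service principal, and flags permissions that grant tenant-wide control. The service principal ID is a placeholder, and the $highRisk list is an illustrative selection chosen for this example, not an official Microsoft classification.

```powershell
# Added example: resolve a service principal's app role assignments to permission names
# and flag high-privilege application permissions. Not code from the original page.
# Assumes the Microsoft.Graph module is installed and that $spId is replaced with a real object ID.

# Read-only scope: enough to read service principals, their AppRoles and their assignments.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$spId = "01234567-89ab-cdef-0123-456789abcdef"   # placeholder: object ID of the service principal to audit

# Application permissions that effectively hand over the tenant. Illustrative subset for this example.
$highRisk = @(
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
    "User.ReadWrite.All",
    "Mail.ReadWrite",
    "Mail.Send",
    "Files.ReadWrite.All"
)

# Cache resource service principals so each resource (e.g. Microsoft Graph) is fetched only once.
$resourceCache = @{}

# -All follows paging; without it a heavily permissioned principal would be truncated to the first page.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId -All

$report = foreach ($a in $assignments) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        # The resource's AppRoles collection maps each app role Id to a Value such as "Mail.Read".
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId `
            -Property "Id,DisplayName,AppRoles"
    }
    $resource = $resourceCache[$a.ResourceId]
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }

    # An all-zero AppRoleId is the default access role used when the resource defines no app roles,
    # so it will not match any AppRoles entry and is reported as unresolved.
    $value = if ($role) { $role.Value } else { "<unresolved $($a.AppRoleId)>" }

    [PSCustomObject]@{
        Principal   = $a.PrincipalDisplayName
        Resource    = $resource.DisplayName
        Permission  = $value
        Description = $role.DisplayName
        HighRisk    = $highRisk -contains $value
        GrantedOn   = $a.CreatedDateTime
    }
}

$report | Sort-Object HighRisk -Descending | Format-Table -AutoSize

# Surface high-risk grants explicitly so the script can back a scheduled check or a pipeline gate.
$flagged = @($report | Where-Object HighRisk)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} high-risk application permission(s) granted to service principal {1}" -f $flagged.Count, $spId)
}
```

To sweep the whole tenant, wrap the body in a loop over Get-MgServicePrincipal -All and reuse the same $resourceCache; the cache matters because almost every assignment resolves to the same handful of resource service principals.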

Limitations of using Microsoft Graph PowerShell to get application role assignments

  • PowerShell commands can get complex with different use cases and scenarios; the cmdlet returns role and resource GUIDs that have to be resolved to permission names before the output is meaningful.
  • IT admins can spend a lot of time troubleshooting errors, which in turn negatively impacts productivity.
  • Delegation can get tricky, since the technician running the cmdlet needs a Graph permission such as Application.Read.All that covers every service principal in the tenant, not just the ones they are responsible for.

How ADManager Plus helps you manage Microsoft Entra ID

ADManager Plus, an identity governance and administration solution with comprehensive Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console.

Perform script-free Microsoft Entra ID management and reporting with ADManager Plus
