How to list users and principals assigned to app roles using Graph PowerShell

The Get-MgServicePrincipalAppRoleAssignedTo cmdlet retrieves the users, groups, and service principals that have been assigned a specific app role from a resource application. This is useful for auditing who has permission to use the application's defined roles.

Get principals assigned to app roles using Graph PowerShell

Prerequisites

  • Before using the cmdlet, ensure that the Microsoft Graph PowerShell module is installed. If not, install it using this PowerShell command:
    Install-Module Microsoft.Graph -Scope CurrentUser
  • Also, use the following PowerShell command to connect to Microsoft Graph with the required permissions (e.g., AppRoleAssignment.Read.All):
    Connect-MgGraph -Scopes "AppRoleAssignment.Read.All"

Using the Get-MgServicePrincipalAppRoleAssignedTo cmdlet

Run the Graph PowerShell command below to retrieve users, groups, and service principals that have been assigned a specific app role. Replace <service-principal-id> with the required service principal object ID:

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId <service-principal-id>

Examples

Example 1: Get all app role assignments assigned to a service principal

This Graph PowerShell command retrieves a list of principals that have been assigned a role for the specific resource application represented by the provided service principal ID:

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId "abcdef12-3456-7890-abcd-ef1234567890"

Example 2: Limit returned assignments to five

This Graph PowerShell command restricts output to five assignments:

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId "abcdef12-3456-7890-abcd-ef1234567890" -Top 5

Example 3: Filter assignments by principal type

This Graph PowerShell command shows only assignments where the principal type is User:

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId "abcdef12-3456-7890-abcd-ef1234567890" -Filter "principalType eq 'User'"
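The assignments returned above identify each role only by its AppRoleId GUID. The following script, added here as an example and not part of the original page, resolves those GUIDs against the role catalogue of the resource application and produces an audit-friendly table; it assumes Connect-MgGraph has already been run with AppRoleAssignment.Read.All and Application.Read.All, and <service-principal-id> is a placeholder.

```powershell
# Added example: audit who holds which app role on a resource application,
# resolving AppRoleId GUIDs to the role names the application defines.
# Assumes an existing Connect-MgGraph session with AppRoleAssignment.Read.All
# and Application.Read.All; the service principal ID below is a placeholder.

$spId = "<service-principal-id>"

# Build the role catalogue of the resource application: Id -> "DisplayName (Value)"
$sp = Get-MgServicePrincipal -ServicePrincipalId $spId
$roleNames = @{}
foreach ($role in $sp.AppRoles) {
    $roleNames[$role.Id] = "$($role.DisplayName) ($($role.Value))"
}

# Use -All so that server-side paging does not silently truncate the audit
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $spId -All

$report = foreach ($a in $assignments) {
    # The all-zero AppRoleId means "default access": assigned without a specific role
    $roleLabel = if ($a.AppRoleId -eq "00000000-0000-0000-0000-000000000000") {
        "Default access (no role)"
    } elseif ($roleNames.ContainsKey($a.AppRoleId)) {
        $roleNames[$a.AppRoleId]
    } else {
        # Role no longer defined on the app but assignment still exists: worth reviewing
        "Unknown role $($a.AppRoleId)"
    }
    [pscustomobject]@{
        Principal     = $a.PrincipalDisplayName
        PrincipalId   = $a.PrincipalId
        PrincipalType = $a.PrincipalType
        Role          = $roleLabel
        Assigned      = $a.CreatedDateTime
    }
}

# Full listing, grouped by principal type so users, groups and apps are easy to compare
$report | Sort-Object PrincipalType, Principal | Format-Table -AutoSize

# Other applications (service principals) holding roles deserve particular scrutiny,
# since they exercise the role without any interactive sign-in
$report | Where-Object PrincipalType -eq "ServicePrincipal" | Format-Table -AutoSize
```

Assignments to a group grant the role to every member of that group, so expand group membership separately if you need a per-user view.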

Supported parameters

The following are some essential parameters that can be used along with the Get-MgServicePrincipalAppRoleAssignedTo command:

Parameter            Description
-ServicePrincipalId  Specifies the service principal's object ID
-Top                 Limits the number of results returned
-Filter              Filters results based on the specified criteria
-All                 Retrieves all results without paging
-Property            Selects the properties to be returned in the output

Limitations of using Microsoft Graph PowerShell to get app role assignments

  • PowerShell commands can get complicated with different use cases and scenarios.
  • IT admins can spend a lot of time debugging errors, which in turn negatively impacts productivity.
  • Delegation can get tricky since technicians require elevated permissions.

How ADManager Plus helps you manage Microsoft Entra ID

ADManager Plus, an identity governance and administration solution with comprehensive Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console:

Perform script-free Microsoft Entra ID management and reporting with ADManager Plus
