Assigning application roles to a service principal is central to defining how applications interact with resources and other services. For IT admins, this process can get complicated when multiple applications need different permission levels or when service principals extend across environments. The main hurdles are mapping roles accurately, preventing over-permissions, and keeping assignments aligned with security and compliance standards. Luckily, there are dependable methods to review, assign, and manage application roles effectively.
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All"
# Define variables
$spId = "<ServicePrincipalId>" # The object ID of the service principal
$appRoleId = "<AppRoleId>" # The ID of the application role you want to assign
$resourceId = "<ResourceServicePrincipalId>" # The service principal representing the app/resource
# Assign the role
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId -PrincipalId $spId -ResourceId $resourceId -AppRoleId $appRoleId
Assign the Reader application role of "TestApp" to the service principal representing "TestBot".
Example query:
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All"
# Assign the role
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e" `
-PrincipalId "72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e" `
-ResourceId "8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9" `
-AppRoleId "a1b2c3d4-5678-90ab-cdef-1234567890ab"
Example output:
Id: 3f5d6a7b-1234-4e5f-8a9b-0c1d2e3f4a5b
PrincipalId: 72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e
ResourceId: 8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9
AppRoleId: a1b2c3d4-5678-90ab-cdef-1234567890ab
CreationDateTime: 9/25/2025 14:32:10
The syntax is as follows:
New-MgServicePrincipalAppRoleAssignment
-ServicePrincipalId <string>
[-ResponseHeadersVariable <string>]
[-AdditionalProperties <hashtable>]
[-AppRoleId <string>]
[-CreatedDateTime <datetime>]
[-DeletedDateTime <datetime>]
[-Id <string>]
[-PrincipalDisplayName <string>]
[-PrincipalId <string>]
[-PrincipalType <string>]
[-ResourceDisplayName <string>]
[-ResourceId <string>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Assign the Contributor application role of the “TestApp” application to a service principal representing “TestBot”.
Example query:
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All"
# Variables
$spId = "72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e" # Service principal receiving the role
$appRoleId = "b2c3d4e5-6789-01ab-cdef-2345678901bc" # Contributor application role to assign
$resourceId = "8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9" # Application/service principal providing the role
# Assign the role
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId -PrincipalId $spId -ResourceId $resourceId -AppRoleId $appRoleId
Example output:
Id: 4a6b7c8d-2345-5f6g-9b0c-1d2e3f4g5h6i
PrincipalId: 72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e
PrincipalType: ServicePrincipal
ResourceId: 8f96c8a2-22d1-4e7a-b2e5-7b9dc54b99a9
ResourceDisplayName: TestApp
AppRoleId: b2c3d4e5-6789-01ab-cdef-2345678901bc
CreatedDateTime: 9/25/2025 14:45:20
This output shows that the service principal has been assigned the Contributor application role for the Testapplication application. PrincipalId identifies the service principal receiving the role, ResourceId and ResourceDisplayName indicate the application, and AppRoleId specifies the assigned role. Id is the unique identifier for this assignment, and CreatedDateTime shows when it was created.
ADManager Plus makes it easier for admins to manage Microsoft 365 with a simple, centralized console.
Create, modify, and manage users, groups, contacts, and licenses at scale. Perform bulk management, adjust memberships, assign or revoke licenses, and streamline day-to-day administrative work.
Schedule and export over 200 prebuilt reports, including logon activity and account status reports. Take quick actions directly from the reports.
Track privilege assignments, spot risky accounts, map potential attack paths, enforce compliance, and strengthen your Zero Trust strategy.
Automate repetitive tasks like bulk user changes, license management, and group updates. Save time on routine administrative work.
Use role-based access delegation to distribute responsibilities safely. Empower teams to handle day-to-day tasks while you maintain visibility and control.
When registering an application in the Microsoft Entra admin center, define roles with precise permission scopes to enforce fine-grained access control.
Use reporting and delegation to track, review, and adjust service principal permissions on a routine basis, ensuring security and compliance stay intact.
Set up automation to update or revoke service principal roles as applications are provisioned, modified, or retired, keeping permissions accurate and up to date.