Get Azure Active Directory application users and roles

Jeremy · Sep 6, 2016 · Viewed 12.2k times

I've setup an application in Azure AD Premium and made user assignment required to access the application. I've added custom app roles to the application manifest. I can assign users with a role to the application.

How can you get a list of all users that are assigned to the application and their assigned role?

Answer

Philippe Signoret · Sep 7, 2016

Azure portal (preview)

In the new Azure portal, under "Enterprise applications" > (your app) > "Users and groups", you'll now see only the list of users who are assigned to the application, as well as the app role they are assigned to. You can also filter and sort by app role. Here's an example:

[Azure portal / Enterprise applications / Users and groups]

Note: As of September 2016, the Azure AD management experience in the new Azure portal is in preview.

Classic Azure portal

Under an application's "Users and groups" you can list all users (and what their assignment state is), as well as all groups:

[Classic Azure portal / Active Directory / Application / Users and groups]

PowerShell

Using the new preview (as of Sept 2016) Azure AD PowerShell module, you can use the following example:

# Get all service principals, and for each one, get all the app role assignments,
# resolving the app role ID to its display name. Output everything to a CSV.
Get-AzureADServicePrincipal | % {

  # Build a hash table of the service principal's app roles. The 0-Guid is
  # used in an app role assignment to indicate that the principal is assigned
  # to the default app role (or rather, no app role).
  $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
  $_.AppRoles | % { $appRoles[$_.Id] = $_.DisplayName }

  # Get the app role assignments for this app, and add a field for the app role name
  Get-AzureADServiceAppRoleAssignment -ObjectId ($_.ObjectId) | % {
    $_ | Add-Member "AppRoleDisplayName" $appRoles[$_.Id] -Passthru
  }
} | Export-Csv "app_role_assignments.csv" -NoTypeInformation

Azure AD Graph API

With Azure AD Graph API, you can do the equivalent of what the PowerShell script does, above (in fact, the new Azure AD PowerShell module uses Azure AD Graph API for the majority of the requests).

List all service principals:

GET https://graph.windows.net/{tenant-id}/servicePrincipals

List a service principal's app role assignments:

GET https://graph.windows.net/{tenant-id}/servicePrincipals/{object-id}/appRoleAssignments
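As an added example (not part of the original answer), the role-ID resolution that the PowerShell script performs, applied to the JSON returned by the two Azure AD Graph requests above. The service principal and assignment objects below are constructed samples with made-up GUIDs; the property names follow the Azure AD Graph shape the answer's script relies on (appRoles[].id, appRoleAssignment.id), and the unknown-role fallback is my own addition.

```python
import json

# Guid.Empty in an assignment means the default (no) app role, as the
# PowerShell script above notes.
DEFAULT_ROLE_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample: one object from GET .../servicePrincipals
SERVICE_PRINCIPAL = json.loads("""
{
  "objectId": "11111111-aaaa-bbbb-cccc-222222222222",
  "displayName": "Payroll App",
  "appRoles": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "Approver"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "Reader"}
  ]
}
""")

# Constructed sample: GET .../servicePrincipals/{object-id}/appRoleAssignments
# The third entry references a role id that is not in the manifest (for
# example, a role removed after the assignment was made).
ASSIGNMENTS = json.loads("""
[
  {"principalDisplayName": "Alice Example", "principalType": "User",
   "principalId": "33333333-0000-0000-0000-000000000001",
   "id": "AAAAAAAA-0000-0000-0000-000000000001"},
  {"principalDisplayName": "Finance Readers", "principalType": "Group",
   "principalId": "33333333-0000-0000-0000-000000000002",
   "id": "00000000-0000-0000-0000-000000000000"},
  {"principalDisplayName": "Bob Example", "principalType": "User",
   "principalId": "33333333-0000-0000-0000-000000000003",
   "id": "aaaaaaaa-0000-0000-0000-000000000099"}
]
""")

def build_role_table(service_principal):
    """Map app role id -> display name, seeded with the default-role entry."""
    roles = {DEFAULT_ROLE_ID: "(default)"}
    for role in service_principal.get("appRoles", []):
        roles[role["id"].lower()] = role["displayName"]   # ids compare case-insensitively
    return roles

def resolve_assignments(service_principal, assignments):
    """One row per assignment, with the role id resolved to its display name.
    Group assignments cover the group's members, so a per-user audit still
    needs the group membership expanded separately."""
    roles = build_role_table(service_principal)
    return [{"resource": service_principal["displayName"],
             "principal": a["principalDisplayName"],
             "principalType": a["principalType"],
             "appRole": roles.get(a["id"].lower(), "(unknown role " + a["id"] + ")")}
            for a in assignments]
```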