Two things. The Get-MgApplication cmdlet covers the application object (where permissions are defined), not the service principal (where permissions are consented). More importantly, the AppRoles property does not give you the resource permissions (such as the ones the app requests from the Graph API), but the "roles" defined by the app itself (i.e. the app can have a "user" role, or an "admin" one, etc.).
Instead, if you are interested in the permissions granted for a given app, you should be looking at the service principal object, and the AppRoleAssignments resource, as you have noted above. So you are on the correct path here, but unfortunately there is no direct way to "resolve" those GUIDs to human-readable values. To do that, you will have to fetch the role definitions out of the underlying resource API itself, in this case the service principal belonging to the Graph API:
Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
Specifically, to "resolve" any given Graph API (application) permissions, you can do something like this:
Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" | select -ExpandProperty AppRoles | ? {$_.Id -eq 'd07a8cc0-3d51-4b77-b3b0-32704d1f69fa'}
Of course, if you need to do this for a few dozen permission entries, it's better just to store the Id and DisplayName properties of all permissions in a hash table and match them, instead of querying the same thing repeatedly. You can take a look at this sample script where I am using this approach: https://www.michev.info/blog/post/5922/reporting-on-entra-id-integrated-applications-service-principals-and-their-permissions
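The hash-table approach described in the answer above, as an added example that is not part of the original post or the linked script. The function name Resolve-AppRoleAssignment and the sample objects are hypothetical and constructed; it goes slightly beyond the answer by keying the lookup on the resource's object id as well, so assignments against APIs other than Graph do not get matched to the wrong role.

```powershell
function Resolve-AppRoleAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Assignment,  # app role assignments of the audited service principal
        [Parameter(Mandatory)] [object[]] $Resource     # resource service principals, including their AppRoles
    )
    # Build the lookup once: resource object id -> (app role id -> role definition)
    $lookup = @{}
    foreach ($sp in $Resource) {
        $roles = @{}
        foreach ($r in $sp.AppRoles) { $roles[[string]$r.Id] = $r }
        $lookup[[string]$sp.Id] = $roles
    }
    # An all-zero AppRoleId means the resource declared no specific role (default access)
    $defaultRole = '00000000-0000-0000-0000-000000000000'
    foreach ($a in $Assignment) {
        $role = $null
        $key  = [string]$a.ResourceId
        if ($lookup.ContainsKey($key)) { $role = $lookup[$key][[string]$a.AppRoleId] }
        [pscustomobject]@{
            Resource    = $a.ResourceDisplayName
            AppRoleId   = $a.AppRoleId
            Permission  = if ($role) { $role.Value }
                          elseif ([string]$a.AppRoleId -eq $defaultRole) { '(default access)' }
                          else { '(unresolved)' }   # role removed, or resource not supplied
            DisplayName = if ($role) { $role.DisplayName } else { $null }
        }
    }
}

# Constructed sample data (not real tenant objects or real permission ids).
# Against a live tenant the inputs would come from:
#   $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <object id> -All
#   $resource    = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$resource = [pscustomobject]@{
    Id       = '11111111-1111-1111-1111-111111111111'
    AppRoles = @(
        [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000001'; Value = 'Sample.Read.All';      DisplayName = 'Read all samples' }
        [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000002'; Value = 'Sample.ReadWrite.All'; DisplayName = 'Read and write all samples' }
    )
}
$assignments = @(
    [pscustomobject]@{ ResourceId = $resource.Id; ResourceDisplayName = 'Sample API'; AppRoleId = 'aaaaaaaa-0000-0000-0000-000000000002' }
    [pscustomobject]@{ ResourceId = $resource.Id; ResourceDisplayName = 'Sample API'; AppRoleId = 'bbbbbbbb-0000-0000-0000-000000000009' }
)

Resolve-AppRoleAssignment -Assignment $assignments -Resource $resource | Format-Table -AutoSize
```

With the sample data, the first row resolves to Sample.ReadWrite.All and the second is reported as (unresolved), which in an audit is the row to follow up on.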