Get-EntraUserAppRoleAssignment

Module:

Microsoft.Graph.Entra

Get a user application role assignment.

Syntax

Get-EntraUserAppRoleAssignment
   -ObjectId <String>
   [-All]
   [-Top <Int32>]
   [-Property <String[]>]
   [<CommonParameters>]

Description

The Get-EntraUserAppRoleAssignment cmdlet gets a user application role assignment.

Examples

Example 1: Get a user application role assignment

Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All','Directory.Read.All'
$UserId = (Get-EntraUser -Top 1).ObjectId
Get-EntraUserAppRoleAssignment -ObjectId $UserId

DeletedDateTime Id                                          AppRoleId                            CreatedDateTime     PrincipalDisplayName   PrincipalId                          PrincipalType ResourceDisplayName
--------------- --                                          ---------                            ---------------     --------------------   -----------                          ------------- -------------------
                0ekrQWAUYUCO7cyiA_A1bC2dE3fH4i             00001111-aaaa-2222-bbbb-3333cccc4444 31-07-2023 04:29:57 Avery Smith            aaaaaaaa-bbbb-cccc-1111-222222222222 User          Test-App-1
                0ekrQWAUYUCO7cyiA_C2dE3fH4iJ5k             11112222-bbbb-3333-cccc-4444dddd5555 12-07-2023 10:09:17 Avery Smith            aaaaaaaa-bbbb-cccc-1111-222222222222 User          Test-App-2
                0ekrQWAUYUCO7cyiA_H4iJ5kL6mN7o             22223333-cccc-4444-dddd-5555eeee6666 13-09-2023 16:41:53 Avery Smith            aaaaaaaa-bbbb-cccc-1111-222222222222 User          Test-App-5
                0ekrQWAUYUCO7cyiA_J5kL6mN7oP8q             33334444-dddd-5555-eeee-6666ffff7777 13-09-2023 17:28:17 Avery Smith            aaaaaaaa-bbbb-cccc-1111-222222222222 User          Test-App-7

This example retrieves a user application role assignment for the user in $UserId. You can use the command Get-EntraUser to get Service principal Object ID.

• -ObjectId parameter specifies the object ID of a user(as a UserPrincipalName or ObjectId).

Example 2: Get all application role assignments

Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All','Directory.Read.All'
Get-EntraUserAppRoleAssignment -ObjectId 'aaaaaaaa-bbbb-cccc-1111-222222222222' -All

DeletedDateTime Id                                          AppRoleId                            CreatedDateTime     PrincipalDisplayName   PrincipalId                          PrincipalType ResourceDisplayName
--------------- --                                          ---------                            ---------------     --------------------   -----------                          ------------- -------------------
                0ekrQWAUYUCO7cyiA_A1bC2dE3fH4i             00001111-aaaa-2222-bbbb-3333cccc4444 31-07-2023 04:29:57 Avery Smith            aaaaaaaa-bbbb-cccc-1111-222222222222 User          Test-App-1
                0ekrQWAUYUCO7cyiA_C2dE3fH4iJ5k             11112222-bbbb-3333-cccc-4444dddd5555 12-07-2023 10:09:17 Avery Smith            aaaaaaaa-bbbb-cccc-1111-222222222222 User          Test-App-2 
                0ekrQWAUYUCO7cyiA_H4iJ5kL6mN7o             22223333-cccc-4444-dddd-5555eeee6666 13-09-2023 16:41:53 Avery Smith            aaaaaaaa-bbbb-cccc-1111-222222222222 User          Test-App-5
                0ekrQWAUYUCO7cyiA_J5kL6mN7oP8q             33334444-dddd-5555-eeee-6666ffff7777 13-09-2023 17:28:17 Avery Smith            aaaaaaaa-bbbb-cccc-1111-222222222222 User          Test-App-7

This example demonstrates how to retrieve all application role assignment for the specified user.

• -ObjectId parameter specifies the object ID of a user(as a UserPrincipalName or ObjectId).

Example 3: Get top two application role assignments

Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All','Directory.Read.All'
Get-EntraUserAppRoleAssignment -ObjectId 'aaaaaaaa-bbbb-cccc-1111-222222222222' -Top 2

DeletedDateTime Id                                          AppRoleId                            CreatedDateTime     PrincipalDisplayName   PrincipalId                          PrincipalType ResourceDisplayName
--------------- --                                          ---------                            ---------------     --------------------   -----------                          ------------- -------------------
                0ekrQWAUYUCO7cyiA_A1bC2dE3fH4i             00001111-aaaa-2222-bbbb-3333cccc4444 31-07-2023 04:29:57 Avery Smith            aaaaaaaa-bbbb-cccc-1111-222222222222 User          Test-App-1
                0ekrQWAUYUCO7cyiA_C2dE3fH4iJ5k             11112222-bbbb-3333-cccc-4444dddd5555 12-07-2023 10:09:17 Avery Smith            aaaaaaaa-bbbb-cccc-1111-222222222222 User          Test-App-2

This example demonstrates how to retrieve top two application role assignment for the specified user.

• -ObjectId parameter specifies the object ID of a user(as a UserPrincipalName or ObjectId).

Parameters

-All

List all pages.

Type:	System.Management.Automation.SwitchParameter
Position:	Named
Default value:	False
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-ObjectId

Specifies the ID of a user (as a UserPrincipalName or ObjectId) in Microsoft Entra ID.

Type:	System.String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-Property

Specifies properties to be returned.

Type:	System.String[]
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-Top

Specifies the maximum number of records to return.

Type:	System.Int32
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

Related Links

• Get-EntraUser
• New-EntraUserAppRoleAssignment
• Remove-EntraUserAppRoleAssignment