Get-EntraUserAppRoleAssignment
Get a user application role assignment.
Syntax
Get-EntraUserAppRoleAssignment
-UserId <String>
[-All]
[-Top <Int32>]
[-Property <String[]>]
[<CommonParameters>]
Description
The Get-EntraUserAppRoleAssignment cmdlet gets a user application role assignment.
To perform this operation in delegated scenarios using work or school accounts, the signed-in user must have one of the following least privileged roles, or a custom role with the necessary permissions:
- Guest Inviter - Read app role assignments for users only
- Directory Readers
- Directory Synchronization Accounts - for Microsoft Entra Connect and Microsoft Entra Cloud Sync services
- Directory Writer
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- User Administrator
- Application Administrator
- Cloud Application Administrator
Examples
Example 1: Get a user application role assignment
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'
Get-EntraUserAppRoleAssignment -UserId 'SawyerM@contoso.com'
DeletedDateTime Id AppRoleId CreatedDateTime PrincipalDisplayName PrincipalId PrincipalType ResourceDisplayName
--------------- -- --------- --------------- -------------------- ----------- ------------- -------------------
0ekrQWAUYUCO7cyiA_A1bC2dE3fH4i 00001111-aaaa-2222-bbbb-3333cccc4444 31-07-2023 04:29:57 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-1
0ekrQWAUYUCO7cyiA_C2dE3fH4iJ5k 11112222-bbbb-3333-cccc-4444dddd5555 12-07-2023 10:09:17 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-2
0ekrQWAUYUCO7cyiA_H4iJ5kL6mN7o 22223333-cccc-4444-dddd-5555eeee6666 13-09-2023 16:41:53 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-5
0ekrQWAUYUCO7cyiA_J5kL6mN7oP8q 33334444-dddd-5555-eeee-6666ffff7777 13-09-2023 17:28:17 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-7
This example retrieves the application role assignments for the specified user. You can use the Get-EntraUser cmdlet to look up the object ID to pass in -UserId.
The -UserId parameter specifies the ID of a user (as a UserPrincipalName or ObjectId).
Example 2: Get all application role assignments
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'
Get-EntraUserAppRoleAssignment -UserId 'SawyerM@contoso.com' -All
DeletedDateTime Id AppRoleId CreatedDateTime PrincipalDisplayName PrincipalId PrincipalType ResourceDisplayName
--------------- -- --------- --------------- -------------------- ----------- ------------- -------------------
0ekrQWAUYUCO7cyiA_A1bC2dE3fH4i 00001111-aaaa-2222-bbbb-3333cccc4444 31-07-2023 04:29:57 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-1
0ekrQWAUYUCO7cyiA_C2dE3fH4iJ5k 11112222-bbbb-3333-cccc-4444dddd5555 12-07-2023 10:09:17 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-2
0ekrQWAUYUCO7cyiA_H4iJ5kL6mN7o 22223333-cccc-4444-dddd-5555eeee6666 13-09-2023 16:41:53 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-5
0ekrQWAUYUCO7cyiA_J5kL6mN7oP8q 33334444-dddd-5555-eeee-6666ffff7777 13-09-2023 17:28:17 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-7
This example demonstrates how to retrieve all application role assignments for the specified user.
The -UserId parameter specifies the ID of a user (as a UserPrincipalName or ObjectId).
Example 3: Get top two application role assignments
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'
Get-EntraUserAppRoleAssignment -UserId 'SawyerM@contoso.com' -Top 2
DeletedDateTime Id AppRoleId CreatedDateTime PrincipalDisplayName PrincipalId PrincipalType ResourceDisplayName
--------------- -- --------- --------------- -------------------- ----------- ------------- -------------------
0ekrQWAUYUCO7cyiA_A1bC2dE3fH4i 00001111-aaaa-2222-bbbb-3333cccc4444 31-07-2023 04:29:57 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-1
0ekrQWAUYUCO7cyiA_C2dE3fH4iJ5k 11112222-bbbb-3333-cccc-4444dddd5555 12-07-2023 10:09:17 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-2
This example demonstrates how to retrieve the top two application role assignments for the specified user.
The -UserId parameter specifies the ID of a user (as a UserPrincipalName or ObjectId).
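The three examples above list assignments but leave the AppRoleId unresolved, so a reviewer cannot see which role each assignment grants. The following script is an added example, not part of the Microsoft Entra PowerShell documentation; it assumes that the returned objects carry a ResourceId property (the resource service principal's object ID, as in the Microsoft Graph appRoleAssignment resource) and that Get-EntraServicePrincipal -ServicePrincipalId returns that principal together with its AppRoles collection.

```powershell
# Added example (not from the Entra PowerShell docs): build an access-review report of a
# user's app role assignments, resolving each AppRoleId to the role it actually grants.
# Assumption: assignments expose ResourceId, and Get-EntraServicePrincipal returns AppRoles.
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'

function Get-UserAppRoleReport {
    param(
        [Parameter(Mandatory)][string[]]$UserId
    )
    $spCache = @{}   # fetch each resource service principal only once
    foreach ($user in $UserId) {
        # -All pages through every assignment; -Property trims the response to what we need
        $assignments = Get-EntraUserAppRoleAssignment -UserId $user -All `
            -Property 'Id', 'AppRoleId', 'ResourceId', 'ResourceDisplayName', 'CreatedDateTime'
        foreach ($a in $assignments) {
            $roleName = '(unknown role id)'
            if ($a.AppRoleId -eq '00000000-0000-0000-0000-000000000000') {
                # The all-zeros AppRoleId is the default role: access without a specific app role
                $roleName = '(default access, no specific role)'
            } else {
                if (-not $spCache.ContainsKey($a.ResourceId)) {
                    $spCache[$a.ResourceId] = Get-EntraServicePrincipal -ServicePrincipalId $a.ResourceId
                }
                $role = $spCache[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
                if ($role) { $roleName = "$($role.DisplayName) [$($role.Value)]" }
            }
            [pscustomobject]@{
                User         = $user
                Resource     = $a.ResourceDisplayName
                Role         = $roleName
                AppRoleId    = $a.AppRoleId
                Created      = $a.CreatedDateTime
                AssignmentId = $a.Id
            }
        }
    }
}

# Usage: review one user; sorting keeps each resource's roles together for the reviewer
Get-UserAppRoleReport -UserId 'SawyerM@contoso.com' |
    Sort-Object Resource, Role | Format-Table -AutoSize
```

Pass several UPNs to -UserId to review a whole team in one run; assignments reported as default access or with an unknown role id are the ones worth a closer look, since they grant access the resource's role model does not describe.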
Parameters
-All
List all pages.
Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Property
Specifies properties to be returned.
Type: System.String[]
Aliases: Select
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Top
Specifies the maximum number of records to return.
Type: System.Int32
Aliases: Limit
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-UserId
Specifies the ID of a user (as a UserPrincipalName or ObjectId) in Microsoft Entra ID.
Type: System.String
Aliases: ObjectId
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False