Is it possible to enumerate all users and/or groups associated with an application role using Azure Active Directory Graph API? If not, is there a programmatic work-around (as opposed to using the portal with AD Premium)?
I'm using the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package, which wraps the AD Graph API, to fetch application roles associated with an application instance. Unfortunately the AppRole object doesn't include a method to fetch mapped principals.
If you know the service principal that is associated with an application role, you can query for all the objects associated with that service principal (which include all the app roles):
https://graph.windows.net/myorganization/servicePrincipals/#objectId#/appRoleAssignedTo?api-version=1.5
The documentation for app role assignments is here: https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#AppRoleAssignmentEntity
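As an added example (not code from the asker or the answerer), the following Python walks the `appRoleAssignedTo` collection described above and groups the assigned principals by app role. It assumes the response shape (an AppRoleAssignment's `id` is the app role id; `principalId`/`principalType`/`principalDisplayName` identify the assignee), assumes paging via an `odata.nextLink` key, and uses a constructed fake fetcher in place of an authenticated HTTP GET so it runs offline.

```python
import json
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Constructed sample pages (not real tenant data). Each "value" element mimics an
# AppRoleAssignment: "id" is the app role id, the principal* fields the assignee.
PAGE_1 = json.dumps({
    "value": [
        {"id": "role-admin", "principalId": "u1", "principalDisplayName": "alice",
         "principalType": "User", "resourceId": "sp-1"},
        {"id": "role-reader", "principalId": "g1", "principalDisplayName": "Auditors",
         "principalType": "Group", "resourceId": "sp-1"},
    ],
    # Assumed paging key; a real tenant returns a skiptoken link here.
    "odata.nextLink": "servicePrincipals/sp-1/appRoleAssignedTo?$skiptoken=page2",
})
PAGE_2 = json.dumps({
    "value": [
        {"id": "role-admin", "principalId": "g2", "principalDisplayName": "Ops",
         "principalType": "Group", "resourceId": "sp-1"},
    ],
})
# Hypothetical appRoles list as read from the service principal object, used to
# translate role ids into their "value" names.
APP_ROLES = [{"id": "role-admin", "value": "Admin"}, {"id": "role-reader", "value": "Reader"}]
PAGES = {None: PAGE_1, "servicePrincipals/sp-1/appRoleAssignedTo?$skiptoken=page2": PAGE_2}


def fake_fetch(next_link: Optional[str]) -> str:
    """Stand-in for an authenticated GET; None means the first page."""
    return PAGES[next_link]


def iter_assignments(fetch: Callable[[Optional[str]], str]):
    """Yield every assignment, following odata.nextLink until no link is returned."""
    next_link = None
    while True:
        page = json.loads(fetch(next_link))
        yield from page.get("value", [])
        next_link = page.get("odata.nextLink")
        if not next_link:
            return


def principals_by_role(fetch, app_roles) -> Dict[str, List[str]]:
    """Map each app role name (falling back to the raw id) to 'Type:displayName' entries."""
    names = {r["id"]: r.get("value") or r["id"] for r in app_roles}
    result: Dict[str, List[str]] = defaultdict(list)
    for a in iter_assignments(fetch):
        role = names.get(a["id"], a["id"])  # unknown id: keep it rather than drop it
        result[role].append(f'{a["principalType"]}:{a["principalDisplayName"]}')
    return dict(result)
```

Entries tagged `Group:` are not expanded by this call; to see which users actually hold the role through a group you still need a separate group-membership query.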