Azure AD Graph API: Is it possible to enumerate all groups associated with an application role?

175 views Asked by At

Is it possible to enumerate all users and/or groups associated with an application role using Azure Active Directory Graph API? If not, is there a programmatic work-around (as opposed to using the portal with AD Premium)?

I'm using the Microsoft.Azure.ActiveDirectory.GraphClient Nuget package which wraps the AD Graph API to fetch application roles associated with an application instance. Unfortunately the AppRole object doesn't include a method to fetch mapped principals.

1

There are 1 answers

0
Yi Li On

If you know the service principal that is associated with an application role, you can query for all the objects associated with that service principal (which include all the app roles):

https://graph.windows.net/myorganization/servicePrincipals/#objectId#/appRoleAssignedTo?api-version=1.5

The documentation for app role assignments are here: https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#AppRoleAssignmentEntity