Microsoft Graph API - Get users with specified app roles


I have a question about the Graph API. I need to download all users who have been assigned the app role "Role" in "ApplicationA". I need it to download all users with the required app role to send an email. I have tried various ways, through the list of users using the following API:

https://graph.microsoft.com/v1.0/users?$expand=appRoleAssignments&$count=true&$filter=appRoleAssignments/any(w:w/appRoleId eq {guid})

However, this returns the following error; I have of course tried similar options.

{
    "error": {
        "code": "Request_UnsupportedQuery",
        "message": "Property 'appRoleId' does not exist as a declared property or extension property.",
        "innerError": {
            "date": "2024-02-28T20:49:49",
            "request-id": "bf8991a4-82e9-4136-9664-1cebc1718ae0",
            "client-request-id": "bf8991a4-82e9-4136-9664-1cebc1718ae0"
        }
    }
}

I also tried using servicePrincipals. But this returns all users/applications assigned to the service principal and not just the role I need, and the filtering I tried with OData didn't work. Many items are downloaded:

https://graph.microsoft.com/v1.0/servicePrincipals(appId='{guid}')/appRoleAssignedTo

Do you know of a better solution? Thanks


There are 2 answers

Rukmini On

Note that the appRoleAssignments endpoint doesn't support filtering on appRoleId. Refer to this Microsoft Q&A by CarlZhao-MSFT. Hence getting users with specified app roles is not possible.

Assigned users and groups in the Enterprise application:


As a workaround you can list the roles assigned to the users and groups based on the resourceID.

For Users:

https://graph.microsoft.com/v1.0/Users/UserID/appRoleAssignments?$filter=resourceId eq ServicePrincipalObjID


For groups:

https://graph.microsoft.com/v1.0/groups/GroupID/appRoleAssignments?$filter=resourceId eq ServicePrincipalObjID


Tiny Wang On

It seems that getting users with specified app roles is not supported yet. And the API document doesn't have a description which supports the filter.


Therefore, we can only do the filter by ourselves. The code snippet below worked on my side.

using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;   // User, AppRoleAssignment, UserCollectionResponse

var scopes = new[] { "https://graph.microsoft.com/.default" };
var tenantId = "tenantId";          // placeholders: replace with your own values
var clientId = "clientId";
var clientSecret = "clientSecret";
var clientSecretCredential = new ClientSecretCredential(
                tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

// Expand each user's assignments; Graph does not allow $filter on appRoleId,
// so the match is done client-side below.
var page = await graphClient.Users.GetAsync((requestConfiguration) =>
{
    requestConfiguration.QueryParameters.Expand = new string[] { "appRoleAssignments($select=appRoleId,resourceDisplayName)" };
});

List<User> users = new List<User>();
while (page != null)
{
    foreach (var tempUser in page.Value ?? new List<User>())
    {
        // Users without any assignment come back with a null collection.
        foreach (var role in tempUser.AppRoleAssignments ?? new List<AppRoleAssignment>())
        {
            if (role.AppRoleId?.ToString() == "role_id_here")
            {
                users.Add(tempUser);
                break;
            }
        }
    }
    // Results are paged (100 users per page by default); follow @odata.nextLink
    // or only the first page of users is ever checked.
    if (string.IsNullOrEmpty(page.OdataNextLink)) break;
    page = await graphClient.Users.WithUrl(page.OdataNextLink).GetAsync();
}
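Both answers come down to the same thing: Graph will not filter on appRoleId for you, so the client has to page through a collection and match locally. The example below is added here and is not code from the question or from either answer. It shows the two routes side by side over a constructed, offline stand-in for Graph (the `fetch` callable replaces an authenticated HTTP GET, and every GUID, user and URL page is a made-up placeholder): route 1 expands `appRoleAssignments` on /users, as in the second answer, and route 2 walks the service principal's `appRoleAssignedTo`, the endpoint the question says returned "many items", and keeps only the wanted role. Two details a practitioner tends to get wrong are covered: `@odata.nextLink` paging is followed to the end, and route 1 matches on `resourceId` as well as `appRoleId`, so the same role GUID assigned on a different application is not counted. Group assignments are reported separately, since the first answer notes roles can be assigned to groups and their members would need a membership lookup.

```python
"""Client-side matching of Microsoft Graph app role assignments.

Added example, not the question's or either answer's code. `fetch` stands in
for an authenticated GET; the pages are constructed by hand to mimic real
response shapes, and every GUID is a made-up placeholder.
"""
from typing import Callable, Dict, Iterator, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed placeholder identifiers
SP_OBJECT_ID = "aaaaaaaa-0000-0000-0000-000000000001"   # ApplicationA's service principal objectId
TARGET_ROLE_ID = "11111111-1111-1111-1111-111111111111"  # appRoleId of "Role"
OTHER_ROLE_ID = "22222222-2222-2222-2222-222222222222"
OTHER_SP_ID = "bbbbbbbb-0000-0000-0000-000000000002"     # an unrelated application

USERS_URL = f"{GRAPH}/users?$expand=appRoleAssignments($select=appRoleId,resourceId)"
SP_URL = f"{GRAPH}/servicePrincipals/{SP_OBJECT_ID}/appRoleAssignedTo"

# Constructed paged responses keyed by URL, including @odata.nextLink hops.
SAMPLE_PAGES: Dict[str, dict] = {
    USERS_URL: {
        "value": [
            {"id": "u1", "userPrincipalName": "alice@contoso.example",
             "appRoleAssignments": [{"appRoleId": TARGET_ROLE_ID, "resourceId": SP_OBJECT_ID}]},
            {"id": "u2", "userPrincipalName": "bob@contoso.example",
             "appRoleAssignments": [{"appRoleId": OTHER_ROLE_ID, "resourceId": SP_OBJECT_ID}]},
        ],
        "@odata.nextLink": f"{GRAPH}/users?$skiptoken=page2",
    },
    f"{GRAPH}/users?$skiptoken=page2": {
        "value": [
            {"id": "u3", "userPrincipalName": "carol@contoso.example", "appRoleAssignments": []},
            {"id": "u4", "userPrincipalName": "dave@contoso.example",
             # same role GUID on another app must not count; GUID case may vary
             "appRoleAssignments": [{"appRoleId": TARGET_ROLE_ID, "resourceId": OTHER_SP_ID},
                                    {"appRoleId": TARGET_ROLE_ID.upper(), "resourceId": SP_OBJECT_ID}]},
        ],
    },
    SP_URL: {
        "value": [
            {"principalId": "u1", "principalType": "User", "appRoleId": TARGET_ROLE_ID},
            {"principalId": "u2", "principalType": "User", "appRoleId": OTHER_ROLE_ID},
        ],
        "@odata.nextLink": f"{SP_URL}?$skiptoken=page2",
    },
    f"{SP_URL}?$skiptoken=page2": {
        "value": [
            {"principalId": "g1", "principalType": "Group", "appRoleId": TARGET_ROLE_ID},
            {"principalId": "u4", "principalType": "User", "appRoleId": TARGET_ROLE_ID},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for an HTTP GET; raises KeyError for unknown URLs."""
    return SAMPLE_PAGES[url]


def iter_pages(fetch: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Yield every page, following @odata.nextLink until it is absent."""
    while url:
        page = fetch(url)
        yield page
        url = page.get("@odata.nextLink", "")


def users_with_role_via_users(fetch: Callable[[str], dict], role_id: str, sp_object_id: str) -> List[str]:
    """Route 1: expand every user's assignments and match on appRoleId AND resourceId."""
    want = (role_id.lower(), sp_object_id.lower())
    found: List[str] = []
    for page in iter_pages(fetch, USERS_URL):
        for user in page.get("value", []):
            for a in user.get("appRoleAssignments") or []:  # null/empty for users with none
                if (a.get("appRoleId", "").lower(), a.get("resourceId", "").lower()) == want:
                    found.append(user["userPrincipalName"])
                    break
    return found


def principals_with_role_via_sp(fetch: Callable[[str], dict], role_id: str,
                                sp_object_id: str) -> Tuple[List[str], List[str]]:
    """Route 2: list who is assigned to the service principal, keep the wanted role.
    Users and groups are returned separately; group members hold the role transitively."""
    url = f"{GRAPH}/servicePrincipals/{sp_object_id}/appRoleAssignedTo"
    users: List[str] = []
    groups: List[str] = []
    for page in iter_pages(fetch, url):
        for a in page.get("value", []):
            if a.get("appRoleId", "").lower() != role_id.lower():
                continue
            if a.get("principalType") == "User":
                users.append(a["principalId"])
            elif a.get("principalType") == "Group":
                groups.append(a["principalId"])
    return users, groups


if __name__ == "__main__":
    print(users_with_role_via_users(sample_fetch, TARGET_ROLE_ID, SP_OBJECT_ID))
    print(principals_with_role_via_sp(sample_fetch, TARGET_ROLE_ID, SP_OBJECT_ID))
```

Route 2 transfers far less data than route 1 when the tenant has many users and the application few assignees, because the response is already scoped to one service principal; route 1 is the only option when the caller is not permitted to read the service principal's assignments. In either case the role GUID comparison is done case-insensitively, since GUIDs copied from a manifest or a portal page may differ in case from what Graph returns.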