The Get-MgUserAppRoleAssignment cmdlet lets administrators retrieve the application role assignments granted to a specific user in Microsoft Entra ID (Azure AD). Each assignment records that the user has been granted an app role defined on an enterprise application's service principal, so together they describe the delegated access the user holds across those applications.
Syntax:
Get-MgUserAppRoleAssignment -UserId <String> [-All] [-Top <Int32>] [-Filter <String>] [-Property <String[]>] [-ExpandProperty <String[]>]
Key Parameter: -UserId (required) identifies the user whose assignments are returned. It accepts either the user principal name (UPN) or the user's object ID (GUID).
Get-MgUserAppRoleAssignment -UserId "samadmin@7xh7fj.onmicrosoft.com" |
Format-List Id, AppRoleId, CreatedDateTime, PrincipalDisplayName, PrincipalId, PrincipalType, ResourceDisplayName
This command fetches all app role assignments for the specified user and formats the selected properties into a readable list. Note that the assignment time is exposed as CreatedDateTime on the v1.0 cmdlet (CreationTimestamp is the legacy Azure AD Graph name and would show as empty here).
Get-MgUserAppRoleAssignment -UserId "alex.johnson@domain.com" -Top 5
Limits the result to the first 5 app role assignments for quicker retrieval and testing.
Get-MgUserAppRoleAssignment -UserId "alex.johnson@domain.com" -Property "AppRoleId", "ResourceDisplayName"
This command reduces the response payload by retrieving only the essential fields.
Get-MgUserAppRoleAssignment -UserId "alex.johnson@domain.com" |
Select-Object AppRoleId, ResourceDisplayName, PrincipalId |
Export-Csv -Path "UserAppRoleAssignments.csv" -NoTypeInformation
Exporting the assignments to CSV is useful for audit or reporting purposes.
| Error | Cause | Solution |
|---|---|---|
| AccessDenied or Insufficient privileges | The signed-in user doesn't have permission to call this API. | Ensure the signed-in account has the required Directory.Read.All or User.Read.All delegated or application permissions. |
| User not found | The -UserId value provided is incorrect or does not exist. | Verify the user ID (can be UPN or GUID). Try: Get-MgUser -UserId "samadmin@domain.com" |
| Invalid filter clause | The -Filter syntax is incorrect. | Refer to the OData filter query format and validate property names before use. |
The Get-MgUserAppRoleAssignment cmdlet is essential for gaining insights into what applications and roles a user has been assigned in your Microsoft 365 tenant. Whether you're auditing, troubleshooting, or just curious, this cmdlet provides a reliable way to uncover role-based access across apps. Use it in combination with CSV export and service principal queries to build a complete access matrix for your environment.
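The access matrix described above, as an added example that is not part of the original article: each assignment only carries an AppRoleId GUID, so the script looks up the service principal that defines the role (Get-MgServicePrincipal) to resolve it to a readable role name and value. It assumes an existing Connect-MgGraph session with read access to users and service principals (Directory.Read.All covers both); the UPN and output path are placeholders.

```powershell
# Added example, not the article's own code. Builds a per-user access matrix by
# resolving AppRoleId values against the AppRoles defined on each resource's
# service principal. Assumes Connect-MgGraph has already been run.
$UserId = 'samadmin@domain.com'   # placeholder, replace with a real UPN or object ID

# Cache service principals so each application is fetched once even if it grants many roles.
$spCache = @{}

$rows = foreach ($a in Get-MgUserAppRoleAssignment -UserId $UserId -All) {
    if (-not $spCache.ContainsKey($a.ResourceId)) {
        $spCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId `
            -Property Id, DisplayName, AppRoles
    }
    $sp = $spCache[$a.ResourceId]

    # An all-zero AppRoleId means "default access": the user is assigned to the app
    # without a specific role, which is typical for apps that define no app roles.
    if ($a.AppRoleId -eq '00000000-0000-0000-0000-000000000000') {
        $roleName  = '(default access)'
        $roleValue = $null
    } else {
        $role      = $sp.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        $roleName  = if ($role) { $role.DisplayName } else { '(role not found on service principal)' }
        $roleValue = if ($role) { $role.Value } else { $null }
    }

    [pscustomobject]@{
        User          = $a.PrincipalDisplayName
        Application   = $a.ResourceDisplayName
        ResourceId    = $a.ResourceId
        AppRoleId     = $a.AppRoleId
        RoleName      = $roleName
        RoleValue     = $roleValue
        PrincipalType = $a.PrincipalType
        AssignedOn    = $a.CreatedDateTime
    }
}

$rows | Sort-Object Application, RoleName | Format-Table -AutoSize
$rows | Export-Csv -Path 'UserAccessMatrix.csv' -NoTypeInformation   # placeholder path
```

Assignments a user inherits through a group are recorded on the group, not the user, so this listing covers direct assignments only; run the same lookup against Get-MgGroupAppRoleAssignment for the user's groups to complete the picture.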