M365Corner

๐Ÿ”ง New: User Management Graph PowerShell Toolkit

Simplify user tasks like bulk creation, updates, password resets, deletions, license checks & more โ€” all from one place.

๐Ÿš€ Launch Toolkit
M365 PowerShell

Get-MgUserAppRoleAssignment Cmdlet Guide

The Get-MgUserAppRoleAssignment cmdlet allows administrators to retrieve application role assignments that have been granted to a specific user in Microsoft Entra ID (Azure AD). These role assignments typically represent the delegated access a user has been given to enterprise applications through service principal definitions.


Cmdlet Syntax

Get-MgUserAppRoleAssignment -UserId  [-All] [-Top ] [-Filter ] [-Property ] [-ExpandProperty ]

Key Parameter:

  • -UserId: The unique identifier (GUID or UPN) of the user whose app role assignments you want to retrieve.

Usage Examples

  1. Retrieve All App Role Assignments for a Specific User
    2. Get-MgUserAppRoleAssignment -UserId "samadmin@7xh7fj.onmicrosoft.com" |
Format-List Id, AppRoleID, CreationTimestamp, PrincipalDisplayName, PrincipalId, PrincipalType, ResourceDisplayName

    This command fetches all app role assignments for the specified user and formats them into a readable list.

  2. Get Top 5 App Role Assignments
    3. Get-MgUserAppRoleAssignment -UserId "alex.johnson@domain.com" -Top 5

    Limits the result to the first 5 app role assignments for quicker retrieval and testing.

  3. Retrieve Specific Properties Only
    4. Get-MgUserAppRoleAssignment -UserId "alex.johnson@domain.com" -Property "AppRoleId", "ResourceDisplayName"

    This command reduces the response payload by retrieving only the essential fields.

  4. Export App Role Assignments to CSV
    5. Get-MgUserAppRoleAssignment -UserId "alex.johnson@domain.com" |
Select-Object AppRoleId, ResourceDisplayName, PrincipalId |
Export-Csv -Path "UserAppRoleAssignments.csv" -NoTypeInformation

    Useful for audit or reporting purposes.


Cmdlet Tips

  • Use the -All switch if your environment contains a large number of assignments and you want to bypass paging.
  • Use Select-Object and Export-Csv for cleaner reporting or dashboards.
  • Combine with Get-MgServicePrincipal to look up details of assigned apps using ResourceId.

Use Cases

  • ๐Ÿ” Audit User Access: Ensure users have only the necessary permissions assigned to them.
  • ๐Ÿ‘ฎ Security Reviews: Identify apps and roles a user has access to, especially during offboarding.
  • ๐Ÿ“Š Reporting & Compliance Export role assignments for periodic reviews or compliance reports.
  • ๐Ÿ› ๏ธ Debugging Access Issues: If a user cannot access an application, checking app role assignments can help identify misconfigurations.

Possible Errors & Solutions

Error Cause Solution
AccessDenied or Insufficient privileges The signed-in user doesnโ€™t have permission to call this API. Ensure the signed-in account has the required Directory.Read.All or User.Read.All delegated or application permissions
User not found The -UserId value provided is incorrect or does not exist. Verify the user ID (can be UPN or GUID). Try: Get-MgUser -UserId "samadmin@domain.com"
Invalid filter clause The -Filter syntax is incorrect Refer to the OData filter query format and validate property names before use.

๐Ÿ’ก App Role Assignments Include All Service Principal Types

The Get-MgUserAppRoleAssignment cmdlet retrieves app roles assigned directly to a user via service principals, which represent Azure AD applications. These service principals can correspond to custom enterprise apps, Microsoft 365 services, or third-party integrations. This provides admins with visibility into the source of delegated permissions and access scopes.
๐Ÿ” Use Filtering to Target Specific Assignments

Combine Get-MgUserAppRoleAssignment with Where-Object or -Filter to isolate app role assignments for a specific service principal or app name. This helps narrow down role mapping for auditing or compliance purposes.

Frequently Asked Questions

  • What does Get-MgUserAppRoleAssignment return?
    The cmdlet retrieves all app role assignments granted to a specific user in Microsoft Entra ID (Azure AD). These include both direct app role assignments and delegated permissions via service principals for enterprise applications.
  • Can I use Get-MgUserAppRoleAssignment to find permissions granted through groups?
    No. This cmdlet only retrieves direct app role assignments made to a user. To inspect permissions assigned through group memberships, you must query the groupโ€™s app role assignments separately using Get-MgGroupAppRoleAssignment.
  • Is administrator consent required to use Get-MgUserAppRoleAssignment?
    Yes, the cmdlet requires the AppRoleAssignment.Read.All or Directory.Read.All permission in Microsoft Graph. Admin consent is necessary before users can run the command successfully.
  • How can I identify which app or service the role assignment belongs to?
    Each app role assignment contains a ResourceId, which maps to a Service Principal in your directory. You can use: Get-MgServicePrincipal -ServicePrincipalId <ResourceId> to fetch the name and details of the corresponding application.

Conclusion

The Get-MgUserAppRoleAssignment cmdlet is essential for gaining insights into what applications and roles a user has been assigned in your Microsoft 365 tenant. Whether you're auditing, troubleshooting, or just curious, this cmdlet provides a reliable way to uncover role-based access across apps. Use it in combination with CSV export and service principal queries to build a complete access matrix for your environment.


Table of Contents

X

Table of Contents

Graph PowerShell Explorer Widget

20 Graph PowerShell cmdlets with easily accessible "working" examples.


Permission Required

Example:


                

                

                

                

                

            

        

    


 
            

        

    

    
    
    
    

        

            © m365corner.com. All Rights Reserved.
            Design by HTML Codex