Reputation: 59031
Using the AzureAD module, I can retrieve all delegated permissions for a service principal using the Get-AzureADServicePrincipalOAuth2PermissionGrant
cmdlet. However, I can't find a similar cmdlet to retrieve the application permissions for a service principal in this module.
Does the AzureAD module provide a way to retrieve application permissions for a service principal?
Upvotes: 4
Views: 12738
Reputation: 58908
Application permission assignments are represented as appRoleAssignments in the directory. It is literally assigning a role to the app's service principal.
With the V2 module:
There are two ways to approach getting the roles.
What permissions have been assigned to principal A?
Get-AzureADServiceAppRoleAssignedTo -ObjectId eea0d6cd-20e2-4b81-97ca-5b0cbffac985 | fl
Here I am getting what app permissions have been assigned to this principal.
Who has permissions on principal A?
Get-AzureADServiceAppRoleAssignment -ObjectId f004dde9-b40f-4259-91be-e257009a444a | fl
Here the object id is for Microsoft Graph. It lists out all principals who have been assigned any app permissions on it.
Either way you still get a list of AppRoleAssignments.
You will need to join the assignments with the right roles yourself. You can print out the app roles that, e.g., MS Graph offers quite easily:
$msGraph = Get-AzureADServicePrincipal -ObjectId f004dde9-b40f-4259-91be-e257009a444a
$msGraph.AppRoles | fl
Example:
AllowedMemberTypes : {Application}
Description : (Preview) Allows the app to read all files in all site collections without a signed in user.
DisplayName : Read files in all site collections (preview)
Id : 01d4889c-1287-42c6-ac1f-5d1e02578ef6
IsEnabled : True
Value : Files.Read.All
Upvotes: 8
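One way to do that join, as an added example that is not part of the answer above: it lists every application permission held by one service principal together with the role's Value and Description, by matching each AppRoleAssignment.Id against the AppRoles of the resource service principal. It assumes an active Connect-AzureAD session and that the placeholder object ID is replaced with a real one.

```powershell
# Added example: resolve a service principal's app-permission assignments
# (AppRoleAssignment objects) to readable role names. Assumes Connect-AzureAD
# has already been run; the object ID below is a placeholder, not a real value.
param(
    [string]$ServicePrincipalObjectId = '<client-sp-object-id>'
)

# 1. Every app role assigned to this principal: what it may do, on which resource.
#    -All $true avoids the default page size truncating the list.
$assignments = Get-AzureADServiceAppRoleAssignedTo -ObjectId $ServicePrincipalObjectId -All $true

# 2. Cache each resource's AppRoles so every resource SP is fetched only once.
$roleCache = @{}

foreach ($a in $assignments) {
    if (-not $roleCache.ContainsKey($a.ResourceId)) {
        $resourceSp = Get-AzureADServicePrincipal -ObjectId $a.ResourceId
        $roleCache[$a.ResourceId] = $resourceSp.AppRoles
    }

    # 3. The join: AppRoleAssignment.Id is the Id of an AppRole on the resource.
    $role = $roleCache[$a.ResourceId] | Where-Object { $_.Id -eq $a.Id }

    # A missing match means the role was removed or disabled on the resource
    # after assignment; surface the raw Id rather than silently dropping it.
    $value       = if ($role) { $role.Value }       else { "<unresolved role id $($a.Id)>" }
    $description = if ($role) { $role.Description } else { $null }
    $enabled     = if ($role) { $role.IsEnabled }   else { $null }

    [pscustomobject]@{
        Principal   = $a.PrincipalDisplayName
        Resource    = $a.ResourceDisplayName
        Permission  = $value      # e.g. Files.Read.All
        IsEnabled   = $enabled
        Description = $description
    }
}
```

Because application permissions act without a signed-in user, the Permission column is the list to review when auditing what an app can do on its own.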