Simon W

Reputation: 5496

Azure AD Graph API - App Role Assignments List

There is no documentation around how the Application Role Assignments list that is generated from this AAD Graph API call is determined:

https://graph.windows.net/contoso.com/users/[email protected]/appRoleAssignments

For instance, if the user has Office 365, no assigned Office 365 Apps appear in the Graph API response, yet if this user browses to https://myapps.microsoft.com/contoso.com they see them listed.

Can someone clarify the logic used to build the Apps returned in this list and if it is possible to retrieve all the applications assigned to the user?

Upvotes: 1

Views: 1852

Answers (1)

juunas

Reputation: 58723

The user's appRoleAssignments navigation property should contain all of the roles that the user has been assigned on apps. In case an app does not declare any appRoles that can be assigned to users, there will still be one entity here with an all-zeros GUID.

For example, I've assigned one of my test users to an app that has no roles, and Get-AzureADUserAppRoleAssignment -ObjectId user-object-id returns:

DeletionTimestamp    :
ObjectId             : 1YoOkUy2bESZDaQwZRhU0S-UYlhvd3FJsJikOAWHrsI
ObjectType           : AppRoleAssignment
CreationTimestamp    : 17.1.2016 15.40.03
Id                   : 00000000-0000-0000-0000-000000000000
PrincipalDisplayName : Test User
PrincipalId          : 910e8ad5-b64c-446c-990d-a430651854d1
PrincipalType        : User
ResourceDisplayName  : TodoService
ResourceId           : 6b5b5ad6-54ce-415f-ad04-0a276ce086b0

And also one for an app that does specify roles:

DeletionTimestamp    :
ObjectId             : 1YoOkUy2bESZDaQwZRhU0YAvk4B2fQdPqcTGnjNiP_0
ObjectType           : AppRoleAssignment
CreationTimestamp    :
Id                   : 06608f41-55fb-400a-8da2-3d51909a0449
PrincipalDisplayName : Test User
PrincipalId          : 910e8ad5-b64c-446c-990d-a430651854d1
PrincipalType        : User
ResourceDisplayName  : TestApp
ResourceId           : ecf84db8-3333-43d0-809a-aaef620a14bf

Note the Id property specifies the id of the role that the user has on that app. In the case of the first one, they just have general access.

As for why Office 365 apps don't show up there, if I recall correctly you do not assign them the same way through the Azure AD user management? The app assignments may be an internal thing in O365 and Azure AD does not know about it. License assignments can be found from the licenseDetails navigation property of the user (or Get-AzureADUserLicenseDetail with Azure AD v2 PowerShell).

Upvotes: 1
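An added example, not code from the question or answer above, that puts the answer's two points into one review script: it resolves each appRoleAssignment to a readable role name (treating the all-zeros Id as default access) and lists license-based entitlements separately. It assumes the AzureAD PowerShell module is installed, Connect-AzureAD has already been run, and the UPN passed in is a placeholder for a real user.

```powershell
# Added example (not the question's or answer's code): audit what a user is actually
# assigned, via appRoleAssignments plus licenseDetails. Assumes Connect-AzureAD was run.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # placeholder, e.g. someone@contoso.com
)

# As the answer notes, this Id means "assigned to an app that declares no appRoles".
$defaultAccessId = '00000000-0000-0000-0000-000000000000'

$user        = Get-AzureADUser -ObjectId $UserPrincipalName
$assignments = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId

# Fetch each resource service principal once, even if the user holds several roles on it.
$spCache = @{}

$report = foreach ($a in $assignments) {
    if (-not $spCache.ContainsKey($a.ResourceId)) {
        $spCache[$a.ResourceId] = Get-AzureADServicePrincipal -ObjectId $a.ResourceId
    }
    $sp = $spCache[$a.ResourceId]

    if ($a.Id -eq $defaultAccessId) {
        $roleName = '(default access - app declares no user-assignable roles)'
    } else {
        # The assignment's Id is the role id; look it up in the app's declared AppRoles.
        $role = $sp.AppRoles | Where-Object { $_.Id -eq $a.Id }
        $roleName = if ($role) { "$($role.DisplayName) [$($role.Value)]" }
                    else       { "unknown role $($a.Id) (role removed or app changed)" }
    }

    [pscustomobject]@{
        App           = $a.ResourceDisplayName
        RoleId        = $a.Id
        Role          = $roleName
        PrincipalType = $a.PrincipalType   # User vs Group shows how access was granted
        Assigned      = $a.CreationTimestamp
    }
}

$report | Sort-Object App | Format-Table -AutoSize

# Office 365 entitlements are licensing, not app role assignments, so list them separately.
Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId |
    Select-Object SkuPartNumber, @{ n = 'EnabledPlans'; e = {
        ($_.ServicePlans | Where-Object ProvisioningStatus -eq 'Success' |
            Select-Object -ExpandProperty ServicePlanName) -join ', ' } }
```

Rows whose Role shows as unknown are worth a second look in an access review: the assignment still exists in the directory even though the app no longer advertises that role.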
