Reputation: 428
Retrieve User Details and Roles for an Azure AD application using Microsoft Graph API
I'm attempting to get user details for a particular enterprise application in Azure AD, using the Microsoft Graph API.
I'm able to successfully retrieve users of the application using:
https://graph.microsoft.com/v1.0/servicePrincipals/{objectId}/appRoleAssignedTo
However, the users details are left out; such as, contact details, email. It also has a duplicate entry for each role assigned to a user.
I'm able to get these user details if I query:
https://graph.microsoft.com/v1.0/users
However, this retrieves all users in the organization, and I've not been successful with filtering the list in the query for a given application.
Using the $expand operator does not seem implemented either.
Seems like this would be a common use case for an application; Who are my users and what are their roles and details? How would one best approach this with the Graph API?
Upvotes: 0
Views: 3471
Answers (1)
Reputation: 3575
Individually,
You can get the appRoles of an Azure AD application using the below query.
https://graph.microsoft.com/v1.0/serviceprincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53
and check the appRoles property.
And you can get the user details using the below query.
https://graph.microsoft.com/v1.0/users/4ef105cc-508b-41c4-a5d2-7d41f2244c4c
And you can get the group details using the below query.
https://graph.microsoft.com/v1.0/groups/0023c709-3556-4296-a6ab-6df2a0a1113c
In your case you need to call the same call that you specified
https://graph.microsoft.com/v1.0/servicePrincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53/appRoleAssignedTo
This will return all the users and groups assigned app roles and you can pull the principal id from these app role assignment objects as shown below which are nothing but the userid of the user that the role was assigned to and in the groups case its the group id of the group which gives the group details.
You can differentiate user and group by principaltype and according to that you can call the above http calls(User or group) and get those details.
The duplicate ones need to be coded on our end to avoid it.
My Example JSON Data:-
For getting users and groups assigned app roles
GET https://graph.microsoft.com/v1.0/servicePrincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53/appRoleAssignedTo
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('07fce81e-8069-4ccb-9775-63f96d1f4e53')/appRoleAssignedTo",
"value": [
{
"id": "zAXxTotQxEGl0n1B8iRMTPwz3O48iw9Oq3aFtqfYVjA",
"deletedDateTime": null,
"appRoleId": "00000000-0000-0000-0000-000000000000",
"createdDateTime": "2020-06-01T19:21:01.4268687Z",
"principalDisplayName": "Nishant Singh",
"principalId": "4ef105cc-508b-41c4-a5d2-7d41f2244c4c",
"principalType": "User",
"resourceDisplayName": "testspaquestion",
"resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
},
{
"id": "Y3tbwNOvDkqKK9yLxJ5wp2-uBAbApk9LoMs6AN_7iSs",
"deletedDateTime": null,
"appRoleId": "00000000-0000-0000-0000-000000000000",
"createdDateTime": "2020-06-01T18:47:47.2702435Z",
"principalDisplayName": "Sruthi J",
"principalId": "c05b7b63-afd3-4a0e-8a2b-dc8bc49e70a7",
"principalType": "User",
"resourceDisplayName": "testspaquestion",
"resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
},
{
"id": "CccjAFY1lkKmq23yoKERPBqNLldhOdBAm0lJzewK0Nk",
"deletedDateTime": null,
"appRoleId": "00000000-0000-0000-0000-000000000000",
"createdDateTime": "2020-07-23T17:34:53.9538274Z",
"principalDisplayName": "Bgroup",
"principalId": "0023c709-3556-4296-a6ab-6df2a0a1113c",
"principalType": "Group",
"resourceDisplayName": "testspaquestion",
"resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
}
]
}
After querying the above, pull the principalid of each record and accordingly call user endpoint or group endpoint according to principaltype.
Get https://graph.microsoft.com/v1.0/users/4ef105cc-508b-41c4-a5d2-7d41f2244c4c //principalId
Let me know if you have any queries.
Upvotes: 1
Related Questions
- Retrieve Roles and Users per Application in Microsoft Graph
- Is there way to retrieve appRoleName using Graph API call?
- Azure Ad/Microsoft Graph get all users with specific approle
- api to get list of users assigned to a particular custom role in Azure AD
- Getting azure ad users list for specific application with graph api
- Fetching user information from Azure AD
- Programatically get users group and role from Azure AD
- Azure AD Graph API - App Role Assignments List
- How to get AppRole for azure active directory user using Microsoft Graph API
- Get Azure Active Directory application users and roles