Get-EntraServicePrincipalAppRoleAssignedTo
Gets app role assignments for this app or service, granted to users, groups and other service principals.
Syntax
Default (Default)
Get-EntraServicePrincipalAppRoleAssignedTo
-ServicePrincipalId <String>
[-Top <Int32>]
[-Property <String[]>]
[<CommonParameters>]
Description
The Get-EntraServicePrincipalAppRoleAssignedTo cmdlet gets app role assignments for this app or service, granted to users, groups and other service principals.
For delegated scenarios, the calling user needs at least one of the following Microsoft Entra roles.
- Directory Synchronization Accounts
- Directory Writer
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- User Administrator
- Application Administrator
- Cloud Application Administrator
Examples
Example 1: Retrieve the app role assignments
Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
Get-EntraServicePrincipalAppRoleAssignedTo -ServicePrincipalId $servicePrincipal.Id
This example shows how to get app role assignments for an app or service, granted to users, groups and other service principals.
The first command gets the ID of a service principal and stores it in the $ServicePrincipalId variable.
The second command gets the app role assignments for the service principal granted to users, groups and other service principals.
Example 2: Get all app role assignments
Connect-Entra -Scopes 'Application.Read.All'
$servicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
Get-EntraServicePrincipalAppRoleAssignedTo -ServicePrincipalId $servicePrincipal.Id -All
DeletedDateTime Id AppRoleId CreatedDateTime PrincipalDisplayName PrincipalId
--------------- -- --------- --------------- -------------------- -----------
1aaaaaa1-2bb2-3cc3-4dd4-5eeeeeeeeee5 00000000-0000-0000-0000-000000000000 20/10/2023 17:03:41 Entra-App-Testing aaaaaaaa-bbbb-cccc-1111-222222222222
2bbbbbb2-3cc3-4dd4-5ee5-6ffffffffff6 00000000-0000-0000-0000-000000000000 20/10/2023 17:03:38 Entra-App-Testing aaaaaaaa-bbbb-cccc-1111-222222222222
3cccccc3-4dd4-5ee5-6ff6-7aaaaaaaaaa7 00000000-0000-0000-0000-000000000000 20/10/2023 17:03:37 Entra-App-Testing aaaaaaaa-bbbb-cccc-1111-222222222222
4dddddd4-5ee5-6ff6-7aa7-8bbbbbbbbbb8 00000000-0000-0000-0000-000000000000 20/10/2023 17:03:39 Entra-App-Testing aaaaaaaa-bbbb-cccc-1111-222222222222
5eeeeee5-6ff6-7aa7-8bb8-9cccccccccc9 00000000-0000-0000-0000-000000000000 20/10/2023 17:03:39 Entra-App-Testing aaaaaaaa-bbbb-cccc-1111-222222222222
This command gets the all app role assignments for the service principal granted to users, groups and other service principals.
Example 3: Get five app role assignments
$servicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'Helpdesk Application'"
Get-EntraServicePrincipalAppRoleAssignedTo -ServicePrincipalId $servicePrincipal.Id -Top 5
DeletedDateTime Id AppRoleId CreatedDateTime PrincipalDisplayName PrincipalId
--------------- -- --------- --------------- -------------------- -----------
1aaaaaa1-2bb2-3cc3-4dd4-5eeeeeeeeee5 00000000-0000-0000-0000-000000000000 20/10/2023 17:03:41 Entra-App-Testing aaaaaaaa-bbbb-cccc-1111-222222222222
2bbbbbb2-3cc3-4dd4-5ee5-6ffffffffff6 00000000-0000-0000-0000-000000000000 20/10/2023 17:03:38 Entra-App-Testing aaaaaaaa-bbbb-cccc-1111-222222222222
3cccccc3-4dd4-5ee5-6ff6-7aaaaaaaaaa7 00000000-0000-0000-0000-000000000000 20/10/2023 17:03:37 Entra-App-Testing aaaaaaaa-bbbb-cccc-1111-222222222222
4dddddd4-5ee5-6ff6-7aa7-8bbbbbbbbbb8 00000000-0000-0000-0000-000000000000 20/10/2023 17:03:39 Entra-App-Testing aaaaaaaa-bbbb-cccc-1111-222222222222
5eeeeee5-6ff6-7aa7-8bb8-9cccccccccc9 00000000-0000-0000-0000-000000000000 20/10/2023 17:03:39 Entra-App-Testing aaaaaaaa-bbbb-cccc-1111-222222222222
This command gets the five app role assignments for the service principal granted to users, groups and other service principals. You can use -Limit as an alias for -Top.
Parameters
-All
List all pages.
Parameter properties
| Type: | System.Management.Automation.SwitchParameter |
| Default value: | False |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Property
Specifies properties to be returned
Parameter properties
| Type: | System.String[] |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | Select |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-ServicePrincipalId
Specifies the ID of a service principal in Microsoft Entra ID.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | ObjectId |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-Top
Specifies the maximum number of records to return.
Parameter properties
| Type: | System.Int32 |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | Limit |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
System.String
System.Nullable`1[[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] System.Nullable`1[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]
Outputs
System.Object
Notes
Get-EntraServiceAppRoleAssignedTo is an alias for Get-EntraServicePrincipalAppRoleAssignedTo.