Inconsistent behavior when getting app role assignments for a Service Principal using Graph API/SDK/Portal

Gaurav Mantri 6 Reputation points
2022-09-29T16:30:11.193+00:00

I am trying to get the app role assignments for a Service Principal in my Azure AD and seeing inconsistent behavior.

Background

I created an application in my Azure AD and defined some app roles for the same. The application is a single-tenant application. A Service Principal (SP) was created for this application.

I then assigned an app role to some of the users and a group for that SP. This all worked very well.

When I go check the properties of the users and the group for app role assignments, I can see there that proper app role assignments are returned.

Inconsistency #1

When I go to "Users and groups" under my SP in Azure Portal, it only lists the users that are assigned app roles. It does not list the group that has been assigned an app role.

I see the same behavior when I invoke the Graph API directly. The API I am calling is List appRoleAssignments granted for a service principal. Only users are returned and not the group. The URL I am calling here is https://graph.microsoft.com/v1.0/servicePrincipals/<service-principal-id>/appRoleAssignedTo.

I also see the same behavior when I use Microsoft.Graph .Net SDK (version 4.41.0). Here's the relevant snippet of my code:

   using Azure.Identity;
   using Microsoft.Graph;

   // DefaultAzureCredential picks up the ambient identity (CLI, environment, managed identity, ...)
   var authProvider = new TokenCredentialAuthProvider(new DefaultAzureCredential());
   var graphServiceClient = new GraphServiceClient("https://graph.microsoft.com/v1.0", authProvider);
   // GET /servicePrincipals/{id}/appRoleAssignedTo
   var request = graphServiceClient.ServicePrincipals["my-service-principal-id"].AppRoleAssignedTo.Request();
   var response = await request.GetAsync(); // response only contains users

Inconsistency #2

Then I tried the answer provided at https://stackoverflow.com/questions/67683609/how-to-get-approleassignedto-for-microsoft-azure-applications and called the Get servicePrincipal API with the $expand=appRoleAssignedTo query parameter. The URL I am calling here is https://graph.microsoft.com/v1.0/servicePrincipals/<service-principal-id>?$expand=appRoleAssignedTo

I am able to get the SP details, and I also see the appRoleAssignedTo attribute in the response; however, this time I only see the group in the response and not the users.

I am wondering why I am seeing this inconsistent behavior and what I can do to get the proper app role assignments for an SP.

To Summarize:

  • List appRoleAssignments granted for a service principal API only returns users and not groups.
  • Get servicePrincipal API with $expand=appRoleAssignedTo only returns the group and not the users.
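The post compares two Graph endpoints and the raw appRoleAssignment objects they return. When reviewing who holds an app role on a service principal (an access-review or least-privilege check), the two things worth verifying before concluding that a principal is missing are that every page of the collection was read (Graph returns an `@odata.nextLink` when results are paged) and that assignments are bucketed by `principalType` (User, Group, ServicePrincipal), since a group assignment appears as one entry rather than as its members. The following is an added example, not code from the question or from the Microsoft Graph SDK; it follows `@odata.nextLink` over the `/servicePrincipals/{id}/appRoleAssignedTo` collection and summarizes the result by principal type. The HTTP client is injected so the example runs offline against constructed sample pages; the service principal id, skiptoken and principal names are placeholders.

```python
"""Collect every appRoleAssignment granted for a service principal across paged
Graph responses and summarize the principals by type.
Added example (not from the question or the Graph SDK); sample data is constructed."""
import json
from collections import defaultdict
from typing import Callable, Dict, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"


def iter_app_role_assigned_to(sp_id: str, fetch_json: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every appRoleAssignment from /servicePrincipals/{id}/appRoleAssignedTo,
    following @odata.nextLink until the server stops returning one.

    fetch_json is an injected callable that performs an authenticated GET on a URL
    and returns the parsed JSON body (so the paging logic is testable offline)."""
    url = f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignedTo"
    while url:
        page = fetch_json(url)
        for assignment in page.get("value", []):
            yield assignment
        url = page.get("@odata.nextLink")  # None on the last page ends the loop


def summarize_by_principal_type(assignments) -> Dict[str, List[str]]:
    """Group principalDisplayName values by principalType (User, Group, ServicePrincipal).
    A group assignment shows up once, as the group, not as its members."""
    summary: Dict[str, List[str]] = defaultdict(list)
    for a in assignments:
        summary[a.get("principalType", "Unknown")].append(a["principalDisplayName"])
    return dict(summary)


# Constructed sample: two pages shaped like the Graph collection response.
SP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder service principal id
_PAGE1_URL = f"{GRAPH}/servicePrincipals/{SP_ID}/appRoleAssignedTo"
_PAGE2_URL = _PAGE1_URL + "?$skiptoken=constructed-token"  # placeholder paging token
_SAMPLE_PAGES = {
    _PAGE1_URL: {
        "value": [
            {"id": "a1", "principalType": "User", "principalDisplayName": "Alice",
             "appRoleId": "r1", "resourceId": SP_ID},
            {"id": "a2", "principalType": "User", "principalDisplayName": "Bob",
             "appRoleId": "r1", "resourceId": SP_ID},
        ],
        "@odata.nextLink": _PAGE2_URL,
    },
    _PAGE2_URL: {
        "value": [
            {"id": "a3", "principalType": "Group", "principalDisplayName": "App Admins",
             "appRoleId": "r2", "resourceId": SP_ID},
        ],
    },
}


def sample_fetch_json(url: str) -> dict:
    """Offline stand-in for an authenticated GET; serves the constructed pages above."""
    return _SAMPLE_PAGES[url]


def audit_sample() -> Dict[str, List[str]]:
    """Run the paged collection plus summary over the constructed sample."""
    return summarize_by_principal_type(iter_app_role_assigned_to(SP_ID, sample_fetch_json))


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Against a real tenant, `fetch_json` would be a function that attaches a bearer token from `DefaultAzureCredential` (or the SDK's own page iterator) and issues the GET; the paging and bucketing logic is the same. Reading only the first page, or only looking at one principal type, is the kind of gap that makes an assignment look absent when it is not.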