How to return Graph API permission 'Name' attribute when you only have the ID?

Johnathan Welker 86 Reputation points
2023-08-08T18:17:22.19+00:00

Hello,

When I leverage the Get-MgServicePrincipalAppRoleAssignment command, I am returned a list of 'AppRoleId's without any indication of a readable 'Name'. Sample below:User's image

I'm looking for any way to correlate these IDs with their names programmatically. For example, referencing the Permissions Reference site, I can see they correlate to Group.Read.All and AuditLog.Read.All, both of the 'Application' type since that's what the above command returns.

Is there anyway to make another call and correlate the IDs with the names? I saw one script on Github that copy and pasted the entire permission name and ID table and does a lookup. That seems a little wild, but I get why they did it. I can't find anything that allows that currently either.

Any help is appreciated, thank you.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,773 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,444 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,265 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 103.4K Reputation points MVP
    2023-08-09T07:58:20.92+00:00

    To get those values, you need to get the definition out of the corresponding service principal object. The AppRoles property will list any application permissions, whereas the publishedPermissionScopes one will list delegate permissions. You then filter the corresponding entry based on its id.

    For example, if you have an app leveraging the Graph API, you need to find the corresponding service principal (the one with appID matching the resourceID value, in this case 00000003-0000-0000-c000-000000000000) and expand its definition to get the properties above. Then, for any specific AppRoleId as listed above, you match it against the set of roles/scopes.

    I have a sample script that reports on apps that uses this method, take a look and "borrow" the code as you see fit: https://www.michev.info/blog/post/3665/azure-ad-application-registration-inventory-script


1 additional answer

Sort by: Most helpful
  1. Limitless Technology 44,206 Reputation points
    2023-08-09T08:16:18.1533333+00:00

    Hello Johnathan,

    Thank you for your question and for reaching out with your question today.

    It seems like you're trying to retrieve the readable 'Name' attribute for Graph API permissions using PowerShell and the Get-MgServicePrincipalAppRoleAssignment command. The information you want, such as permission names, might not be directly retrievable using this specific command alone.

    To map the IDs to permission names programmatically, you have a few options:

    1. Use the Permissions Reference Site: As you've mentioned, you can manually cross-reference the IDs with their names using the Permissions Reference site provided by Microsoft. This might involve copying and pasting the necessary information into your script, but it's a reliable method.
    2. Query Microsoft Graph API: You can use Microsoft Graph API to retrieve information about application permissions. By using the /servicePrincipals/{id} endpoint, you might be able to get more details about the permissions associated with the ID, including their names. This might require additional scripting and handling authentication to query the Graph API.
    3. Leverage Cached Data: If you find that permission names are relatively static and don't change frequently, you could create a local lookup table or cache the permission names to avoid frequent lookups to the Permissions Reference site.
    4. Graph SDK: If you're open to using the Microsoft Graph SDK in PowerShell, you might be able to use the SDK's features to retrieve more comprehensive information about permissions.

    Remember that interacting with Microsoft Graph API often requires proper authentication and handling of tokens. If you're not able to retrieve the permission names directly from the Get-MgServicePrincipalAppRoleAssignment command, you might need to combine it with other approaches to achieve your goal.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.