servicePrincipals?$expand=appRoleAssignedTo incomplete result

Question

For an inventory script, I use servicePrincipals?$expand=appRoleAssignedTo to get all serviceprinciples including "approleassignedTo" info.

To make an inventory of the approle assignments, I loop through all apps (~2250) and for each app, I loop through approles, and foreach approle I loop through appRoleAssignedTo data.

In my environment this results in ~3000 approle assignments.

When I analyze the result, I estimate 5% of all role assignments are missing.
I do see all roles, but not all roleassignments. When I look the assignments up in the Entra portal I do see them.
The missing role assignment aren't special, they are assigned to normal Entra ID groups like other assigned approles.

When I rerun the script, the same assignments are missing each time.

When I don't use $expand query parameter, but query the data directly using 'servicePrincipals/{id}/appRoleAssignedTo', I do get all assignments.

Did I run into a bug?

Answer 1

As noted in https://developer.microsoft.com/en-us/graph/known-issues/?search=13635:

The following limitations apply to query parameters:

• $expand on relationships of directory objects:
  • Returns a maximum of 20 objects except for /users?$expand=registeredDevices which returns up to 100 objects.
  • No support for @odata.nextLink.
  • No support for more than one level of expand.
  • No support for nesting other query parameters such as $filter and $select inside an $expand query.

Hence the proper way is to run individual requests instead of relying on $expand.