Where to see a list of Azure AD roles that a service principal has?

Henry Zhang 1 Reputation point
2022-03-17T22:29:39.28+00:00

Per my stack overflow ticket: https://stackoverflow.com/questions/71519494/where-to-see-a-list-of-azure-ad-roles-that-a-serivice-princple-have
Where to see a list of Azure AD roles that a service principal has?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

3 answers

Sort by: Most helpful
  1. Andy David - MVP 152.3K Reputation points MVP
    2022-03-17T22:41:04.457+00:00
    2 people found this answer helpful.

  2. JamesTran-MSFT 36,811 Reputation points Microsoft Employee
    2022-04-07T22:36:23.127+00:00

    @Henry Zhang
    Thank you for following up on this and I apologize for the delayed response!

    When it comes to getting a list of Azure AD roles assigned to a Service Principal, you should be able to do this using the List unifiedRoleAssignments API within Graph Explorer.

    GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=principalId eq 'ServicePrincipalObjectID'  
    


    For more info:
    List Azure AD role assignments
    Use Graph Explorer to try Microsoft Graph APIs

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.



  3. Kenny Kawahara 41 Reputation points
    2023-02-02T18:16:12.1833333+00:00

    @JamesTran-MSFT

Been searching for an answer to the same question as the original post. I have tried a few methods, including what you proposed with the Graph API; however, I do not get the expected results.

    I have a MS-managed managed identity to which I have assigned the Key Vault Secret User role. If I run the following command from cli:

    az role assignment list --scope /subscriptions/<subscription id>/resourceGroups/<rg name>/providers/Microsoft.KeyVault/vaults/<kv name> --assignee <managed-id id>
    

    then I get an expected result of the role assignment at the specified scope. However, as with the original post, I am actually interested in getting ALL roles assigned to the managed-id id. So instead I would like to run:

    az role assignment list --assignee <managed-id id> --all
    

    However, I get the error:

    group or scope are not required when --all is used

    Testing the method you mention with the graph api:

    https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=principalId eq '<managed-id id>'  
    

    returns an empty result.

    Any ideas? I get the sense that the azurecli command is close, but I can't for the life of me understand why I get the error regarding group/scope.

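The two answers above query two different authorization planes, and a single script that reads both makes the difference visible. The Graph `roleManagement/directory/roleAssignments` call in JamesTran's answer returns Microsoft Entra directory roles (Global Administrator, Directory Readers, and so on); Azure RBAC assignments such as Key Vault Secrets User live in Azure Resource Manager and are only visible through `az role assignment list`, so an RBAC-only managed identity legitimately gets an empty `value` array from Graph. Two practical checks go with this: the id passed as `principalId` in the Graph filter and as `--assignee` to the CLI should be the object (principal) id of the service principal, not the client id or, for a managed identity, its ARM resource id; and the CLI's `--all` flag only spans the current subscription, so a principal with assignments elsewhere needs one call per subscription. The `group or scope are not required when --all is used` error is raised whenever a resource group or scope reaches the command alongside `--all`; a default resource group set earlier with `az configure --defaults group=...` is one common way for that to happen without it appearing on the command line, and `az configure --defaults group=''` clears it. The script below is an added example, not code from this thread or from Microsoft; it assumes an Azure CLI session (`az login`) for the live path, uses `az rest` so the CLI obtains the Graph token (reading another principal's directory roles still requires suitable directory permissions on the signed-in account), and the sample responses, principal id and subscription id embedded in it are constructed for offline use.

```python
"""Report every role held by a service principal or managed identity on both
planes discussed in the thread: Microsoft Entra directory roles (Microsoft
Graph) and Azure RBAC role assignments (`az role assignment list`).

Added example, not code from the original thread. The live path needs an
`az login` session; the parsing functions run offline on the samples below.
"""
import json
import subprocess
import sys
import uuid
from typing import Any

GRAPH = "https://graph.microsoft.com/v1.0"


def directory_role_assignments_url(principal_object_id: str) -> str:
    """Graph request for the principal's Entra directory role assignments.

    principalId is the service principal's object id (for a managed identity
    its principalId, not the clientId or the ARM resource id).
    $expand=roleDefinition returns the role displayName in the same call.
    """
    # Object ids are GUIDs; rejecting anything else keeps untrusted input
    # from rewriting the OData $filter.
    uuid.UUID(principal_object_id)
    return (f"{GRAPH}/roleManagement/directory/roleAssignments"
            f"?$filter=principalId eq '{principal_object_id}'"
            f"&$expand=roleDefinition")


def summarize_directory_roles(page: dict[str, Any]) -> list[dict[str, str]]:
    """Flatten one Graph roleAssignments page into (plane, role, scope) rows.
    An empty 'value' means no directory role; Azure RBAC assignments never
    appear here, whatever the principal holds in ARM."""
    rows = []
    for ra in page.get("value", []):
        rd = ra.get("roleDefinition") or {}
        rows.append({
            "plane": "entra-directory",
            "role": rd.get("displayName") or ra.get("roleDefinitionId", "?"),
            "scope": ra.get("directoryScopeId", "/"),  # "/" means tenant-wide
        })
    return rows


def summarize_rbac(az_output: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Flatten `az role assignment list -o json` output into the same shape."""
    return [{
        "plane": "azure-rbac",
        "role": ra.get("roleDefinitionName") or ra.get("roleDefinitionId", "?"),
        "scope": ra.get("scope", "?"),
    } for ra in az_output]


def merged_report(graph_pages: list[dict[str, Any]],
                  rbac_outputs: list[list[dict[str, Any]]]) -> list[dict[str, str]]:
    rows = []
    for page in graph_pages:
        rows.extend(summarize_directory_roles(page))
    for out in rbac_outputs:
        rows.extend(summarize_rbac(out))
    return rows


def az_json(args: list[str]) -> Any:
    """Run an az command and parse its JSON output (raises on CLI errors)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else []


def fetch_all(principal_object_id: str) -> list[dict[str, str]]:
    """Live path: Graph via `az rest` (follows @odata.nextLink paging), then
    RBAC once per enabled subscription, because --all only covers the
    subscription the CLI is currently pointed at."""
    pages, url = [], directory_role_assignments_url(principal_object_id)
    while url:
        page = az_json(["rest", "--method", "get", "--url", url])
        pages.append(page)
        url = page.get("@odata.nextLink")
    subs = az_json(["account", "list", "--query", "[?state=='Enabled'].id"])
    rbac = [az_json(["role", "assignment", "list", "--all", "--include-inherited",
                     "--assignee", principal_object_id, "--subscription", sub])
            for sub in subs]
    return merged_report(pages, rbac)


# Constructed samples (not captured from a real tenant): a principal holding
# the Directory Readers directory role and Key Vault Secrets User on one vault.
SAMPLE_PRINCIPAL = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_GRAPH_PAGE = {"value": [{
    "id": "ra-constructed-1",
    "principalId": SAMPLE_PRINCIPAL,
    "directoryScopeId": "/",
    "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
    "roleDefinition": {"displayName": "Directory Readers",
                       "templateId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"},
}]}
SAMPLE_RBAC = [{
    "principalId": SAMPLE_PRINCIPAL,
    "principalType": "ServicePrincipal",
    "roleDefinitionName": "Key Vault Secrets User",
    "roleDefinitionId": f"/subscriptions/{SAMPLE_SUB}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
    "scope": f"/subscriptions/{SAMPLE_SUB}/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo",
}]

if __name__ == "__main__":
    # Pass the principal's object id to query live; otherwise show the samples.
    rows = (fetch_all(sys.argv[1]) if len(sys.argv) > 1
            else merged_report([SAMPLE_GRAPH_PAGE], [SAMPLE_RBAC]))
    for r in rows:
        print(f"{r['plane']:16} {r['role']:28} {r['scope']}")
```

Run it as `python roles.py <principal-object-id>` to see both planes in one listing; run it with no argument to see the shape of the output on the constructed samples. If the Graph half comes back empty while the RBAC half lists the expected Key Vault assignment, that is the normal outcome for a managed identity that has only ever been granted Azure RBAC roles.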
