Would this work?
https://learn.microsoft.com/en-us/powershell/azure/active-directory/list-service-principal-application-roles?view=azureadps-2.0
Where to see a list of Azure AD roles that a service principal has?
Per my stack overflow ticket: https://stackoverflow.com/questions/71519494/where-to-see-a-list-of-azure-ad-roles-that-a-serivice-princple-have
JamesTran-MSFT 36,811 Reputation points Microsoft Employee
2022-04-07T22:36:23.127+00:00 @Henry Zhang
Thank you for following up on this and I apologize for the delayed response! When it comes to getting a list of Azure AD roles assigned to a Service Principal, you should be able to do this using the List unifiedRoleAssignments API within Graph Explorer.
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=principalId eq 'ServicePrincipalObjectID'
For more info:
List Azure AD role assignments
Use Graph Explorer to try Microsoft Graph APIs
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Kenny Kawahara 41 Reputation points
2023-02-02T18:16:12.1833333+00:00 Been searching for an answer to the same question as the original post. I have tried a few methods, including what you proposed with the graph api; however, I do not get expected results.
I have a MS-managed managed identity to which I have assigned the Key Vault Secret User role. If I run the following command from cli:
az role assignment list --scope /subscriptions/<subscription id>/resourceGroups/<rg name>/providers/Microsoft.KeyVault/vaults/<kv name> --assignee <managed-id id>
then I get an expected result of the role assignment at the specified scope. However, as with the original post, I am actually interested in getting ALL roles assigned to the managed-id id. So instead I would like to run:
az role assignment list --assignee <managed-id id> --all
However, I get the error:
group or scope are not required when --all is used
Testing the method you mention with the graph api:
https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=principalId eq '<managed-id id>'
returns an empty result.
Any ideas? I get the sense that the Azure CLI command is close, but I can't for the life of me understand why I get the error regarding group/scope.
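An added audit helper (editor's example, not code from either poster or from Microsoft) that queries both places a principal's privileges can live: the Graph roleAssignments collection from the accepted answer covers only Azure AD directory roles, while Azure RBAC roles such as Key Vault Secrets User are returned by `az role assignment list`, so an empty Graph result for the managed identity above is expected rather than an error. The `fetch` and `lister` parameters are injection points (an assumption of this example) so the join logic can be exercised on constructed data without a tenant; the sample identifiers are placeholders.

```python
import json
import subprocess
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"


def assignments_url(principal_id):
    """Graph query for the directory role assignments of one principal."""
    return f"{GRAPH}/roleAssignments?$filter=" + quote(f"principalId eq '{principal_id}'")


def graph_get(url):
    """GET a Graph collection through the signed-in az CLI session (az rest)."""
    out = subprocess.check_output(["az", "rest", "--method", "GET", "--url", url])
    return json.loads(out)["value"]


def az_rbac_list(principal_id):
    """ARM-plane (Azure RBAC) role assignments for the principal at every scope."""
    out = subprocess.check_output(
        ["az", "role", "assignment", "list", "--assignee", principal_id, "--all", "-o", "json"])
    return json.loads(out)


def directory_roles(principal_id, fetch=graph_get):
    """Display names of the Azure AD directory roles held by principal_id.

    An empty list is the normal answer for an identity that only holds
    Azure RBAC roles; those never appear in this Graph collection.
    """
    assignments = fetch(assignments_url(principal_id))
    if not assignments:
        return []
    # Graph returns roleDefinitionId only, so resolve names via roleDefinitions.
    names = {d["id"]: d["displayName"] for d in fetch(f"{GRAPH}/roleDefinitions")}
    return sorted(names.get(a["roleDefinitionId"], a["roleDefinitionId"]) for a in assignments)


def rbac_roles(principal_id, lister=az_rbac_list):
    """(role name, scope) pairs from the RBAC plane, e.g. Key Vault Secrets User on a vault."""
    return sorted((r["roleDefinitionName"], r["scope"]) for r in lister(principal_id))


def audit(principal_id, fetch=graph_get, lister=az_rbac_list):
    """Combine both planes so neither kind of privilege is overlooked in a review."""
    return {"directory": directory_roles(principal_id, fetch),
            "rbac": rbac_roles(principal_id, lister)}


if __name__ == "__main__":
    print(json.dumps(audit("<principal object id>"), indent=2))  # placeholder id
```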