List appRoleAssignments granted to a user

Article
03/02/2023

Namespace: microsoft.graph

Retrieve the list of appRoleAssignment that a user has been granted. This operation also returns app roles assigned to groups that the user is a direct member of.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	User.ReadBasic.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All
Delegated (personal Microsoft account)	Not supported.
Application	Directory.Read.All, AppRoleAssignment.ReadWrite.All

HTTP request

GET /users/{id | userPrincipalName}/appRoleAssignments

Optional query parameters

This method supports the OData query parameters to help customize the response.

Request headers

Name	Description
Authorization	Bearer {token}. Required.

Request body

Do not supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and a collection of appRoleAssignment objects in the response body.

Examples

Example 1: List appRoleAssignments granted to a user

Request

Here is an example of the request to retrieve the app roles that have been assigned to a user.

GET https://graph.microsoft.com/v1.0/users/6e7b768e-07e2-4810-8459-485f84f8f204/appRoleAssignments


// Code snippets are only available for the latest version. Current version is 5.x

var graphClient = new GraphServiceClient(requestAdapter);

var result = await graphClient.Users["{user-id}"].AppRoleAssignments.GetAsync();


const options = {
	authProvider,
};

const client = Client.init(options);

let appRoleAssignments = await client.api('/users/6e7b768e-07e2-4810-8459-485f84f8f204/appRoleAssignments')
	.get();


GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

AppRoleAssignmentCollectionPage appRoleAssignments = graphClient.users("6e7b768e-07e2-4810-8459-485f84f8f204").appRoleAssignments()
	.buildRequest()
	.get();



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  //other-imports
)

graphClient, err := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)



result, err := graphClient.Users().ByUserId("user-id").AppRoleAssignments().Get(context.Background(), nil)


Import-Module Microsoft.Graph.Applications

Get-MgUserAppRoleAssignment -UserId $userId


<?php

// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);


$result = $graphServiceClient->users()->byUserId('user-id')->appRoleAssignments()->get();


// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client =  GraphServiceClient(request_adapter)



result = await client.users.by_user_id('user-id').app_role_assignments.get()

Response

The following is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    {
      "id": "41W1zT6z1U-kJxf62svfp1HFE8pMZhxDun-ThPczmJE",
      "deletedDateTime": null,
      "appRoleId": "00000000-0000-0000-0000-000000000000",
      "createdDateTime": "2021-02-02T04:22:45.9480566Z",
      "principalDisplayName": "Alex Wilber",
      "principalId": "cdb555e3-b33e-4fd5-a427-17fadacbdfa7",
      "principalType": "User",
      "resourceDisplayName": "dxprovisioning-graphapi-client",
      "resourceId": "8e881353-1735-45af-af21-ee1344582a4d"
    }
  ]
}

Example 2: List appRoleAssignments granted to a user, filtered by resourceId

Request

Here is an example of the request to retrieve the app roles that have been assigned to a user, filtering by a resourceId, which is a GUID type.

GET https://graph.microsoft.com/v1.0/users/cdb555e3-b33e-4fd5-a427-17fadacbdfa7/appRoleAssignments?$filter=resourceId eq 8e881353-1735-45af-af21-ee1344582a4d


// Code snippets are only available for the latest version. Current version is 5.x

var graphClient = new GraphServiceClient(requestAdapter);

var result = await graphClient.Users["{user-id}"].AppRoleAssignments.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "resourceId eq 8e881353-1735-45af-af21-ee1344582a4d";
});


const options = {
	authProvider,
};

const client = Client.init(options);

let appRoleAssignments = await client.api('/users/cdb555e3-b33e-4fd5-a427-17fadacbdfa7/appRoleAssignments')
	.filter('resourceId eq 8e881353-1735-45af-af21-ee1344582a4d')
	.get();


GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

AppRoleAssignmentCollectionPage appRoleAssignments = graphClient.users("cdb555e3-b33e-4fd5-a427-17fadacbdfa7").appRoleAssignments()
	.buildRequest()
	.filter("resourceId eq 8e881353-1735-45af-af21-ee1344582a4d")
	.get();



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphusers "github.com/microsoftgraph/msgraph-sdk-go/users"
	  //other-imports
)

graphClient, err := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)



requestFilter := "resourceId eq 8e881353-1735-45af-af21-ee1344582a4d"

requestParameters := &graphusers.UserItemAppRoleAssignmentsRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
}
configuration := &graphusers.UserItemAppRoleAssignmentsRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

result, err := graphClient.Users().ByUserId("user-id").AppRoleAssignments().Get(context.Background(), configuration)


Import-Module Microsoft.Graph.Applications

Get-MgUserAppRoleAssignment -UserId $userId -Filter "resourceId eq 8e881353-1735-45af-af21-ee1344582a4d"


<?php

// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);

$requestConfiguration = new AppRoleAssignmentsRequestBuilderGetRequestConfiguration();
$queryParameters = AppRoleAssignmentsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "resourceId eq 8e881353-1735-45af-af21-ee1344582a4d";
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->users()->byUserId('user-id')->appRoleAssignments()->get($requestConfiguration);


// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client =  GraphServiceClient(request_adapter)

query_params = AppRoleAssignmentsRequestBuilder.AppRoleAssignmentsRequestBuilderGetQueryParameters(
		filter = "resourceId eq 8e881353-1735-45af-af21-ee1344582a4d",
)

request_configuration = AppRoleAssignmentsRequestBuilder.AppRoleAssignmentsRequestBuilderGetRequestConfiguration(
query_parameters = query_params,
)


result = await client.users.by_user_id('user-id').app_role_assignments.get(request_configuration = request_configuration)

Response

The following is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#appRoleAssignments",
  "value": [
    {
      "id": "41W1zT6z1U-kJxf62svfp1HFE8pMZhxDun-ThPczmJE",
      "createdDateTime": "2021-02-02T04:22:45.9480566Z",
      "appRoleId": "00000000-0000-0000-0000-000000000000",
      "principalDisplayName": "MOD Administrator",
      "principalId": "cdb555e3-b33e-4fd5-a427-17fadacbdfa7",
      "principalType": "User",
      "resourceDisplayName": "dxprovisioning-graphapi-client",
      "resourceId": "8e881353-1735-45af-af21-ee1344582a4d"
    }
  ]
}

List appRoleAssignments granted to a user

Permissions

HTTP request

Optional query parameters

Request headers

Request body

Response

Examples

Example 1: List appRoleAssignments granted to a user

Request

Response

Example 2: List appRoleAssignments granted to a user, filtered by resourceId

Request

Response

Feedback

Additional resources

Additional resources