Get appRoleAssignment

Namespace: microsoft.graph

Read the properties and relationships of an appRoleAssignment object.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Supported resource Delegated (work or school account) Delegated (personal Microsoft account) Application
group Group.Read.All Not supported. Group.Read.All
servicePrincipal Application.Read.All Not supported. Application.Read.All
user User.Read Not supported. Directory.Read.All

Important

In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation:

  • Guest Inviter - Read app role assignments for users only
  • Directory Readers
  • Directory Synchronization Accounts - for Microsoft Entra Connect and Microsoft Entra Cloud Sync services
  • Directory Writer
  • Hybrid Identity Administrator
  • Identity Governance Administrator
  • Privileged Role Administrator
  • User Administrator
  • Application Administrator
  • Cloud Application Administrator

Other supported permissions

The following higher privileged permissions are supported by each resource:

  • Groups:
    • Delegated and application permissions: Directory.Read.All, AppRoleAssignment.ReadWrite.All, Directory.ReadWrite.All
  • Users:
    • Delegated permissions: User.ReadBasic.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All
    • Application permissions: Directory.Read.All, AppRoleAssignment.ReadWrite.All
  • Service principals:
    • Delegated permissions: Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All
    • Application permissions: Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.ReadWrite.All

HTTP request

To get details of an appRole granted to a service principal:

GET /servicePrincipals/{client-serviceprincipal-id}/appRoleAssignments/{appRoleAssignment-id}
GET /servicePrincipals(appId='{client-servicePrincipal-appId}')/appRoleAssignments/{appRoleAssignment-id}

To get details of an appRole granted to a user, group, or client service principal for the given resource service principal:

GET /servicePrincipals(appId='{resource-servicePrincipal-appId}')/appRoleAssignedTo/{appRoleAssignment-id}
GET /servicePrincipals/{resource-serviceprincipal-id}/appRoleAssignedTo/{appRoleAssignment-id}

To get details of an appRole granted to a group:

GET /groups/{group-id}/appRoleAssignments/{appRoleAssignment-id}

To get details of an appRole granted to a user:

GET /users/{user-id}/appRoleAssignments/{appRoleAssignment-id}
GET /me/appRoleAssignments/{appRoleAssignment-id}

Optional query parameters

This method supports the $select OData query parameter to help customize the response. For general information, see OData query parameters.

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.

Request body

Don't supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and an appRoleAssignment object in the response body.

Examples

Example 1: Get details of an app role granted to a user, group, or client service principal for the given resource service principal

Request

The following request queries the resource service principal to get details of an app role it has granted to a client that can be a user, group, or client service principal in the tenant.

GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')/appRoleAssignedTo/ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA

Response

The following example shows the response. It shows a client service principal named Postman has been granted an app role with the ID df021288-bdef-4463-88db-98f22de89214 which is the User.Read.All application permission, for the resource service principal named Microsoft Graph.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('00000003-0000-0000-c000-000000000000')/appRoleAssignedTo/$entity",
    "id": "ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA",
    "deletedDateTime": null,
    "appRoleId": "df021288-bdef-4463-88db-98f22de89214",
    "createdDateTime": "2023-02-24T17:01:47.0988029Z",
    "principalDisplayName": "Postman",
    "principalId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7",
    "principalType": "ServicePrincipal",
    "resourceDisplayName": "Microsoft Graph",
    "resourceId": "7408235b-7540-4850-82fe-a5f15ed019e2"
}

Example 2: Get details of an app role granted to a service principal

Request

The following request queries the client service principal to get details of an app role granted to it. In this instance, the app role represents the application permission.

GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='ceb96a54-de95-49a0-b38c-c55263fcf421')/appRoleAssignments/ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA

Response

The following example shows the response. It shows a client service principal named Postman has been granted an app role with the ID df021288-bdef-4463-88db-98f22de89214 which is the User.Read.All application permission, for the resource service principal named Microsoft Graph.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('ceb96a54-de95-49a0-b38c-c55263fcf421')/appRoleAssignments/$entity",
    "id": "ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA",
    "deletedDateTime": null,
    "appRoleId": "df021288-bdef-4463-88db-98f22de89214",
    "createdDateTime": "2023-02-24T17:01:47.0988029Z",
    "principalDisplayName": "Postman",
    "principalId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7",
    "principalType": "ServicePrincipal",
    "resourceDisplayName": "Microsoft Graph",
    "resourceId": "7408235b-7540-4850-82fe-a5f15ed019e2"
}

Example 3: Get details of an app role granted to the signed-in user

Request

The following request queries the signed-in user's appRoleAssignments.

GET https://graph.microsoft.com/v1.0/me/appRoleAssignments/Lo6gEKI-4EyAy9X91LBepo6Aq0Rt6QxBjWRl76txk8I

Response

The following example shows the response. It shows the signed-in user has the default app role for a resource service principal named Postman.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('10a08e2e-3ea2-4ce0-80cb-d5fdd4b05ea6')/appRoleAssignments/$entity",
    "id": "Lo6gEKI-4EyAy9X91LBepo6Aq0Rt6QxBjWRl76txk8I",
    "deletedDateTime": null,
    "appRoleId": "00000000-0000-0000-0000-000000000000",
    "createdDateTime": "2022-09-08T17:43:57.8423817Z",
    "principalDisplayName": "MOD Administrator",
    "principalId": "10a08e2e-3ea2-4ce0-80cb-d5fdd4b05ea6",
    "principalType": "User",
    "resourceDisplayName": "Postman",
    "resourceId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7"
}