Share via

Is there a way to download a list of users assigned to an Enterprise app in Azure?

John Hirst 21 Reputation points
2020-06-08T13:10:13.543+00:00

They were added manually and I want to add them to a group so I can reuse for similar apps.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments
Answer accepted by question author
  1. AmanpreetSingh-MSFT 56,951 Reputation points Moderator
    2020-06-08T13:26:01.943+00:00

    Hi @John Hirst

    You can use below command to get object id of the service prinicpal:

    Get-AzureADServicePrincipal -SearchString display_name_of_the_app

    Use below cmdlet to get list of all users assigned to the application:

    Get-AzureADServiceAppRoleAssignment -ObjectId object_id_from_above_cmdlet

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Leon Laude 86,086 Reputation points
    2020-06-08T13:16:03.023+00:00

    Hi,

    Something here might help:
    https://stackoverflow.com/questions/39356317/get-azure-active-directory-application-users-and-roles 

    # Get all service principals, and for each one, get all the app role assignments, 
# resolving the app role ID to it's display name. Output everything to a CSV.
Get-AzureADServicePrincipal | % {

  # Build a hash table of the service principal's app roles. The 0-Guid is
  # used in an app role assignment to indicate that the principal is assigned
  # to the default app role (or rather, no app role).
  $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
  $_.AppRoles | % { $appRoles[$_.Id] = $_.DisplayName }

  # Get the app role assignments for this app, and add a field for the app role name
  Get-AzureADServiceAppRoleAssignment -ObjectId ($_.ObjectId) | % {
    $_ | Add-Member "AppRoleDisplayName" $appRoles[$_.Id] -Passthru
  }
} | Export-Csv "app_role_assignments.csv" -NoTypeInformation

    Best regards,
    Leon

    1 person found this answer helpful.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.