title | description | author | ms.localizationpriority | ms.subservice | doc_type |
---|---|---|---|---|---|
Get appRoleAssignment |
Read the properties and relationships of an appRoleAssignment object. |
psignoret |
medium |
entra-applications |
apiPageType |
Namespace: microsoft.graph
Read the properties and relationships of an appRoleAssignment object.
[!INCLUDE national-cloud-support]
The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
---|---|---|---|
group | Group.Read.All | Not supported. | Group.Read.All |
servicePrincipal | Application.Read.All | Not supported. | Application.Read.All |
user | User.Read | Not supported. | Directory.Read.All |
[!INCLUDE rbac-approleassignments-apis-read]
To get details of an appRole granted to a service principal:
GET /servicePrincipals/{client-serviceprincipal-id}/appRoleAssignments/{appRoleAssignment-id}
GET /servicePrincipals(appId='{client-servicePrincipal-appId}')/appRoleAssignments/{appRoleAssignment-id}
To get details of an appRole granted to a user, group, or client service principal for the given resource service principal:
GET /servicePrincipals(appId='{resource-servicePrincipal-appId}')/appRoleAssignedTo/{appRoleAssignment-id}
GET /servicePrincipals/{resource-serviceprincipal-id}/appRoleAssignedTo/{appRoleAssignment-id}
To get details of an appRole granted to a group:
GET /groups/{group-id}/appRoleAssignments/{appRoleAssignment-id}
To get details of an appRole granted to a user:
GET /users/{user-id}/appRoleAssignments/{appRoleAssignment-id}
GET /me/appRoleAssignments/{appRoleAssignment-id}
This method supports the $select
OData query parameter to help customize the response. For general information, see OData query parameters.
Name | Description |
---|---|
Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
Don't supply a request body for this method.
If successful, this method returns a 200 OK
response code and an appRoleAssignment object in the response body.
Example 1: Get details of an app role granted to a user, group, or client service principal for the given resource service principal
The following request queries the resource service principal to get details of an app role it has granted to a client that can be a user, group, or client service principal in the tenant.
GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')/appRoleAssignedTo/ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA
The following example shows the response. It shows a client service principal named Postman has been granted an app role with the ID df021288-bdef-4463-88db-98f22de89214 which is the User.Read.All application permission, for the resource service principal named Microsoft Graph.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('00000003-0000-0000-c000-000000000000')/appRoleAssignedTo/$entity",
"id": "ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA",
"deletedDateTime": null,
"appRoleId": "df021288-bdef-4463-88db-98f22de89214",
"createdDateTime": "2023-02-24T17:01:47.0988029Z",
"principalDisplayName": "Postman",
"principalId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7",
"principalType": "ServicePrincipal",
"resourceDisplayName": "Microsoft Graph",
"resourceId": "7408235b-7540-4850-82fe-a5f15ed019e2"
}
The following request queries the client service principal to get details of an app role granted to it. In this instance, the app role represents the application permission.
GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='ceb96a54-de95-49a0-b38c-c55263fcf421')/appRoleAssignments/ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA
The following example shows the response. It shows a client service principal named Postman has been granted an app role with the ID df021288-bdef-4463-88db-98f22de89214 which is the User.Read.All application permission, for the resource service principal named Microsoft Graph.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('ceb96a54-de95-49a0-b38c-c55263fcf421')/appRoleAssignments/$entity",
"id": "ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA",
"deletedDateTime": null,
"appRoleId": "df021288-bdef-4463-88db-98f22de89214",
"createdDateTime": "2023-02-24T17:01:47.0988029Z",
"principalDisplayName": "Postman",
"principalId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7",
"principalType": "ServicePrincipal",
"resourceDisplayName": "Microsoft Graph",
"resourceId": "7408235b-7540-4850-82fe-a5f15ed019e2"
}
The following request queries the signed-in user's appRoleAssignments.
GET https://graph.microsoft.com/v1.0/me/appRoleAssignments/Lo6gEKI-4EyAy9X91LBepo6Aq0Rt6QxBjWRl76txk8I
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response. It shows the signed-in user has the default app role for a resource service principal named Postman.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('10a08e2e-3ea2-4ce0-80cb-d5fdd4b05ea6')/appRoleAssignments/$entity",
"id": "Lo6gEKI-4EyAy9X91LBepo6Aq0Rt6QxBjWRl76txk8I",
"deletedDateTime": null,
"appRoleId": "00000000-0000-0000-0000-000000000000",
"createdDateTime": "2022-09-08T17:43:57.8423817Z",
"principalDisplayName": "MOD Administrator",
"principalId": "10a08e2e-3ea2-4ce0-80cb-d5fdd4b05ea6",
"principalType": "User",
"resourceDisplayName": "Postman",
"resourceId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7"
}