approleassignment-get.md

title: Get appRoleAssignment
description: Read the properties and relationships of an appRoleAssignment object.
author: psignoret
ms.localizationpriority: medium
ms.subservice: entra-applications
doc_type: apiPageType

Get appRoleAssignment

Namespace: microsoft.graph

Read the properties and relationships of an appRoleAssignment object.

[!INCLUDE national-cloud-support]

Permissions

The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

| Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
|:--|:--|:--|:--|
| group | Group.Read.All | Not supported. | Group.Read.All |
| servicePrincipal | Application.Read.All | Not supported. | Application.Read.All |
| user | User.Read | Not supported. | Directory.Read.All |

[!INCLUDE rbac-approleassignments-apis-read]

HTTP request

To get details of an appRole granted to a service principal:

GET /servicePrincipals/{client-serviceprincipal-id}/appRoleAssignments/{appRoleAssignment-id}
GET /servicePrincipals(appId='{client-servicePrincipal-appId}')/appRoleAssignments/{appRoleAssignment-id}

To get details of an appRole granted to a user, group, or client service principal for the given resource service principal:

GET /servicePrincipals(appId='{resource-servicePrincipal-appId}')/appRoleAssignedTo/{appRoleAssignment-id}
GET /servicePrincipals/{resource-serviceprincipal-id}/appRoleAssignedTo/{appRoleAssignment-id}

To get details of an appRole granted to a group:

GET /groups/{group-id}/appRoleAssignments/{appRoleAssignment-id}

To get details of an appRole granted to a user:

GET /users/{user-id}/appRoleAssignments/{appRoleAssignment-id}
GET /me/appRoleAssignments/{appRoleAssignment-id}

Optional query parameters

This method supports the $select OData query parameter to help customize the response. For general information, see OData query parameters.

Request headers

| Name | Description |
|:--|:--|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |

Request body

Don't supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and an appRoleAssignment object in the response body.

Examples

Example 1: Get details of an app role granted to a user, group, or client service principal for the given resource service principal

Request

The following request queries the resource service principal to get details of an app role it has granted to a client that can be a user, group, or client service principal in the tenant.

GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')/appRoleAssignedTo/ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA

Response

The following example shows the response. It shows that a client service principal named Postman has been granted an app role with the ID df021288-bdef-4463-88db-98f22de89214, which is the User.Read.All application permission, for the resource service principal named Microsoft Graph.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('00000003-0000-0000-c000-000000000000')/appRoleAssignedTo/$entity",
    "id": "ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA",
    "deletedDateTime": null,
    "appRoleId": "df021288-bdef-4463-88db-98f22de89214",
    "createdDateTime": "2023-02-24T17:01:47.0988029Z",
    "principalDisplayName": "Postman",
    "principalId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7",
    "principalType": "ServicePrincipal",
    "resourceDisplayName": "Microsoft Graph",
    "resourceId": "7408235b-7540-4850-82fe-a5f15ed019e2"
}

Example 2: Get details of an app role granted to a service principal

Request

The following request queries the client service principal to get details of an app role granted to it. In this instance, the app role represents the application permission.

GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='ceb96a54-de95-49a0-b38c-c55263fcf421')/appRoleAssignments/ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA

Response

The following example shows the response. It shows that a client service principal named Postman has been granted an app role with the ID df021288-bdef-4463-88db-98f22de89214, which is the User.Read.All application permission, for the resource service principal named Microsoft Graph.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('ceb96a54-de95-49a0-b38c-c55263fcf421')/appRoleAssignments/$entity",
    "id": "ep6PKgGvOkGVksMuwOXBpxV3dkHvwM1ElSjMUzZtaIA",
    "deletedDateTime": null,
    "appRoleId": "df021288-bdef-4463-88db-98f22de89214",
    "createdDateTime": "2023-02-24T17:01:47.0988029Z",
    "principalDisplayName": "Postman",
    "principalId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7",
    "principalType": "ServicePrincipal",
    "resourceDisplayName": "Microsoft Graph",
    "resourceId": "7408235b-7540-4850-82fe-a5f15ed019e2"
}

Example 3: Get details of an app role granted to the signed-in user

Request

The following request queries the signed-in user's appRoleAssignments.

GET https://graph.microsoft.com/v1.0/me/appRoleAssignments/Lo6gEKI-4EyAy9X91LBepo6Aq0Rt6QxBjWRl76txk8I

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]



Response

The following example shows the response. It shows that the signed-in user has the default app role for a resource service principal named Postman.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('10a08e2e-3ea2-4ce0-80cb-d5fdd4b05ea6')/appRoleAssignments/$entity",
    "id": "Lo6gEKI-4EyAy9X91LBepo6Aq0Rt6QxBjWRl76txk8I",
    "deletedDateTime": null,
    "appRoleId": "00000000-0000-0000-0000-000000000000",
    "createdDateTime": "2022-09-08T17:43:57.8423817Z",
    "principalDisplayName": "MOD Administrator",
    "principalId": "10a08e2e-3ea2-4ce0-80cb-d5fdd4b05ea6",
    "principalType": "User",
    "resourceDisplayName": "Postman",
    "resourceId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7"
}
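
The following Python sketch is an added example, not part of the original page or of Microsoft's samples. It reads the response bodies from Examples 1 to 3 to show that the same grant is returned whether the resource side (appRoleAssignedTo) or the client side (appRoleAssignments) is queried, and to separate application permission grants from default-role assignments. The `describe` helper, the `KNOWN_ROLES` map, and the review heuristic in the comments are assumptions made for illustration.

```python
import re

# Role IDs named on this page. A real review would resolve appRoleId against
# the resource service principal's appRoles collection instead (assumption).
DEFAULT_APP_ROLE = "00000000-0000-0000-0000-000000000000"
KNOWN_ROLES = {"df021288-bdef-4463-88db-98f22de89214": "User.Read.All"}

# @odata.context ends in <entitySet>('<key>')/<navigationProperty>/$entity
CONTEXT_RE = re.compile(r"\$metadata#(\w+)\('([^']+)'\)/(\w+)/\$entity$")

def describe(assignment):
    """Summarize one appRoleAssignment response body for an access review."""
    m = CONTEXT_RE.search(assignment.get("@odata.context", ""))
    role_id = assignment["appRoleId"]
    is_default = role_id == DEFAULT_APP_ROLE
    return {
        # Identifies the grant regardless of which side was queried.
        "grant": (assignment["principalId"], assignment["resourceId"], role_id),
        "queried_via": m.group(3) if m else None,
        "role": "default" if is_default else KNOWN_ROLES.get(role_id, "unresolved"),
        # Review heuristic: a named role held by a service principal is
        # treated as an application (app-only) permission grant.
        "application_permission": (
            assignment["principalType"] == "ServicePrincipal" and not is_default
        ),
    }

# Response bodies from Examples 1-3 on this page, trimmed to the fields used.
GRAPH = "https://graph.microsoft.com/v1.0/$metadata#"
EX1 = {
    "@odata.context": GRAPH + "servicePrincipals('00000003-0000-0000-c000-000000000000')/appRoleAssignedTo/$entity",
    "appRoleId": "df021288-bdef-4463-88db-98f22de89214",
    "principalId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7",
    "principalType": "ServicePrincipal",
    "resourceId": "7408235b-7540-4850-82fe-a5f15ed019e2",
}
EX2 = {**EX1, "@odata.context": GRAPH + "servicePrincipals('ceb96a54-de95-49a0-b38c-c55263fcf421')/appRoleAssignments/$entity"}
EX3 = {
    "@odata.context": GRAPH + "users('10a08e2e-3ea2-4ce0-80cb-d5fdd4b05ea6')/appRoleAssignments/$entity",
    "appRoleId": DEFAULT_APP_ROLE,
    "principalId": "10a08e2e-3ea2-4ce0-80cb-d5fdd4b05ea6",
    "principalType": "User",
    "resourceId": "2a8f9e7a-af01-413a-9592-c32ec0e5c1a7",
}

if __name__ == "__main__":
    for name, body in (("Example 1", EX1), ("Example 2", EX2), ("Example 3", EX3)):
        print(name, describe(body))
```

Deduplicating on the `grant` tuple keeps an inventory built from both navigation properties from counting the same assignment twice.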