title | description | ms.localizationpriority | doc_type | ms.subservice | author |
---|---|---|---|---|---|
appRoleAssignment resource type |
Used to record when a user, group, or service principal is assigned to an app role on an application's service principal. You can create, read, and delete app role assignments. |
high |
resourcePageType |
entra-applications |
psignoret |
Namespace: microsoft.graph
Used to record when a user, group, or service principal is assigned an app role for an app.
An app role assignment is a relationship between the assigned principal (a user, a group, or a service principal), a resource application (the app's service principal) and an app role defined on the resource application.
When the app role that has been assigned to a principal has a nonempty value property, it's included in the roles claim of tokens where the subject is the assigned principal (for example, SAML responses, ID tokens, access tokens identifying a signed-in user, or an access token identifying a service principal). Applications and APIs use these claims as part of their authorization logic.
A user can be assigned an app role directly. If an app role is assigned to a group, direct members of the group are also considered to have been assigned the app role. When a user is assigned an app role for an application, a tile for that application is displayed in the user's MyApps portal and Microsoft 365 app launcher.
An app role assignment where the assigned principal is a service principal is an app-only permission grant. When a user or admin consents to an app-only permission, an app role assignment is created where the assigned principal is the service principal for the client application, and the resource is the target API's service principal.
Property | Type | Description |
---|---|---|
appRoleId | Guid | The identifier (id) for the app role that's assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application hasn't declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create. |
createdDateTime | DateTimeOffset | The time when the app role assignment was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
deletedDateTime | DateTimeOffset | The date and time when the app role assignment was deleted. Always null for an appRoleAssignment object that hasn't been deleted. Inherited from directoryObject. |
id | String | A unique identifier for the appRoleAssignment key. Not nullable. Read-only. |
principalDisplayName | String | The display name of the user, group, or service principal that was granted the app role assignment. Read-only. Supports $filter (eq and startswith ). |
principalId | Guid | The unique identifier (id) for the user, security group, or service principal being granted the app role. Security groups with dynamic memberships are supported. Required on create. |
principalType | String | The type of the assigned principal. This can either be User , Group , or ServicePrincipal . Read-only. |
resourceDisplayName | String | The display name of the resource app's service principal to which the assignment is made. |
resourceId | Guid | The unique identifier (id) for the resource service principal for which the assignment is made. Required on create. Supports $filter (eq only). |
The following JSON representation shows the resource type.
{
"appRoleId": "Guid",
"createdDateTime": "String (timestamp)",
"deletedDateTime": "String (timestamp)",
"id": "String",
"principalDisplayName": "String",
"principalId": "Guid",
"principalType": "String",
"resourceDisplayName": "String",
"resourceId": "Guid"
}