Scripts/List-AzADAppRoleAssignments.ps1
param( [Parameter(Mandatory = $true)][string] $ClientId = $(throw "ClientId is required"), [Parameter(Mandatory = $false)][string] $RolesAssignedToClientId ) $adApplication = Get-AzADApplication -Filter "AppId eq '$ClientId'" if (!$adApplication) { throw "Active Directory Application for the ClientId '$ClientId' could not be found" } $adServicePrincipal = Get-AzADServicePrincipal -Filter "AppId eq '$ClientId'" if (!$adServicePrincipal) { throw "Active Directory Service Principal for the ClientId '$ClientId' could not be found" } if ($RolesAssignedToClientId -ne '') { $adApplicationRolesAssignedTo = Get-AzADApplication -Filter "AppId eq '$RolesAssignedToClientId'" if (!$adApplicationRolesAssignedTo) { throw "Active Directory Application for the ClientId '$RolesAssignedToClientId' could not be found" } $adServicePrincipalRolesAssignedTo = Get-AzADServicePrincipal -Filter "AppId eq '$RolesAssignedToClientId'" if (!$adServicePrincipalRolesAssignedTo) { throw "Active Directory Service Principal for the ClientId '$RolesAssignedToClientId' could not be found" } } try { if ($adApplication.AppRole.Count -eq 0) { Write-Warning "No roles found in Active Directory Application '$($adApplication.DisplayName)'" } foreach ($appRole in $adApplication.AppRole) { Write-Host "Found role '$($appRole.Value)' on Active Directory Application '$($adApplication.DisplayName)'" -ForegroundColor Green if ($RolesAssignedToClientId -ne '') { $appRoleAssignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $adServicePrincipal.Id | Where-Object {($_.AppRoleId -eq $appRole.Id) -and ($_.PrincipalId -eq $adServicePrincipalRolesAssignedTo.Id)} } else { $appRoleAssignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $adServicePrincipal.Id | Where-Object AppRoleId -eq $appRole.Id } if ($appRoleAssignments) { foreach ($serviceAppRoleAssignment in $appRoleAssignments) { $servicePrincipal = Get-AzADServicePrincipal -ObjectId $serviceAppRoleAssignment.PrincipalId if ($servicePrincipal -ne $null) { Write-Host "Role '$($appRole.Value)' is assigned to the Active Directory Application '$($serviceAppRoleAssignment.PrincipalDisplayName)' with ID '$($servicePrincipal.AppId)'" -ForegroundColor Green } } } else { Write-Warning "No role assignments found in Active Directory Application '$($adApplication.DisplayName)'" } } } catch { throw "Retrieving the roles for the Active Directory Application with ClientId '$ClientId' failed. Details: $($_.Exception.Message)" } |