Microsoft.Graph to list users assigned to app

Time:11-05

I'm working on converting our Azure AD PowerShell scripts to use Graph. There is one script I'm not having any success in figuring out how to convert. The script returns all the users assigned to an app.

Here is the original Azure AD script.

Get-AzureADServicePrincipal -SearchString $appName | % {
# Build a hash table of the service principal's app roles. The 0-Guid is
# used in an app role assignment to indicate that the principal is assigned
# to the default app role (or rather, no app role).
  $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
  $_.AppRoles | % { $appRoles[$_.Id] = $_.DisplayName }
  # Get the app role assignments for this app, and add a field for the app role name
  Get-AzureADServiceAppRoleAssignment -ObjectId ($_.ObjectId) |
    Where-Object PrincipalType -eq "User" | % {  $_ | Add-Member "AppRoleDisplayName" $appRoles[$_.Id] -Passthru } | % { 
    $user = Get-AzureADUser -ObjectId $_.PrincipalId
    $_ | Add-Member "UserPrincipalName" $user.UserPrincipalName -Passthru  }
}

Then using this migration guide, https://learn.microsoft.com/en-us/powershell/microsoftgraph/azuread-msoline-cmdlet-map?source=recommendations&view=graph-powershell-1.0, I converted it to this.

Get-MgServicePrincipal -Filter ("DisplayName eq '" + $appName + "'") | % {
# Build a hash table of the service principal's app roles. The 0-Guid is
# used in an app role assignment to indicate that the principal is assigned
# to the default app role (or rather, no app role).
  $appRoles = @{ "$([Guid]::Empty.ToString())" = "(default)" }
  $_.AppRoles | % { $appRoles[$_.Id] = $_.DisplayName }
  # Get the app role assignments for this app, and add a field for the app role name.
  # In the Graph objects the role is in AppRoleId (Id is the assignment's own ID),
  # and Get-MgUser takes -UserId rather than -Id.
  Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId ($_.Id) |
    Where-Object PrincipalType -eq "User" | % {  $_ | Add-Member "AppRoleDisplayName" $appRoles[$_.AppRoleId] -Passthru } | % { 
    $user = Get-MgUser -UserId $_.PrincipalId
    $_ | Add-Member "UserPrincipalName" $user.UserPrincipalName -Passthru  }
}

I don't get any errors when I run it. However, it returns no results. How do I do this in Microsoft.Graph?

Thanks

CodePudding user response:

Currently you use the wrong cmdlet, from my point of view; the Get-MgServicePrincipalAppRoleAssignment cmdlet does:

App role assignment for another app or service, granted to this service principal.

As you filter for PrincipalType -eq "User", you won't get any objects back.

If you only want to list the objects available under "User and Groups" in the portal of the Enterprise Application you can do:

$Assignees = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId [objectIdServicePrincipal] -all

Keep in mind to always specify the parameter -All; otherwise you get at most 100 objects back. By the way, you can assign users and GROUPS, so I think you should also look up the members of the groups assigned (Get-MgGroupTransitiveMember/Get-MgGroupMember).
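The following is an added, self-contained example (it is not code from the question or the answer above) that puts the answer's advice together: it queries Get-MgServicePrincipalAppRoleAssignedTo with -All, resolves direct user assignments, and expands assigned groups with Get-MgGroupTransitiveMember so nested-group members are not missed. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can consent to the read-only scopes listed, and that $appName (a constructed placeholder here) is the Enterprise Application's display name. Escaping the apostrophe in the OData filter is included because an app name containing one would otherwise break the query.

```powershell
# Added example: list every user with access to an Enterprise Application,
# both directly assigned and reached through assigned groups.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

# Read-only scopes sufficient for this task (assumption: adjust to tenant policy).
Connect-MgGraph -Scopes 'Application.Read.All', 'GroupMember.Read.All', 'User.Read.All'

$appName = 'My Enterprise App'   # constructed placeholder; set to the real display name

# A single quote inside an OData string literal must be doubled, otherwise a
# name such as O'Brien's Portal produces a malformed filter.
$escaped = $appName -replace "'", "''"
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$escaped'" -All)
if ($sp.Count -eq 0) { throw "No service principal named '$appName'" }
if ($sp.Count -gt 1)  { throw "Several service principals named '$appName'; use the object ID instead" }
$sp = $sp[0]

# Map appRoleId -> display name. The all-zero GUID marks the default (no) role.
$appRoles = @{}
$appRoles[[Guid]::Empty.ToString()] = '(default)'
foreach ($role in $sp.AppRoles) { $appRoles["$($role.Id)".ToLower()] = $role.DisplayName }

# Principals assigned to THIS app ("Users and groups" in the portal).
# -All is required: without it the cmdlet returns at most one page (100 objects).
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

$rows = foreach ($a in $assignments) {
    $roleName = $appRoles["$($a.AppRoleId)".ToLower()]
    if (-not $roleName) { $roleName = "(unknown role $($a.AppRoleId))" }

    switch ($a.PrincipalType) {
        'User' {
            $u = Get-MgUser -UserId $a.PrincipalId -Property Id,UserPrincipalName,AccountEnabled
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                AccountEnabled    = $u.AccountEnabled
                AppRole           = $roleName
                AssignedVia       = 'Direct'
            }
        }
        'Group' {
            # Transitive membership covers nested groups; the member list also
            # contains groups, devices and service principals, so keep only users.
            Get-MgGroupTransitiveMember -GroupId $a.PrincipalId -All |
                Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                ForEach-Object {
                    [pscustomobject]@{
                        UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
                        AccountEnabled    = $null   # not in the default member projection
                        AppRole           = $roleName
                        AssignedVia       = "Group: $($a.PrincipalDisplayName)"
                    }
                }
        }
        default {
            # Service principals can also be assigned; they are out of scope for a user list.
            Write-Verbose "Skipping $($a.PrincipalType) principal $($a.PrincipalId)"
        }
    }
}

$rows | Sort-Object UserPrincipalName, AssignedVia | Format-Table -AutoSize
```

A user who is assigned directly and also through a group appears twice, once per path; that is deliberate, since an access review needs to know every route by which someone reaches the app before an assignment is removed.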
