Cli-microsoft365: New command: aad appRoleAssignment list

Created on 11 Dec 2019 · 15 Comments · Source: pnp/cli-microsoft365

Usage

aad appRoleAssignment list [options]

Description

The existing command aad oauth2grant list will return the grants for delegated permissions. For app-only permissions, OAuth2 grants are not used. This command will return the appRoleAssignments that represent the app-only permissions.

The command should query the related resourceId, retrieving the human-consumable descriptions of the appRoles.

Options

| Option | Description |
| ----------------------- | ----------------------------------------- |
| -i, --clientId <clientId> | objectId of the service principal for which the configured AppRole assignments should be retrieved |
| -o, --output [output] | Output type. json\|text. Default text |
| --verbose | Runs command with verbose logging |
| --debug | Runs command with debug logging |

Additional Information

Application and service principal objects in Azure Active Directory (Azure AD): https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects

new feature work in progress

All 15 comments

Hey Paul @pschaeflein, this is a great suggestion. I can see it in action when doing tenant audits.

Are you aware of a REST API (something in MS Graph) or PS cmdlet we can have a look at as a reference? The document you have shared has an overview, but I could not find any links to a specific API or something we can use to get the API docs.

I also tried to scan the Microsoft Graph docs very quickly, but I could not find it under the app sections. If you can point me to such an API doc or cmdlet, that would be highly beneficial.

Very nice suggestion @pschaeflein 👏

You can get app role assignments by calling GET https://graph.windows.net/myorganization/servicePrincipals/030d1fe5-e09d-4ffb-abdc-d88d5305fd99/appRoleAssignments?api-version=1.6. ~So far however, I haven't been able to figure out where you can get the assigned scopes.~

The assigned role is in the id property of the returned appRoleAssignment. To get its display name, you need to call:

GET https://graph.windows.net/myorganization/servicePrincipals/bf2b50e4-da2c-4c2b-8f0e-90c8b8396f5a/appRoles

and find the appRole with the matching id from the appRoleAssignments call. The ID of the servicePrincipal in the second call can be retrieved by calling:

GET https://graph.windows.net/myorganization/servicePrincipals?api-version=1.6&$filter=id eq 'resourceId from the appRoleAssignments call' and then retrieving its objectId

Once we have this command, we could consider adding another command that would return both oauth2grants and appRoleAssignments, the same way you get in the Azure portal so that you don't need to know the intricacies of the AAD Graph if all you're interested in are the permissions assigned to your service principals.

I do have notes on how to do this using Microsoft Graph instead of the AAD Graph that Waldek shows. Same idea, just different endpoints. And if the app was created as multi-tenant, then it gets interesting.

I'm happy to work on this. I created the issue to see if there was interest.

@pschaeflein aren't the Graph endpoints for this still in beta? Ideally, we should avoid working with beta endpoints in case they change without any upfront notice. When things get stable, we can always port them over to the Graph.

What's special about multi-tenant apps? I believe the app I used in my research was multi-tenant and I haven't found anything but perhaps missed something 😉

I'd love to have you help us with getting it in and I think it would be a great addition for managing properties of AAD apps 👍

The twist in multi-tenant is that the appId that the developer uses (and is registered in the developer tenant) is not used to get the service principal. You have to do something like servicePrincipals?$filter=appid eq '[appId]'. This may not be an issue if piped from aad sp get - but haven't dug into it yet.

You're right about servicePrincipals being in /beta. Not sure why I thought that went GA.
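As an added example (not code from the issue thread or from the cli-microsoft365 project), the Node.js script below performs the lookup described in the two comments above offline: it joins appRoleAssignments to the resource service principal's appRoles to obtain human-readable role names, and it shows the appId-based service principal lookup that multi-tenant apps need instead of the developer-tenant objectId. The responses are constructed sample data in the shape of the AAD Graph v1.6 appRoleAssignment and servicePrincipal objects; apart from Microsoft Graph's well-known appId and the User.Read.All application role id, every GUID and name is made up, and nothing is called in a real tenant.

```javascript
// Added example, not code from the issue or the cli-microsoft365 project.
// Joins AAD Graph (v1.6) appRoleAssignments to the resource's appRoles offline,
// on constructed sample data shaped like the API responses discussed above.

// An assignment with this id grants access to the resource without a specific
// role (used when the resource declares no appRoles).
const DEFAULT_APP_ROLE_ID = "00000000-0000-0000-0000-000000000000";

// Constructed sample: GET servicePrincipals/<ourSpObjectId>/appRoleAssignments.
// In AAD Graph `id` is the granted appRole's id and `objectId` the assignment's
// own id (Microsoft Graph renames these to `appRoleId` and `id`).
const OUR_SP = "11111111-aaaa-bbbb-cccc-000000000001"; // made-up objectId
const GRAPH_SP = "22222222-aaaa-bbbb-cccc-000000000002"; // made-up objectId
const LOB_SP = "33333333-aaaa-bbbb-cccc-000000000003"; // made-up objectId
const sampleAssignments = [
  { objectId: "a1111111-0000-0000-0000-000000000001", id: "df021288-bdef-4463-88db-98f22de89214",
    principalId: OUR_SP, principalDisplayName: "Tenant Audit Tool",
    resourceId: GRAPH_SP, resourceDisplayName: "Microsoft Graph" },
  { objectId: "a1111111-0000-0000-0000-000000000002", id: DEFAULT_APP_ROLE_ID,
    principalId: OUR_SP, principalDisplayName: "Tenant Audit Tool",
    resourceId: LOB_SP, resourceDisplayName: "Legacy LOB API" },
  { objectId: "a1111111-0000-0000-0000-000000000003", id: "ffffffff-0000-0000-0000-000000000099",
    principalId: OUR_SP, principalDisplayName: "Tenant Audit Tool",
    resourceId: GRAPH_SP, resourceDisplayName: "Microsoft Graph" }, // stale role id
];

// Constructed sample: GET servicePrincipals/<resourceId> for each distinct resourceId.
// Microsoft Graph's appId and the User.Read.All application role id are the real
// well-known values; everything else is made up.
const sampleResourceSps = new Map([
  [GRAPH_SP, {
    objectId: GRAPH_SP, appId: "00000003-0000-0000-c000-000000000000", displayName: "Microsoft Graph",
    appRoles: [{ id: "df021288-bdef-4463-88db-98f22de89214", value: "User.Read.All",
      displayName: "Read all users' full profiles", isEnabled: true, allowedMemberTypes: ["Application"] }],
  }],
  [LOB_SP, { objectId: LOB_SP, appId: "44444444-aaaa-bbbb-cccc-000000000004",
    displayName: "Legacy LOB API", appRoles: [] }],
]);

// Turn raw assignments into audit rows, keeping unresolvable entries visible
// instead of dropping them (a dropped row would hide a granted permission).
function resolveAppRoleAssignments(assignments, resourceSpsByObjectId) {
  return assignments.map((a) => {
    const resourceSp = resourceSpsByObjectId.get(a.resourceId);
    const role = resourceSp ? resourceSp.appRoles.find((r) => r.id === a.id) : undefined;
    let roleDisplayName, status;
    if (a.id === DEFAULT_APP_ROLE_ID) {
      roleDisplayName = "Default Access"; status = "default";
    } else if (!resourceSp) {
      roleDisplayName = `<resource ${a.resourceId} not found>`; status = "unresolved-resource";
    } else if (!role) {
      roleDisplayName = `<appRole ${a.id} not declared by resource>`; status = "unresolved-role";
    } else {
      roleDisplayName = role.displayName; status = role.isEnabled ? "ok" : "disabled";
    }
    return {
      principal: a.principalDisplayName, resource: a.resourceDisplayName,
      roleId: a.id, roleValue: role ? role.value : null, roleDisplayName, status,
    };
  });
}

// Multi-tenant twist from the thread: the appId the developer knows is the same in
// every tenant, but each consuming tenant has its own service principal with its own
// objectId. Find the SP by appId (server-side: $filter=appId eq '<appId>') and use
// its objectId for the appRoleAssignments call.
function findServicePrincipalByAppId(servicePrincipals, appId) {
  return servicePrincipals.find((sp) => sp.appId === appId) || null;
}

// Stand-alone run: print the audit listing the proposed command would produce.
const resolved = resolveAppRoleAssignments(sampleAssignments, sampleResourceSps);
for (const r of resolved) {
  console.log(`${r.principal} -> ${r.resource}: ${r.roleValue || r.roleDisplayName} [${r.status}]`);
}
```

Run it with `node`. Two cases an audit listing should not silently hide are handled explicitly: the all-zero default role id, which matches no declared appRole but still represents an assignment, and an assignment whose role the resource no longer declares, which is reported as unresolved rather than omitted.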

Right, so this is how I was getting to the service principal in my tests, which is why I haven't noticed anything unusual. The good thing is that, as you noticed, we have all the code available already in aad sp get which we can reuse here. 💪

Hey @pschaeflein, how are things progressing? Need help with anything?

Hey @pschaeflein are you still working on this?

Yes, I have some code written. I will get a PR ready this week. Thanks for the nudge.

Awesome! Looking forward to it 👍

@pschaeflein I did initial test of the command and it worked like a charm for multi-tenant applications and did not return any output for apps that are not set as multi-tenant. I wanted to check with you if this is the desired behavior?

App roles are "Application" permissions (as opposed to "Delegated", which would be the OAuth2Grant list). Does your single-tenant app have Application permissions consented?

@pschaeflein, this is my bad. It looks like when I consent permissions I have to wait at least 5 mins before doing any testing :)
