Get-EntraUserAppRoleAssignment
Get a user application role assignment.
Syntax
Default (Default)
Get-EntraUserAppRoleAssignment
-UserId <String>
[-All]
[-Top <Int32>]
[-Property <String[]>]
[<CommonParameters>]
Description
The Get-EntraUserAppRoleAssignment cmdlet gets a user application role assignment.
To perform this operation in delegated scenarios using work or school accounts, the signed-in user must have one of the following least privileged roles, or a custom role with the necessary permissions:
- Guest Inviter - Read app role assignments for users only
- Directory Readers
- Directory Synchronization Accounts - for Microsoft Entra Connect and Microsoft Entra Cloud Sync services
- Directory Writer
- Hybrid Identity Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- User Administrator
- Application Administrator
- Cloud Application Administrator
Examples
Example 1: Get a user application role assignment
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'
Get-EntraUserAppRoleAssignment -UserId 'SawyerM@contoso.com'
DeletedDateTime Id AppRoleId CreatedDateTime PrincipalDisplayName PrincipalId PrincipalType ResourceDisplayName
--------------- -- --------- --------------- -------------------- ----------- ------------- -------------------
0ekrQWAUYUCO7cyiA_A1bC2dE3fH4i 00001111-aaaa-2222-bbbb-3333cccc4444 31-07-2023 04:29:57 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-1
0ekrQWAUYUCO7cyiA_C2dE3fH4iJ5k 11112222-bbbb-3333-cccc-4444dddd5555 12-07-2023 10:09:17 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-2
0ekrQWAUYUCO7cyiA_H4iJ5kL6mN7o 22223333-cccc-4444-dddd-5555eeee6666 13-09-2023 16:41:53 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-5
0ekrQWAUYUCO7cyiA_J5kL6mN7oP8q 33334444-dddd-5555-eeee-6666ffff7777 13-09-2023 17:28:17 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-7
This example retrieves a user application role assignment for the user in $UserId. You can use the command Get-EntraUser to get Service principal Object ID.
-UserIdparameter specifies the object ID of a user(as a UserPrincipalName or ObjectId).
Example 2: Get all application role assignments
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'
Get-EntraUserAppRoleAssignment -UserId 'SawyerM@contoso.com' -All
DeletedDateTime Id AppRoleId CreatedDateTime PrincipalDisplayName PrincipalId PrincipalType ResourceDisplayName
--------------- -- --------- --------------- -------------------- ----------- ------------- -------------------
0ekrQWAUYUCO7cyiA_A1bC2dE3fH4i 00001111-aaaa-2222-bbbb-3333cccc4444 31-07-2023 04:29:57 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-1
0ekrQWAUYUCO7cyiA_C2dE3fH4iJ5k 11112222-bbbb-3333-cccc-4444dddd5555 12-07-2023 10:09:17 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-2
0ekrQWAUYUCO7cyiA_H4iJ5kL6mN7o 22223333-cccc-4444-dddd-5555eeee6666 13-09-2023 16:41:53 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-5
0ekrQWAUYUCO7cyiA_J5kL6mN7oP8q 33334444-dddd-5555-eeee-6666ffff7777 13-09-2023 17:28:17 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-7
This example demonstrates how to retrieve all application role assignment for the specified user.
-UserIdparameter specifies the object ID of a user(as a UserPrincipalName or ObjectId).
Example 3: Get top two application role assignments
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'
Get-EntraUserAppRoleAssignment -UserId 'SawyerM@contoso.com' -Top 2
DeletedDateTime Id AppRoleId CreatedDateTime PrincipalDisplayName PrincipalId PrincipalType ResourceDisplayName
--------------- -- --------- --------------- -------------------- ----------- ------------- -------------------
0ekrQWAUYUCO7cyiA_A1bC2dE3fH4i 00001111-aaaa-2222-bbbb-3333cccc4444 31-07-2023 04:29:57 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-1
0ekrQWAUYUCO7cyiA_C2dE3fH4iJ5k 11112222-bbbb-3333-cccc-4444dddd5555 12-07-2023 10:09:17 Sawyer Miller aaaaaaaa-bbbb-cccc-1111-222222222222 User Test-App-2
This example demonstrates how to retrieve top two application role assignment for the specified user. You can use -Limit as an alias for -Top.
-UserIdparameter specifies the object ID of a user(as a UserPrincipalName or ObjectId).
Example 4: Get application role assignments with selected properties
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'
Get-EntraUserAppRoleAssignment -UserId 'SawyerM@contoso.com' -Property Id,
CreatedDateTime, PrincipalDisplayName, PrincipalType |
Select-Object Id, CreatedDateTime, PrincipalDisplayName, PrincipalType
Id CreatedDateTime PrincipalDisplayName PrincipalType
-- ---------------- -------------------- --------------
0ekrQWAUYUCO7cyiA_A1bC2dE3fH4i 7/30/2024 5:59:16 PM Sawyer Miller User
0ekrQWAUYUCO7cyiA_C2dE3fH4iJ5k 9/19/2024 7:13:24 AM Contoso IT Support Group
This example demonstrates how to retrieve application role assignments for the specified user with selected properties.
-UserIdparameter specifies the object ID of a user(as a UserPrincipalName or ObjectId).
Parameters
-All
List all pages.
Parameter properties
| Type: | System.Management.Automation.SwitchParameter |
| Default value: | False |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Property
Specifies properties to be returned.
Parameter properties
| Type: | System.String[] |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | Select |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Top
Specifies the maximum number of records to return.
Parameter properties
| Type: | System.Int32 |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | Limit |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-UserId
Specifies the ID of a user (as a UserPrincipalName or ObjectId) in Microsoft Entra ID.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | ObjectId, UPN, Identity, UserPrincipalName |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.