As shown in the picture, I'm in "Azure AD" -> "Enterprise applications" blade -> then open up my service principal details.
All I want to know is what Azure AD role (not Azure RBAC role) this SP currently has.
I checked the "Roles and administrators" blade, looks like all it does is show a list of what role can be assigned to this SP but not what has already been assigned.
To me, this blade is so misleading and useless. (I was thinking this SP has already assigned this many roles....)
I even tried the "az ad sp show" command; it does not show what Azure AD role is assigned to this SP either.
Where can I see it then?
I'm not sure that you can see this from the Portal, but you can find out with the below.
Get-AzureADMSRoleAssignment (requires the AzureADPreview module):
# the Enterprise Application's (service principal's) object ID
$appObjectId = ""
$roles = @()
# every Azure AD role assignment whose principal is this service principal
$rolesAssignedId = (Get-AzureADMSRoleAssignment -Filter "PrincipalId eq '$appObjectId'").RoleDefinitionId
foreach ($roleId in $rolesAssignedId)
{
    # built-in role definition IDs match the directory role template IDs, so resolve the display name there
    $roleName = (Get-AzureADDirectoryRoleTemplate | Where-Object {$_.ObjectId -eq $roleId}).DisplayName
    $roles += $roleName
}
$roles
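A variant of the same lookup, added here as an example and not part of the answer above: it resolves each assignment through Get-AzureADMSRoleDefinition from the same AzureADPreview module (so custom roles are named too) and also reports the assignment scope, which the list of names alone does not show. It assumes Connect-AzureAD has already been run; $spObjectId is a placeholder.

```powershell
# Added example (not the answer's own code). Assumes the AzureADPreview module is
# installed and Connect-AzureAD has been run; $spObjectId is a placeholder.
function Get-SpDirectoryRoles {
    param([Parameter(Mandatory)][string]$SpObjectId)

    # Every Azure AD (directory) role assignment whose principal is this service principal.
    $assignments = Get-AzureADMSRoleAssignment -Filter "principalId eq '$SpObjectId'"

    foreach ($a in $assignments) {
        # Resolve the role definition by ID; covers built-in and custom roles.
        $def = Get-AzureADMSRoleDefinition -Id $a.RoleDefinitionId
        [pscustomobject]@{
            RoleName     = $def.DisplayName
            IsBuiltIn    = $def.IsBuiltIn
            # "/" means tenant-wide; any other value is a scoped assignment (e.g. an administrative unit)
            Scope        = $a.DirectoryScopeId
            AssignmentId = $a.Id
        }
    }
}

$spObjectId = "<enterprise application object id>"   # placeholder, replace before running
Get-SpDirectoryRoles -SpObjectId $spObjectId | Format-Table -AutoSize
```

An empty result means the SP holds no Azure AD role at all; Azure RBAC role assignments live in Azure Resource Manager and are not returned by this cmdlet.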