
For a given Azure AD Service Principal, Get a list of the Azure Objects and Rights


We are trying to figure out all the rights an Azure Active Directory Service Principal (AADSP) has to objects in our Azure tenant.

For example an AADSP might have:

  • Read rights to SharePoint Online site collection A
  • Write permissions to SharePoint Online site collection B
  • Get permission to Azure Function A
  • Post permission to Azure Function B
  • Select permissions to SQL Database A

We are hoping that this information is stored in a collection within the Service Principal object, but we have not been able to locate the collection using Azure Graph.

https://graph.microsoft.com/v1.0/servicePrincipals

Is our only option to loop through all Azure objects and check each object's permissions to see which Service Principals have been granted rights?


Solution

  • There's no single API to query all sets of permissions given to a SP: application permissions AKA app roles, Azure AD directory permissions, and Azure RBAC.

    You can obtain application permissions using the MS Graph List appRoleAssignments operation, Azure AD role assignments through List unifiedRoleAssignments, and Azure RBAC permissions using the Azure REST API Permissions - List For Resource operation.

    Depending on the set of permissions, you may have to list all resources to find what assignments are available for a given SP.
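The three endpoints named in the answer can be folded into one audit pass per service principal. The following Python script is an added example, not code from the question or the answer; it assumes you already hold bearer tokens for the Microsoft Graph and Azure Resource Manager audiences, and for the RBAC part it uses Role Assignments - List For Scope with the `assignedTo('{objectId}')` filter instead of Permissions - List For Resource, because the latter reports the caller's own permissions rather than another principal's. The HTTP transport is injectable so the script can be exercised offline; every object id, role id and response body below is constructed sample data, not output from a real tenant.

```python
"""Enumerate the assignments held by one Azure AD service principal from the
three sources the answer names: Graph appRoleAssignments, Graph directory role
assignments (unifiedRoleAssignment) and Azure RBAC role assignments via ARM."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"
ARM = "https://management.azure.com"
ARM_API = "2022-04-01"
Fetch = Callable[[str, str], dict]  # (url, bearer token) -> parsed JSON body


def http_get_json(url: str, token: str) -> dict:
    """Default transport: authenticated GET returning the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def paged(url: str, token: str, fetch: Fetch) -> Iterator[dict]:
    """Yield items across pages; Graph uses @odata.nextLink, ARM uses nextLink."""
    while url:
        body = fetch(url, token)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink") or body.get("nextLink")


def app_role_assignments(sp_id: str, token: str, fetch: Fetch = http_get_json) -> List[dict]:
    """Application permissions (app roles) granted to the SP on other resource SPs."""
    url = f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments"
    return [{"source": "appRole", "resource": a.get("resourceDisplayName"),
             "role": a.get("appRoleId"), "scope": a.get("resourceId")}
            for a in paged(url, token, fetch)]


def directory_role_assignments(sp_id: str, token: str, fetch: Fetch = http_get_json) -> List[dict]:
    """Azure AD directory roles assigned to the SP (unifiedRoleAssignment)."""
    flt = urllib.parse.quote(f"principalId eq '{sp_id}'")
    url = f"{GRAPH}/roleManagement/directory/roleAssignments?$filter={flt}"
    return [{"source": "directoryRole", "resource": "Azure AD",
             "role": a.get("roleDefinitionId"), "scope": a.get("directoryScopeId")}
            for a in paged(url, token, fetch)]


def rbac_role_assignments(sp_id: str, scope: str, token: str, fetch: Fetch = http_get_json) -> List[dict]:
    """Azure RBAC role assignments under `scope` that apply to the SP."""
    flt = urllib.parse.quote(f"assignedTo('{sp_id}')", safe="()'")
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments"
           f"?api-version={ARM_API}&$filter={flt}")
    rows = []
    for a in paged(url, token, fetch):
        props = a.get("properties", {})
        rows.append({"source": "rbac", "resource": props.get("scope"),
                     "role": props.get("roleDefinitionId", "").rsplit("/", 1)[-1],
                     "scope": props.get("scope")})
    return rows


def collect(sp_id: str, scope: str, graph_token: str, arm_token: str,
            fetch: Fetch = http_get_json) -> List[dict]:
    """One flat list of everything the SP holds across the three sources."""
    return (app_role_assignments(sp_id, graph_token, fetch)
            + directory_role_assignments(sp_id, graph_token, fetch)
            + rbac_role_assignments(sp_id, scope, arm_token, fetch))


# ---- constructed offline sample, shaped like the real responses ----
SP_ID = "11111111-1111-1111-1111-111111111111"            # placeholder SP object id
SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"  # placeholder subscription
SAMPLE = {
    "appRoles-page1": {
        "value": [{"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001",
                   "resourceId": "sp-graph", "resourceDisplayName": "Microsoft Graph"}],
        "@odata.nextLink": f"{GRAPH}/servicePrincipals/{SP_ID}/appRoleAssignments?$skiptoken=p2"},
    "appRoles-page2": {
        "value": [{"appRoleId": "aaaaaaaa-0000-0000-0000-000000000002",
                   "resourceId": "sp-spo", "resourceDisplayName": "Office 365 SharePoint Online"}]},
    "dirRoles": {
        "value": [{"roleDefinitionId": "bbbbbbbb-0000-0000-0000-000000000001",
                   "principalId": SP_ID, "directoryScopeId": "/"}]},
    "rbac": {
        "value": [{"properties": {
            "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/cccccccc-0000-0000-0000-000000000001",
            "principalId": SP_ID, "scope": f"{SUB}/resourceGroups/rg-sql"}}]},
}


def fake_fetch(url: str, token: str) -> dict:
    """Offline stand-in for http_get_json, dispatching on the URL shape."""
    if "appRoleAssignments" in url:
        return SAMPLE["appRoles-page2"] if "skiptoken" in url else SAMPLE["appRoles-page1"]
    if "roleManagement/directory/roleAssignments" in url:
        return SAMPLE["dirRoles"]
    if "Microsoft.Authorization/roleAssignments" in url:
        return SAMPLE["rbac"]
    raise ValueError(f"unexpected url: {url}")


if __name__ == "__main__":
    for row in collect(SP_ID, SUB, "graph-token", "arm-token", fake_fetch):
        print(row)
```

Against a live tenant, drop `fake_fetch` and pass real tokens so `http_get_json` is used; the Graph calls need directory read permissions and the ARM call needs `Microsoft.Authorization/roleAssignments/read` on the subscription. Querying RBAC at subscription scope with `assignedTo` returns the assignments that apply to the principal within that subscription, including those on resource groups and individual resources, which avoids walking every resource as the answer's last point warns; app roles and directory roles still have to be read from Graph separately, and role definition ids are resolved to names with a further lookup.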