Tags: c#, asp.net-core, microsoft-graph-api, azure-ad-graph-api, microsoft-entra-id

Microsoft Graph API - Get users with specified app roles


I have a question about the Graph API. I need to download all users who have been assigned the app role "Role" in "ApplicationA". I need it to download all users with the required app role to send an email. I have tried various ways, through the list of users using the following API:

https://graph.microsoft.com/v1.0/users?$expand=appRoleAssignments&$count=true&$filter=appRoleAssignments/any(w:w/appRoleId eq {guid})

However, this returns the following error; I have of course tried similar options.

{
    "error": {
        "code": "Request_UnsupportedQuery",
        "message": "Property 'appRoleId' does not exist as a declared property or extension property.",
        "innerError": {
            "date": "2024-02-28T20:49:49",
            "request-id": "bf8991a4-82e9-4136-9664-1cebc1718ae0",
            "client-request-id": "bf8991a4-82e9-4136-9664-1cebc1718ae0"
        }
    }
}

I also tried using servicePrincipals. But this returns all users/applications assigned to the service principal and not just the role I need, and the filtering I tried with OData didn't work. Many items are downloaded:

https://graph.microsoft.com/v1.0/servicePrincipals(appId='{guid}')/appRoleAssignedTo

Do you know of a better solution? Thanks


Solution

  • It seems that getting users with specified app roles is not supported yet, and the API documentation doesn't have a description which supports the filter.


    Therefore, we can only do the filter by ourselves. The code snippet below worked on my side.

    using System.Collections.Generic;
    using Azure.Identity;
    using Microsoft.Graph;
    using Microsoft.Graph.Models;   // User and AppRoleAssignment live here in Graph SDK v5
    
    var scopes = new[] { "https://graph.microsoft.com/.default" };
    var tenantId = "tenantId";
    var clientId = "clientId";
    var clientSecret = "clientSecret";
    var clientSecretCredential = new ClientSecretCredential(
        tenantId, clientId, clientSecret);
    var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
    
    // $filter on appRoleAssignments/appRoleId is rejected by Graph (Request_UnsupportedQuery),
    // so only $expand the assignments here and match the role client-side below.
    var res = await graphClient.Users.GetAsync((requestConfiguration) =>
    {
        requestConfiguration.QueryParameters.Expand = new string[] { "appRoleAssignments($select=appRoleId,resourceDisplayName)" };
    });
    
    var users = new List<User>();
    // res.Value is only the first page; follow res.OdataNextLink (or use PageIterator) in large tenants.
    foreach (var tempUser in res?.Value ?? new List<User>())
    {
        var roles = tempUser.AppRoleAssignments;
        if (roles == null) continue;   // user has no app role assignments
        foreach (var role in roles)
        {
            // AppRoleId is a Guid?; compare against the role's id from the app manifest
            if (role.AppRoleId?.ToString() == "role_id_here")
            {
                users.Add(tempUser);
                break;   // one matching assignment is enough
            }
        }
    }
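As an added example (not the asker's or answerer's code, and written in Python rather than C# so it runs without the Graph SDK): the asker's second endpoint, /servicePrincipals(appId='{guid}')/appRoleAssignedTo, returns every assignment on the application, so the match on appRoleId also has to be done client-side, but over far fewer objects than expanding every user in the tenant. The pages, GUIDs and ids below are constructed placeholders; the field names (value, @odata.nextLink, appRoleId, principalId, principalType) are those of the Graph appRoleAssignment resource, and a real client would replace fetch_sample_page with an authenticated GET.

```python
# Added example: client-side filter over appRoleAssignedTo pages (constructed data).
ROLE_ID = "0f4b9a2e-5c3d-4e1f-8a7b-6c5d4e3f2a1b"     # placeholder: the "Role" app role
OTHER_ROLE = "9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c5b"  # placeholder: another role on the app

# Two constructed pages shaped like Graph's appRoleAssignedTo response, chained by @odata.nextLink.
SAMPLE_PAGES = {
    "page1": {
        "value": [
            {"appRoleId": ROLE_ID, "principalId": "u-1", "principalType": "User"},
            {"appRoleId": OTHER_ROLE, "principalId": "u-2", "principalType": "User"},
            {"appRoleId": ROLE_ID, "principalId": "g-1", "principalType": "Group"},
        ],
        "@odata.nextLink": "page2",
    },
    "page2": {
        "value": [
            {"appRoleId": ROLE_ID.upper(), "principalId": "u-3", "principalType": "User"},
            {"appRoleId": ROLE_ID, "principalId": "u-1", "principalType": "User"},  # duplicate
            {"appRoleId": ROLE_ID, "principalId": "sp-1", "principalType": "ServicePrincipal"},
        ],
    },
}

def fetch_sample_page(url):
    """Stand-in for an authenticated GET of `url`; swap in a real HTTP call here."""
    return SAMPLE_PAGES[url]

def iter_assignments(first_url, fetch):
    """Yield every appRoleAssignment across all pages by following @odata.nextLink."""
    url = first_url
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def principals_with_role(first_url, role_id, fetch=fetch_sample_page):
    """Return (sorted user ids, sorted group ids) assigned role_id; GUIDs compare
    case-insensitively. Groups are kept apart because their members are not listed
    here; service principals are dropped since they cannot receive the email."""
    users, groups = set(), set()
    for a in iter_assignments(first_url, fetch):
        if (a.get("appRoleId") or "").lower() != role_id.lower():
            continue
        if a.get("principalType") == "User":
            users.add(a["principalId"])
        elif a.get("principalType") == "Group":
            groups.add(a["principalId"])
    return sorted(users), sorted(groups)
```

The user ids returned are the principalId values, which can then be resolved to mail addresses with /users/{id}; the group list tells you which groups still need a members lookup before the mailing list is complete.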