Get-PnPEntraIDServicePrincipalAppRoleAssignment
SYNOPSIS
Required Permissions
- Microsoft Graph API: permissions to read the enterprise application, such as Application.Read.All, Application.ReadWrite.All, Directory.Read.All, or Directory.ReadWrite.All. Depending on how you identify the target principal, additional permissions such as User.Read.All, User.ReadWrite.All, Group.Read.All, or Group.ReadWrite.All can be required.
Gets app role assignments configured on an enterprise application for a specific Entra ID user or group.
SYNTAX
User
Get-PnPEntraIDServicePrincipalAppRoleAssignment -User <EntraIDUserPipeBind> [-AppRole <ServicePrincipalAvailableAppRoleBind>] [-Resource <ServicePrincipalPipeBind>] [-Connection <PnPConnection>]
Group
Get-PnPEntraIDServicePrincipalAppRoleAssignment -Group <EntraIDGroupPipeBind> [-AppRole <ServicePrincipalAvailableAppRoleBind>] [-Resource <ServicePrincipalPipeBind>] [-Connection <PnPConnection>]
DESCRIPTION
Allows retrieval of app role assignments for a specific Entra ID user or group on an enterprise application represented by a service principal.
If you pipe in an app role instance retrieved through Get-PnPEntraIDServicePrincipalAvailableAppRole, the resource service principal is inferred automatically and you can omit -Resource.
EXAMPLES
EXAMPLE 1
Get-PnPEntraIDServicePrincipalAppRoleAssignment -User "john@contoso.com" -Resource "Contoso CRM"
Retrieves all enterprise app role assignments for the user john@contoso.com on the enterprise application Contoso CRM.
EXAMPLE 2
Get-PnPEntraIDServicePrincipalAppRoleAssignment -Group "Sales Team" -Resource "Contoso CRM"
Retrieves all enterprise app role assignments for the group Sales Team on the enterprise application Contoso CRM.
EXAMPLE 3
Get-PnPEntraIDServicePrincipal -AppName "Contoso CRM" | Get-PnPEntraIDServicePrincipalAvailableAppRole -Identity "Reader" | Get-PnPEntraIDServicePrincipalAppRoleAssignment -User "john@contoso.com"
Retrieves the Reader enterprise app role assignment for the user john@contoso.com on the Contoso CRM enterprise application.
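The following is an added example, not part of the PnP PowerShell documentation: an access-review helper that reports, for a list of users and groups, whether each holds a given app role on an enterprise application and how many other role assignments it has there. It assumes an existing Connect-PnPOnline session with the Microsoft Graph permissions listed above; the function name Get-AssignmentSummary and the sample principals are constructed for illustration.

```powershell
# Constructed review inputs (placeholders, replace with your own values).
$resource  = "Contoso CRM"
$roleValue = "Reader"
$users     = @("john@contoso.com", "jane@contoso.com")
$groups    = @("Sales Team")

# Resolve the app role once; piping it in later lets the cmdlet infer the resource.
$role = Get-PnPEntraIDServicePrincipal -AppName $resource |
    Get-PnPEntraIDServicePrincipalAvailableAppRole -Identity $roleValue
if (-not $role) { throw "App role '$roleValue' was not found on '$resource'." }

# Hypothetical helper: summarises one principal's assignments on the application.
function Get-AssignmentSummary {
    param(
        [ValidateSet('User', 'Group')][string]$Kind,
        [string]$Name,
        [string]$Resource,
        $Role
    )
    $who = @{ $Kind = $Name }   # splatted as -User <name> or -Group <name>
    $row = [ordered]@{ Kind = $Kind; Principal = $Name; HoldsRole = $null
                       OtherRoles = $null; Error = $null }
    try {
        # All assignments the principal has on the application.
        $all = @(Get-PnPEntraIDServicePrincipalAppRoleAssignment @who -Resource $Resource -ErrorAction Stop)
        # Only the assignment(s) for the role under review.
        $inRole = @($Role | Get-PnPEntraIDServicePrincipalAppRoleAssignment @who -ErrorAction Stop)
        $row.HoldsRole  = $inRole.Count -gt 0
        $row.OtherRoles = $all.Count - $inRole.Count
    }
    catch {
        # An unresolvable principal or missing permission is recorded, not hidden.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$report = @(
    $users  | ForEach-Object { Get-AssignmentSummary -Kind User  -Name $_ -Resource $resource -Role $role }
    $groups | ForEach-Object { Get-AssignmentSummary -Kind Group -Name $_ -Resource $resource -Role $role }
)

# Rows with OtherRoles greater than 0, or with an Error, are the ones to follow up on.
$report | Format-Table -AutoSize
```

Because the cmdlet only reads assignments, the review can run under a connection granted read-only permissions such as Application.Read.All rather than the ReadWrite variants.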
PARAMETERS
-User
The id, user principal name, or instance of the Entra ID user for which to retrieve enterprise application assignments.
Type: EntraIDUserPipeBind
Parameter Sets: User
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Group
The id, display name, or group instance of the Entra ID group for which to retrieve enterprise application assignments. This can be a group object returned by Get-PnPEntraIDGroup.
Type: EntraIDGroupPipeBind
Parameter Sets: Group
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
-AppRole
The object id, value, or instance of the application role to filter the assignments on. When an app role instance is provided through the pipeline, the resource service principal is inferred automatically.
Type: ServicePrincipalAvailableAppRoleBind
Parameter Sets: User, Group
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
-Resource
The object id, name, or instance of the enterprise application service principal. This parameter can be omitted when an app role instance is provided through the pipeline.
Type: ServicePrincipalPipeBind
Parameter Sets: User, Group
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Connection
Optional connection to be used by the cmdlet. Retrieve the value for this parameter by either specifying -ReturnConnection on Connect-PnPOnline or by executing Get-PnPConnection.
Type: PnPConnection
Parameter Sets: (All)
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
RELATED LINKS
Microsoft 365 Patterns and Practices
Microsoft Graph documentation