Where to see a list of Azure AD roles that a service principal has?
As shown in the picture, I'm in "Azure AD" -> "Enterprise applications" blade -> then open up my service principal details.
All I want to know is what Azure AD role (not an Azure RBAC role) this SP currently has.
I checked the "Roles and administrators" blade; it looks like all it does is show a list of what roles can be assigned to this SP, but not what has already been assigned.
To me, this blade is so misleading and useless. (I was thinking this SP had already been assigned this many roles...)
I even tried the "az ad sp show" command; it does not show what Azure AD role is assigned to this SP either.
Where can I see it then?
Solution 1:[1]
I'm not sure that you can see this from the Portal, but you can find out with the below.
Get-AzureADMSRoleAssignment requires the AzureADPreview module.
```powershell
# the Enterprise Application's object ID
$appObjectId = ""
$roles = @()

# IDs of the role definitions assigned to this principal
$rolesAssignedId = (Get-AzureADMSRoleAssignment -Filter "PrincipalId eq '$appObjectId'").RoleDefinitionId

# Resolve each role definition ID to its display name via the role templates
foreach ($roleId in $rolesAssignedId)
{
    $roleName = (Get-AzureADDirectoryRoleTemplate | Where-Object {$_.ObjectId -eq $roleId}).DisplayName
    $roles += $roleName
}

# Output the assigned role names
$roles
```
Solution 2:[2]
You have a tiny dropdown button next to the search bar; that's where you can toggle between Assignable: yes and Assignable: no.
When you set it to no, you see the roles your SP is assigned at the AD level.
In our case, "Directory readers" and so on, which are AD-level roles rather than RBAC ones.
Solution 3:[3]
This is not done at the SP level, you need to review role assignments at the scope they are assigned (Management Group, Subscription, etc). If you think about it, it makes sense. If you just saw the role Owner, that wouldn't mean much if you didn't see the scope it is assigned to. Owner of an RG is much different than an Owner of a Subscription.
You can download role assignments at a scope in CSV or JSON formats. Follow these steps to download role assignments at a scope.
- In the Azure portal, click All services and then select the scope where you want to download the role assignments. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.
- Click the specific resource.
- Click Access control (IAM).
- Click Download role assignments to open the Download role assignments pane.
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | scottwtang |
| Solution 2 | harshavmb |
| Solution 3 | Ken W MSFT |



