Forum Discussion
Qonnect
Aug 01, 2024 Copper Contributor
servicePrincipals?$expand=appRoleAssignedTo incomplete result
For an inventory script, I use servicePrincipals?$expand=appRoleAssignedTo to get all service principals including "appRoleAssignedTo" info. To make an inventory of the app role assignments, I loop th...
VasilMichev
Aug 01, 2024 MVP
$expand has known limitations: it returns 20 to 100 entries max. See for example here: https://developer.microsoft.com/en-us/graph/known-issues/?search=13635
Qonnect
Aug 02, 2024 Copper Contributor
Thanks for your answer!
Sorry for the double post on the other forum, I couldn't remove it there.
I think this is the place for an issue like this.
Back to the issue:
I added a counter of assigned roles for each app to the inventory script, to see if the max I got was 20. Weirdly enough it wasn't: of 250 apps with roles assigned, 10% had more than 20 assignedTo entries (up to 160).
The app where I first noticed some assignments were missing showed 10, but had 13 assignedTo entries in reality.
The limit in the documentation isn't as hard as it is stated, it seems, and with the app with only 13 assignments still missing some, it might be a different issue.
I'll dig a bit deeper to see if I can find the difference for all role assignments between $expand and direct query data.
Performance is quite important to me. If I can find the lowest number of assignments that is correct, I'll trust that number; everything above it I query directly.
I'll share my findings here.
Or did I overlook something?
- Qonnect Aug 05, 2024 Copper Contributor
I was finally able to dig a bit deeper.
I added a routine to query the data directly and store the result in a table in memory, then count the entries for each app with $expand and direct data.
I found that around 10% of the $expand data is missing app role assignments, and I see that the $expand method sometimes misses the only app role assignment configured on an app.
I don't think the cause is the documented app role limit.
I changed my script not to use the $expand query parameter for appRoleAssignedTo data.
So the data is now 100% correct, but the script is a bit slower. Thanks again VasilMichev!
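
The comparison described in this thread, sketched as an added example that is not part of any poster's script: it reads appRoleAssignedTo once through $expand and once per service principal with paging, then reports every app where the two disagree. The `get` callable, the `sp-*` ids, the `$skiptoken=X` link and the fake tenant are constructed assumptions so the code runs offline.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

def get_all(get, url):
    """Collect a whole Graph collection by following @odata.nextLink."""
    items = []
    while url:
        page = get(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def audit_expand(get):
    """Return {sp_id: (expand_count, direct_count)} for each mismatch."""
    mismatches = {}
    sps = get_all(get, f"{GRAPH}/servicePrincipals?$expand=appRoleAssignedTo")
    for sp in sps:
        expanded = {a["id"] for a in sp.get("appRoleAssignedTo", [])}
        direct_url = f"{GRAPH}/servicePrincipals/{sp['id']}/appRoleAssignedTo"
        direct = {a["id"] for a in get_all(get, direct_url)}
        if expanded != direct:
            mismatches[sp["id"]] = (len(expanded), len(direct))
    return mismatches

def fake_graph():
    """Constructed tenant: sp-a shows 10 of 13, sp-b loses its only entry."""
    def rows(sp, n, start=0):
        return [{"id": f"{sp}-assignment-{i}"} for i in range(start, start + n)]
    base = f"{GRAPH}/servicePrincipals"
    pages = {
        f"{base}?$expand=appRoleAssignedTo": {"value": [
            {"id": "sp-a", "appRoleAssignedTo": rows("sp-a", 10)},
            {"id": "sp-b", "appRoleAssignedTo": []},
            {"id": "sp-c", "appRoleAssignedTo": rows("sp-c", 2)},
        ]},
        f"{base}/sp-a/appRoleAssignedTo": {
            "value": rows("sp-a", 10),
            "@odata.nextLink": f"{base}/sp-a/appRoleAssignedTo?$skiptoken=X",
        },
        f"{base}/sp-a/appRoleAssignedTo?$skiptoken=X": {"value": rows("sp-a", 3, 10)},
        f"{base}/sp-b/appRoleAssignedTo": {"value": rows("sp-b", 1)},
        f"{base}/sp-c/appRoleAssignedTo": {"value": rows("sp-c", 2)},
    }
    return pages.__getitem__

if __name__ == "__main__":
    for sp_id, (exp, direct) in audit_expand(fake_graph()).items():
        print(f"{sp_id}: $expand returned {exp}, direct query returned {direct}")
```

Against a real tenant, `get` would be any function that performs an authenticated GET on the URL and returns the parsed JSON body.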