Let's say an app has some users and groups assigned to it. From the MS tech docs, I understand that direct users of the assigned group are also treated as members of the application. When I issue the /users/{id}/appRoleAssignments API call for a user who is a direct member of the assigned group, I can confirm that the response contains the list of applications where this user is directly and indirectly (via the group) assigned. If I try the reverse API call - to see the list of users assigned to the application using /servicePrincipals(appId='{App ID}')/appRoleAssignedTo - it lists only the direct users assigned to the application. It doesn't list the direct users of the group.
I am wondering if there's a plan to output expanded group members in the /servicePrincipals(appId='{appId}')/appRoleAssignedTo API call response to make the developer's life easier. If not, we will have to either query the group's members in addition or perform the /users/{id | userPrincipalName}/appRoleAssignments API call for each and every user and group in the directory, which will be super expensive. We are trying to find a better technical solution that's transitive and consistent in either direction.
I noticed from the Azure Active Directory UI that the Applications tab for a user shows both direct and indirect assignments (direct members of the group). This is the response we are trying to achieve in a single API call. An Azure AD Developer Support Engineer from MS mentioned that it uses an internal API for display and external customers can't leverage it.
Follow up to https://learn.microsoft.com/en-us/answers/questions/1289709/discrepancy-in-approleassignments-and-approleassig
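One way to rebuild the transitive, app-centric view from the two calls that do exist today is to merge the direct entries returned by appRoleAssignedTo with the direct user members of each assigned group. This is an added example, not code from the original question or from Microsoft; the response data below is constructed to stand in for the Graph responses, and the function and helper names are my own.

```python
"""Effective (direct + via group) user assignments of an Azure AD application.

Constructed sample data replaces the Microsoft Graph calls so this runs offline.
In a real script, fill APP_ROLE_ASSIGNED_TO from
  GET /servicePrincipals(appId='{appId}')/appRoleAssignedTo
and GROUP_MEMBERS[groupId] from
  GET /groups/{groupId}/members
(both paged via @odata.nextLink).
"""
from typing import Dict, List

# Constructed sample of appRoleAssignedTo: only direct principals appear,
# the group is listed as a single entry and its members are not expanded.
APP_ROLE_ASSIGNED_TO = [
    {"principalId": "u-alice", "principalType": "User", "principalDisplayName": "Alice", "appRoleId": "role-reader"},
    {"principalId": "g-finance", "principalType": "Group", "principalDisplayName": "Finance", "appRoleId": "role-reader"},
    {"principalId": "u-bob", "principalType": "User", "principalDisplayName": "Bob", "appRoleId": "role-admin"},
]

# Constructed sample of /groups/{id}/members. Only direct members of an
# assigned group inherit the assignment, so a nested group is deliberately
# NOT expanded here (matching the behaviour described in the question).
GROUP_MEMBERS: Dict[str, List[dict]] = {
    "g-finance": [
        {"id": "u-bob", "@odata.type": "#microsoft.graph.user", "displayName": "Bob"},
        {"id": "u-carol", "@odata.type": "#microsoft.graph.user", "displayName": "Carol"},
        {"id": "g-nested", "@odata.type": "#microsoft.graph.group", "displayName": "Nested"},
    ],
}


def effective_user_assignments(assignments: List[dict],
                               group_members: Dict[str, List[dict]]) -> Dict[str, List[dict]]:
    """Map userId -> list of {"appRoleId", "via"} covering direct and group-derived access.

    Keeping one entry per path (rather than de-duplicating by role) shows an
    access reviewer why a user has the role, e.g. Bob below is both a direct
    admin and a reader via Finance.
    """
    result: Dict[str, List[dict]] = {}
    for a in assignments:
        if a["principalType"] == "User":
            result.setdefault(a["principalId"], []).append(
                {"appRoleId": a["appRoleId"], "via": "direct"})
        elif a["principalType"] == "Group":
            for m in group_members.get(a["principalId"], []):
                if m.get("@odata.type") != "#microsoft.graph.user":
                    continue  # nested groups / service principals do not inherit
                result.setdefault(m["id"], []).append(
                    {"appRoleId": a["appRoleId"], "via": a["principalDisplayName"]})
    return result


if __name__ == "__main__":
    for user, paths in effective_user_assignments(APP_ROLE_ASSIGNED_TO, GROUP_MEMBERS).items():
        print(user, paths)
```

This costs one appRoleAssignedTo query plus one members query per assigned group, instead of one appRoleAssignments query per user in the directory.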