Better handling of discrepancy in /appRoleAssignments and /appRoleAssignedTo API response




Jun 01 2023

Let's say an app has some users and groups assigned to it. From MS tech docs, I understand that direct users of the assigned group are also treated as members of the application. When I issue a /users/{id}/appRoleAssignments API call for a user who is a direct member of the assigned group, I can confirm that the response contains the list of applications where this user is directly and indirectly (via group) assigned. If I try the reverse API call, to see the list of users assigned to the application using /servicePrincipals(appId='{App ID}')/appRoleAssignedTo, it lists only the direct users assigned to the application. It doesn't list the direct users of the group.


I am wondering if there's a plan to output expanded group members in the /servicePrincipals(appId='{appId}')/appRoleAssignedTo API call response to make the developer's life easier. If not, we will have to either query the group's members in addition or perform a /users/{id | userPrincipalName}/appRoleAssignments API call for each and every user and group in the directory, which will be super expensive. We are trying to see a better technical solution that's transitive and consistent in either direction.


I noticed from the Azure Active Directory UI that the Applications tab for a user shows both direct and indirect assignments (direct members of the group). This is the response we are trying to achieve in a single API call. An Azure AD Developer Support Engineer from MS mentioned it uses an internal API for display and external customers can't leverage it.


Follow up to


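The "query the group's members in addition" approach from the post, as an added example (not code from the post's author or from Microsoft Graph itself): the /appRoleAssignedTo result is joined with each assigned group's direct members to produce the effective user-to-role view that the portal shows, keeping track of whether each user got the role directly or via a group. The Graph responses are constructed inline so the script runs offline; real code would page through `/servicePrincipals/{id}/appRoleAssignedTo` and `/groups/{id}/members`. Nested groups are skipped on purpose, matching the post's statement that only direct members of the assigned group count.

```python
from typing import Dict, List, Set

# Constructed sample of /servicePrincipals/{id}/appRoleAssignedTo for one app.
# As described in the post, only direct principals (users and groups) appear.
APP_ROLE_ASSIGNED_TO: List[Dict[str, str]] = [
    {"principalId": "u-alice",  "principalType": "User",  "appRoleId": "role-reader"},
    {"principalId": "g-finance", "principalType": "Group", "appRoleId": "role-reader"},
    {"principalId": "g-admins",  "principalType": "Group", "appRoleId": "role-admin"},
]

# Constructed sample of /groups/{id}/members for each assigned group
# (directoryObject entries carry an @odata.type that tells users from groups).
GROUP_MEMBERS: Dict[str, List[Dict[str, str]]] = {
    "g-finance": [
        {"id": "u-bob",    "@odata.type": "#microsoft.graph.user"},
        {"id": "u-alice",  "@odata.type": "#microsoft.graph.user"},
        {"id": "g-nested", "@odata.type": "#microsoft.graph.group"},  # nested: not expanded
    ],
    "g-admins": [
        {"id": "u-carol", "@odata.type": "#microsoft.graph.user"},
    ],
}


def expand_assignments(assignments: List[Dict[str, str]],
                       members_by_group: Dict[str, List[Dict[str, str]]]
                       ) -> Dict[str, Dict[str, Set[str]]]:
    """Return {userId: {appRoleId: {"direct" | "via:<groupId>", ...}}}.

    A user may hold the same role through several paths; all paths are kept so
    an access review can see why the user has the role, not just that they do.
    """
    effective: Dict[str, Dict[str, Set[str]]] = {}

    def add(user_id: str, role_id: str, path: str) -> None:
        effective.setdefault(user_id, {}).setdefault(role_id, set()).add(path)

    for a in assignments:
        if a["principalType"] == "User":
            add(a["principalId"], a["appRoleId"], "direct")
        elif a["principalType"] == "Group":
            # Only direct user members of the group inherit the assignment;
            # nested groups are deliberately ignored (see lead-in).
            for m in members_by_group.get(a["principalId"], []):
                if m.get("@odata.type") == "#microsoft.graph.user":
                    add(m["id"], a["appRoleId"], "via:" + a["principalId"])
    return effective


if __name__ == "__main__":
    for user, roles in sorted(expand_assignments(APP_ROLE_ASSIGNED_TO, GROUP_MEMBERS).items()):
        print(user, {r: sorted(p) for r, p in roles.items()})
```

The result answers the post's question in the app-to-users direction (who effectively holds each role, and through which group) at the cost of one `/groups/{id}/members` call per assigned group rather than one `/appRoleAssignments` call per directory user.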