Aug 01 2024 02:14 AM
For an inventory script, I use servicePrincipals?$expand=appRoleAssignedTo to get all service principals including "appRoleAssignedTo" info.
To make an inventory of the app role assignments, I loop through all apps (~2250) and for each app, I loop through app roles, and for each app role I loop through appRoleAssignedTo data.
In my environment this results in ~3000 app role assignments.
When I analyze the result, I estimate 5% of role assignments are missing.
I do see all roles, just not all role assignments. When I look up a missing assignment in the Entra portal I do see it.
The missing role assignments aren't special, they are assigned to normal Entra ID groups like other assigned app roles.
When I rerun the script, the same assignments are missing each time.
When I don't use $expand query parameter, but query the data directly using 'servicePrincipals/{id}/appRoleAssignedTo', I do get all assignments.
Did I run into a bug?
Aug 01 2024 08:16 AM
Aug 02 2024 12:15 AM
Aug 05 2024 11:10 AM
I was finally able to dig a bit deeper.
I added a routine to query the data directly and store the result in a table in memory.
Then I count the entries for each app with $expand and direct data.
I found that around 10% of the $expand data is missing app role assignments and see that the $expand method sometimes misses the only app role assignment configured on an app.
I don't think the cause is the documented app role limit.
I changed my script not to use the $expand query parameter for appRoleAssignedTo data.
So the data is now 100% correct, but the script is a bit slower.
Thanks again @VasilMichev !
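The reconciliation the poster describes (compare the appRoleAssignedTo entries inside the $expand payload against a direct servicePrincipals/{id}/appRoleAssignedTo query per app, following @odata.nextLink), as an added example that is not code from the original thread. The Graph calls are behind an injectable get_json callable (in real use something like requests.get(url, headers=bearer).json()), and the sample service principals and pages below are constructed, not real tenant data.

```python
"""Reconcile appRoleAssignedTo from $expand against per-servicePrincipal queries."""
from typing import Callable, Dict, Iterable, List

Json = dict
_BASE = "https://graph.microsoft.com/v1.0/servicePrincipals/"


def graph_get_all(get_json: Callable[[str], Json], url: str) -> List[Json]:
    """Collect every page of a Graph collection by following @odata.nextLink."""
    items: List[Json] = []
    while url:
        page = get_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink", "")
    return items


def missing_assignments(expanded_sps: Iterable[Json],
                        get_json: Callable[[str], Json]) -> Dict[str, List[str]]:
    """Return {sp_id: [assignment ids present in the direct query but absent
    from the $expand payload]} for every service principal that has a gap."""
    result: Dict[str, List[str]] = {}
    for sp in expanded_sps:
        expanded_ids = {a["id"] for a in sp.get("appRoleAssignedTo", [])}
        direct = graph_get_all(get_json, f"{_BASE}{sp['id']}/appRoleAssignedTo")
        gap = sorted({a["id"] for a in direct} - expanded_ids)
        if gap:
            result[sp["id"]] = gap
    return result


# Constructed sample: the $expand payload for sp-2 lacks assignment "asg-3".
EXPANDED_SAMPLE = [
    {"id": "sp-1", "appRoleAssignedTo": [{"id": "asg-1", "principalId": "grp-a"}]},
    {"id": "sp-2", "appRoleAssignedTo": [{"id": "asg-2", "principalId": "grp-b"}]},
]
# Constructed direct-query pages; sp-2 spans two pages to exercise paging.
FAKE_PAGES = {
    _BASE + "sp-1/appRoleAssignedTo": {"value": [{"id": "asg-1"}]},
    _BASE + "sp-2/appRoleAssignedTo": {"value": [{"id": "asg-2"}],
                                       "@odata.nextLink": _BASE + "sp-2/appRoleAssignedTo?$skiptoken=p2"},
    _BASE + "sp-2/appRoleAssignedTo?$skiptoken=p2": {"value": [{"id": "asg-3"}]},
}


def run_sample() -> Dict[str, List[str]]:
    return missing_assignments(EXPANDED_SAMPLE, lambda url: FAKE_PAGES[url])


if __name__ == "__main__":
    print(run_sample())  # {'sp-2': ['asg-3']}
```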