servicePrincipals?$expand=appRoleAssignedTo incomplete result

For an inventory script, I use servicePrincipals?$expand=appRoleAssignedTo to get all service principals including "appRoleAssignedTo" info.

To make an inventory of the app role assignments, I loop through all apps (~2250) and for each app, I loop through app roles, and for each app role I loop through appRoleAssignedTo data.

In my environment this results in ~3000 app role assignments.

When I analyze the result, I estimate 5% of role assignments are missing.
I do see all roles, just not all role assignments. When I look up a missing assignment in the Entra portal I do see it.
The missing role assignments aren't special, they are assigned to normal Entra ID groups like other assigned app roles.

When I rerun the script, the same assignments are missing each time.

When I don't use $expand query parameter, but query the data directly using 'servicePrincipals/{id}/appRoleAssignedTo', I do get all assignments.

Did I run into a bug?

3 Replies

$expand has known limitations, it returns 20 to 100 entries max. See for example here: https://developer.microsoft.com/en-us/graph/known-issues/?search=13635

Thanks for your answer!
Sorry for the double post on the other forum, I couldn't remove it there.
I think this is the place for an issue like this.

back to the issue:
I added a counter of assigned roles for each app to the inventory script, to see if the max I got was 20. Weirdly enough it wasn't: of 250 apps with roles assigned, 10% of them had more than 20 assignedTo entries (up to 160).
The app where i noticed first some assignments were missing showed 10, but had 13 assignedTo entries in reality.

The limit in the documentation isn't as hard as it is stated, it seems, and with the app with only 13 assignments still missing some, it might be a different issue.

I'll dig a bit deeper to see if I can find the difference for all role assignment between $expand and direct query data.
Performance is quite important to me; if I can find the lowest number of assignments that is correct, I'll trust that number, and everything above I query directly.

I'll share my findings here.
or did I overlook something?

I was finally able to dig a bit deeper.
I added a routine to query the data directly and store the result in a table in memory.
Then I counted the entries for each app with $expand and with the direct data.

I found that around 10% of the $expand data is missing app role assignments, and I see that the $expand method sometimes misses the only app role assignment configured on an app.
I don't think the cause is the documented approle limit.

I changed my script not to use the $expand query parameter for appRoleAssignedTo data.
So the data is now 100% correct, but the script is a bit slower.

thanks again @VasilMichev !
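The comparison the last two replies describe (count assignments per app from $expand, count them from the paged servicePrincipals/{id}/appRoleAssignedTo endpoint, report the gaps) as an added Python example; it is not code from the thread. The Graph GET is injected as a callable so the logic runs offline against constructed sample data; in a real run you would pass an authenticated GET that returns parsed JSON. The service principal ids and assignment ids are hypothetical.

```python
from typing import Callable, Dict, List, Set

GRAPH = "https://graph.microsoft.com/v1.0"
Fetch = Callable[[str], dict]  # an authenticated GET returning parsed JSON


def get_all_pages(fetch_json: Fetch, url: str) -> List[dict]:
    """Follow @odata.nextLink until the collection is exhausted."""
    items: List[dict] = []
    while url:
        page = fetch_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def assignments_via_expand(fetch_json: Fetch) -> Dict[str, Set[str]]:
    """Assignment ids per service principal as returned inline by $expand."""
    sps = get_all_pages(fetch_json, f"{GRAPH}/servicePrincipals?$expand=appRoleAssignedTo")
    return {sp["id"]: {a["id"] for a in sp.get("appRoleAssignedTo", [])} for sp in sps}


def assignments_direct(fetch_json: Fetch, sp_ids) -> Dict[str, Set[str]]:
    """Authoritative assignment ids per service principal from the paged relationship endpoint."""
    return {sp_id: {a["id"] for a in get_all_pages(fetch_json, f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignedTo")}
            for sp_id in sp_ids}


def missing_from_expand(expanded: Dict[str, Set[str]], direct: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Assignments the direct query returns that $expand dropped, keyed by service principal id."""
    gaps = {sp_id: ids - expanded.get(sp_id, set()) for sp_id, ids in direct.items()}
    return {sp_id: ids for sp_id, ids in gaps.items() if ids}


# Constructed sample data mirroring the thread's observation (hypothetical ids, no tenant data).
def _assignment(sp_id: str, n: int) -> dict:
    return {"id": f"{sp_id}-assign-{n}", "principalType": "Group", "resourceId": sp_id}

SAMPLE_DIRECT = {"app-a": [_assignment("app-a", i) for i in range(13)],  # 13 real assignments
                 "app-b": [_assignment("app-b", 0)]}                      # a single assignment
SAMPLE_EXPAND = {"app-a": SAMPLE_DIRECT["app-a"][:10],  # $expand shows only 10 of 13
                 "app-b": []}                            # $expand drops the only assignment


def fake_fetch(url: str) -> dict:
    """Offline stand-in for the Graph GET; pages the direct endpoint 5 rows at a time.
    Real @odata.nextLink values are opaque ($skiptoken); the $skip form here is only a simulation."""
    if "$expand=appRoleAssignedTo" in url:
        return {"value": [{"id": sp, "appRoleAssignedTo": rows} for sp, rows in SAMPLE_EXPAND.items()]}
    sp_id = url.split("/servicePrincipals/")[1].split("/")[0]
    skip = int(url.rsplit("$skip=", 1)[1]) if "$skip=" in url else 0
    rows = SAMPLE_DIRECT[sp_id]
    page = {"value": rows[skip:skip + 5]}
    if skip + 5 < len(rows):
        page["@odata.nextLink"] = f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignedTo?$skip={skip + 5}"
    return page
```

Running `missing_from_expand(assignments_via_expand(fake_fetch), assignments_direct(fake_fetch, SAMPLE_DIRECT))` against the sample reports 3 missing assignments for app-a and the single missing one for app-b, which is the check worth keeping in an inventory script whenever $expand is used for speed.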