List appRoleAssignments granted to a user
08/02/2022
Namespace: microsoft.graph
Retrieve the list of appRoleAssignment objects that a user has been granted. This operation also returns app roles assigned to groups that the user is a direct member of.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | User.ReadBasic.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Directory.Read.All, AppRoleAssignment.ReadWrite.All |
HTTP request
    GET /users/{id | userPrincipalName}/appRoleAssignments
Optional query parameters
This method supports the OData query parameters to help customize the response.
Request headers

| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. |
Request body
Do not supply a request body for this method.
Response
If successful, this method returns a 200 OK response code and a collection of appRoleAssignment objects in the response body.
Examples
Example 1: List appRoleAssignments granted to a user
Request
Here is an example of the request to retrieve the app roles that have been assigned to a user.
    GET https://graph.microsoft.com/v1.0/users/6e7b768e-07e2-4810-8459-485f84f8f204/appRoleAssignments

    GraphServiceClient graphClient = new GraphServiceClient( authProvider );
    var appRoleAssignments = await graphClient.Users["{user-id}"].AppRoleAssignments
        .Request()
        .GetAsync();

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

    const options = {
        authProvider,
    };
    const client = Client.init(options);
    let appRoleAssignments = await client.api('/users/6e7b768e-07e2-4810-8459-485f84f8f204/appRoleAssignments')
        .get();

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

    GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
    AppRoleAssignmentCollectionPage appRoleAssignments = graphClient.users("6e7b768e-07e2-4810-8459-485f84f8f204").appRoleAssignments()
        .buildRequest()
        .get();

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

    //THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
    graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
    result, err := graphClient.UsersById("user-id").AppRoleAssignments().Get()

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

    <?php
    // THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
    $graphServiceClient = new GraphServiceClient($requestAdapter);
    $requestResult = $graphServiceClient->usersById('user-id')->appRoleAssignments()->get();

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Response
The following is an example of the response.
Note: The response object shown here might be shortened for readability.
    HTTP/1.1 200 OK
    Content-type: application/json

    {
      "value": [
        {
          "id": "41W1zT6z1U-kJxf62svfp1HFE8pMZhxDun-ThPczmJE",
          "deletedDateTime": null,
          "appRoleId": "00000000-0000-0000-0000-000000000000",
          "createdDateTime": "2021-02-02T04:22:45.9480566Z",
          "principalDisplayName": "Alex Wilber",
          "principalId": "cdb555e3-b33e-4fd5-a427-17fadacbdfa7",
          "principalType": "User",
          "resourceDisplayName": "dxprovisioning-graphapi-client",
          "resourceId": "8e881353-1735-45af-af21-ee1344582a4d"
        }
      ]
    }
Example 2: List appRoleAssignments granted to a user, filtered by resourceId
Request
Here is an example of the request to retrieve the app roles that have been assigned to a user, filtering by a resourceId, which is a GUID type.
    GET https://graph.microsoft.com/v1.0/users/cdb555e3-b33e-4fd5-a427-17fadacbdfa7/appRoleAssignments?$filter=resourceId eq 8e881353-1735-45af-af21-ee1344582a4d

    GraphServiceClient graphClient = new GraphServiceClient( authProvider );
    var appRoleAssignments = await graphClient.Users["{user-id}"].AppRoleAssignments
        .Request()
        .Filter("resourceId eq 8e881353-1735-45af-af21-ee1344582a4d")
        .GetAsync();

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

    const options = {
        authProvider,
    };
    const client = Client.init(options);
    let appRoleAssignments = await client.api('/users/cdb555e3-b33e-4fd5-a427-17fadacbdfa7/appRoleAssignments')
        .filter('resourceId eq 8e881353-1735-45af-af21-ee1344582a4d')
        .get();

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

    GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
    AppRoleAssignmentCollectionPage appRoleAssignments = graphClient.users("cdb555e3-b33e-4fd5-a427-17fadacbdfa7").appRoleAssignments()
        .buildRequest()
        .filter("resourceId eq 8e881353-1735-45af-af21-ee1344582a4d")
        .get();

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

    //THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
    graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
    requestParameters := &graphconfig.AppRoleAssignmentsRequestBuilderGetQueryParameters{
        Filter: "resourceId eq 8e881353-1735-45af-af21-ee1344582a4d",
    }
    configuration := &graphconfig.AppRoleAssignmentsRequestBuilderGetRequestConfiguration{
        QueryParameters: requestParameters,
    }
    result, err := graphClient.UsersById("user-id").AppRoleAssignments().GetWithRequestConfigurationAndResponseHandler(configuration, nil)

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

    Import-Module Microsoft.Graph.Applications
    Get-MgUserAppRoleAssignment -UserId $userId -Filter "resourceId eq 8e881353-1735-45af-af21-ee1344582a4d" -OutFile $outFileId

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

    <?php
    // THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
    $graphServiceClient = new GraphServiceClient($requestAdapter);
    $requestConfiguration = new AppRoleAssignmentsRequestBuilderGetRequestConfiguration();
    $queryParameters = new AppRoleAssignmentsRequestBuilderGetQueryParameters();
    $queryParameters->filter = "resourceId eq 8e881353-1735-45af-af21-ee1344582a4d";
    $requestConfiguration->queryParameters = $queryParameters;
    $requestResult = $graphServiceClient->usersById('user-id')->appRoleAssignments()->get($requestConfiguration);

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Response
The following is an example of the response.
Note: The response object shown here might be shortened for readability.
    HTTP/1.1 200 OK
    Content-type: application/json

    {
      "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#appRoleAssignments",
      "value": [
        {
          "id": "41W1zT6z1U-kJxf62svfp1HFE8pMZhxDun-ThPczmJE",
          "createdDateTime": "2021-02-02T04:22:45.9480566Z",
          "appRoleId": "00000000-0000-0000-0000-000000000000",
          "principalDisplayName": "MOD Administrator",
          "principalId": "cdb555e3-b33e-4fd5-a427-17fadacbdfa7",
          "principalType": "User",
          "resourceDisplayName": "dxprovisioning-graphapi-client",
          "resourceId": "8e881353-1735-45af-af21-ee1344582a4d"
        }
      ]
    }
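
An access-review sketch built on the two requests above, added here as an example and not taken from Microsoft's documentation or SDKs. It accepts only a GUID as the resourceId placed in $filter, URL-encodes the filter, follows Graph's @odata.nextLink paging, and separates direct assignments from those inherited through a group; the helper names, the getJson callback and the sample pages are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample data.
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;
const DEFAULT_ROLE = '00000000-0000-0000-0000-000000000000'; // default app role ID

// Build the request URL; only a validated GUID is ever placed in $filter.
function buildAssignmentsUrl(userId, resourceId) {
  const base = 'https://graph.microsoft.com/v1.0/users/' +
    encodeURIComponent(userId) + '/appRoleAssignments';
  if (resourceId === undefined) return base;
  if (!GUID.test(resourceId)) throw new Error('resourceId must be a GUID');
  return base + '?$filter=' + encodeURIComponent('resourceId eq ' + resourceId);
}

// Follow @odata.nextLink until the collection is exhausted.
// getJson is an assumed callback: (url) => Promise of the parsed response body.
async function listAll(getJson, url) {
  const items = [];
  while (url) {
    const page = await getJson(url);
    items.push(...(page.value || []));
    url = page['@odata.nextLink'];
  }
  return items;
}

// Split assignments into direct and group-inherited, and flag default-role grants.
function review(userObjectId, assignments) {
  const out = { direct: [], viaGroup: [], defaultRole: [] };
  for (const a of assignments) {
    const direct = a.principalType === 'User' && a.principalId === userObjectId;
    (direct ? out.direct : out.viaGroup).push(a.resourceDisplayName);
    if (a.appRoleId === DEFAULT_ROLE) out.defaultRole.push(a.resourceDisplayName);
  }
  return out;
}

// Constructed sample pages; the second entry is a made-up group assignment.
const USER = 'cdb555e3-b33e-4fd5-a427-17fadacbdfa7';
const PAGES = {
  first: { value: [{ appRoleId: DEFAULT_ROLE, principalId: USER, principalType: 'User',
    resourceDisplayName: 'dxprovisioning-graphapi-client' }], '@odata.nextLink': 'second' },
  second: { value: [{ appRoleId: '11111111-1111-1111-1111-111111111111',
    principalId: '22222222-2222-2222-2222-222222222222', principalType: 'Group',
    resourceDisplayName: 'constructed-hr-app' }] },
};
const sampleGetJson = async (url) => PAGES[url];
listAll(sampleGetJson, 'first').then((all) => console.log(review(USER, all)));
```

Because the review only reads, the lower-privileged permissions in the table above are enough; AppRoleAssignment.ReadWrite.All is not needed for it.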