Skip to content
Griffin31 Help Center

Script to Export App Role Assignments for Azure AD Integrated Applications to CSV

Azure AD App Role Assignments Export Script

Section titled “Azure AD App Role Assignments Export Script”

Overview

Section titled “Overview”

This script connects to the Microsoft Graph API to retrieve comprehensive app role assignment data for Azure AD integrated applications. It specifically targets service principals tagged as “WindowsAzureActiveDirectoryIntegratedApp” and exports detailed assignment information to CSV format for auditing and management purposes.

Key Features

Section titled “Key Features”
FeatureCapabilityBusiness Value
Targeted App DiscoveryFilters service principals by ‘WindowsAzureActiveDirectoryIntegratedApp’ tagFocuses on relevant enterprise applications only
Enabled App FilteringProcesses only active applicationsEliminates inactive/deprecated app data
Role Assignment ExtractionRetrieves AppRoleId, ResourceDisplayName, PrincipalId, PrincipalDisplayName, PrincipalTypeProvides complete assignment context
CSV ExportStructured data export to desktopEnables easy analysis and reporting

Script Requirements

Section titled “Script Requirements”

Ideal for: Azure AD administrators, security auditors, and compliance teams

Prerequisites:

  • Microsoft Graph PowerShell SDK installed
  • Global Administrator or Application Administrator role
  • App Registration with required API permissions

Implementation

Section titled “Implementation”
Terminal window
$ExportPath = "$home\Desktop\EntAppAssignment.csv"


# Connect to Microsoft Graph API
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -TenantId ""


try {
    # Get all service principals with tag 'WindowsAzureActiveDirectoryIntegratedApp'
    $allApps = Get-MgServicePrincipal -All -Filter "tags/Any(x:x eq 'WindowsAzureActiveDirectoryIntegratedApp')"


    # Filter out only enabled apps
    $allEnabledApps = $allApps | Where-Object AccountEnabled


    $output = @()
    foreach ($App in $allEnabledApps) {
        if ($App.AppRoleAssignmentRequired) {
            # Get app role assignments for apps with 'AppRoleAssignmentRequired' set to true
            $appRoleAssignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $App.Id |
                                  Select-Object -Property AppRoleId, ResourceDisplayName, PrincipalId, PrincipalDisplayName, PrincipalType
            $output += $appRoleAssignments
        }
    }


    # Export the data to a CSV file
    $output | Export-Csv -Path $ExportPath -NoTypeInformation
    Write-Output "App role assignments exported to $ExportPath successfully."
}
catch {
    Write-Output "An error occurred: $($_.Exception.Message)"
}

Output Structure

Section titled “Output Structure”

The generated CSV contains the following columns:

ColumnDescription
AppRoleIdUnique identifier for the application role
ResourceDisplayNameName of the application resource
PrincipalIdUnique identifier of the assigned principal
PrincipalDisplayNameDisplay name of the assigned principal
PrincipalTypeType of principal (User, Group, Service Principal)

Usage Scenarios

Section titled “Usage Scenarios”

Compliance Auditing

Section titled “Compliance Auditing”
  • Review application access permissions
  • Generate reports for security assessments
  • Track role assignment changes over time

Access Management

Section titled “Access Management”
  • Identify orphaned role assignments
  • Clean up unnecessary permissions
  • Document current access state

Key Takeaway: This script provides essential visibility into Azure AD application role assignments, enabling better security governance and compliance management through automated reporting capabilities.