
Script to Export App Role Assignments for Azure AD Integrated Applications to CSV

Azure AD App Role Assignments Export Script


This script connects to the Microsoft Graph API to retrieve app role assignment data for Azure AD (Microsoft Entra ID) integrated applications. It targets service principals tagged 'WindowsAzureActiveDirectoryIntegratedApp' (the tag the Enterprise applications blade filters on), keeps only those that are enabled and have "User assignment required" turned on, and exports every assignment to CSV for auditing and access reviews. Note the scope of that last filter: enabled apps with assignment not required are skipped entirely. They may still carry explicit assignments and, more importantly, any user in the tenant can sign in to them, so they need a separate review rather than being read as "no access".


Feature                    | Capability                                                                                    | Business value
Targeted app discovery     | Filters service principals by the 'WindowsAzureActiveDirectoryIntegratedApp' tag              | Focuses on enterprise applications only
Enabled app filtering      | Processes only enabled (AccountEnabled) applications                                          | Excludes disabled or deprecated apps from the report
Role assignment extraction | Retrieves AppRoleId, ResourceDisplayName, PrincipalId, PrincipalDisplayName and PrincipalType | Provides complete assignment context
CSV export                 | Writes the structured data to a CSV file on the desktop                                       | Enables easy analysis and reporting

Ideal for: Azure AD administrators, security auditors, and compliance teams

Prerequisites:

  • Microsoft Graph PowerShell SDK installed (Install-Module Microsoft.Graph)
  • An account that can read applications and service principals. A read-only role such as Global Reader is sufficient for an export; Global Administrator or Application Administrator is not required and, by least privilege, should not be used for a read-only audit
  • Consent to the Application.Read.All and Directory.Read.All delegated scopes. With Connect-MgGraph -Scopes the sign-in is delegated through the Microsoft Graph Command Line Tools enterprise app, which prompts for that consent; a separate app registration is only needed if the script is to run unattended with app-only authentication

$ExportPath = "$home\Desktop\EntAppAssignment.csv"
$TenantId   = "<tenant-id>"   # tenant GUID or primary domain, so a multi-tenant account does not land in the wrong directory

# Connect to Microsoft Graph with read-only delegated scopes
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -TenantId $TenantId

try {
    # Get all service principals tagged 'WindowsAzureActiveDirectoryIntegratedApp' (-All follows every result page)
    $allApps = Get-MgServicePrincipal -All -Filter "tags/Any(x:x eq 'WindowsAzureActiveDirectoryIntegratedApp')"

    # Keep only enabled apps
    $allEnabledApps = $allApps | Where-Object AccountEnabled

    $output = [System.Collections.Generic.List[object]]::new()
    foreach ($App in $allEnabledApps) {
        if ($App.AppRoleAssignmentRequired) {
            # Get app role assignments for apps with 'AppRoleAssignmentRequired' set to true.
            # -All is needed here as well: without it only the first page of assignments is returned
            # and a large app silently loses rows in the export.
            $appRoleAssignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $App.Id -All |
                Select-Object -Property AppRoleId, ResourceDisplayName, PrincipalId, PrincipalDisplayName, PrincipalType
            foreach ($assignment in $appRoleAssignments) { $output.Add($assignment) }
        }
    }

    # Export the data to a CSV file
    $output | Export-Csv -Path $ExportPath -NoTypeInformation
    Write-Output "App role assignments exported to $ExportPath successfully."
}
catch {
    Write-Error "An error occurred: $($_.Exception.Message)"
}
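The export above only contains a GUID per role and omits every app that does not enforce assignment. The following is an added example, not the page's script, showing how a broader report can be built from the same two cmdlets: it covers every enabled integrated app, records whether assignment is enforced, resolves each AppRoleId to the role's display name from the resource service principal's AppRoles, and emits a marker row for open apps with no assignments. It assumes an existing Connect-MgGraph session with the Application.Read.All and Directory.Read.All scopes; the output path and the 'AllUsers' marker value are assumptions of this example, not Graph values.

```powershell
# Added example (not part of the original script). Assumes Connect-MgGraph has already been
# run with the Application.Read.All and Directory.Read.All scopes.
$ExportPath    = "$home\Desktop\EntAppAssignment-Detailed.csv"   # assumed output path
$DefaultRoleId = '00000000-0000-0000-0000-000000000000'          # Graph's built-in "default access" role

$apps = Get-MgServicePrincipal -All -Filter "tags/Any(x:x eq 'WindowsAzureActiveDirectoryIntegratedApp')" |
    Where-Object AccountEnabled

$rows = [System.Collections.Generic.List[object]]::new()
foreach ($app in $apps) {
    # App roles are defined on the resource service principal itself, so one lookup table
    # per app is enough to turn the GUID in each assignment into a readable name.
    $roleNames = @{}
    foreach ($role in $app.AppRoles) { $roleNames[$role.Id] = $role.DisplayName }

    # -All follows paging; without it only the first page of assignments comes back.
    $assignments = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $app.Id -All)

    foreach ($a in $assignments) {
        if ($a.AppRoleId -eq $DefaultRoleId)           { $roleName = 'Default Access' }
        elseif ($roleNames.ContainsKey($a.AppRoleId))  { $roleName = $roleNames[$a.AppRoleId] }
        else                                           { $roleName = 'Unknown role' }   # not among the resource's current AppRoles

        $rows.Add([pscustomobject]@{
            ResourceDisplayName  = $a.ResourceDisplayName
            AssignmentRequired   = $app.AppRoleAssignmentRequired
            PrincipalType        = $a.PrincipalType
            PrincipalDisplayName = $a.PrincipalDisplayName
            PrincipalId          = $a.PrincipalId
            AppRoleId            = $a.AppRoleId
            AppRoleName          = $roleName
            CreatedDateTime      = $a.CreatedDateTime
        })
    }

    # An enabled app with "User assignment required" off can be signed into by any user in the
    # tenant even when it has no assignments at all; emit a marker row so it is visible in the report.
    # 'AllUsers' is this example's own marker value, not something Graph returns.
    if (-not $app.AppRoleAssignmentRequired -and $assignments.Count -eq 0) {
        $rows.Add([pscustomobject]@{
            ResourceDisplayName  = $app.DisplayName
            AssignmentRequired   = $false
            PrincipalType        = 'AllUsers'
            PrincipalDisplayName = '(no explicit assignments)'
            PrincipalId          = $null
            AppRoleId            = $null
            AppRoleName          = $null
            CreatedDateTime      = $null
        })
    }
}

$rows | Sort-Object ResourceDisplayName, PrincipalDisplayName |
    Export-Csv -Path $ExportPath -NoTypeInformation
```

Filtering the resulting CSV on AssignmentRequired equal to False gives the list of apps that are open to the whole tenant (subject to any Conditional Access policies), which is usually the first thing a reviewer wants to see and exactly what the page's script leaves out.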

The generated CSV contains the following columns:

Column               | Description
AppRoleId            | GUID of the granted app role. The all-zeros GUID 00000000-0000-0000-0000-000000000000 is the default access role used when an app defines no roles of its own; any other value refers to one of the AppRoles defined on the resource service principal, which this export does not resolve to a name
ResourceDisplayName  | Display name of the application (resource service principal) the role belongs to
PrincipalId          | Object ID of the assigned principal
PrincipalDisplayName | Display name of the assigned principal
PrincipalType        | Type of principal: User, Group or ServicePrincipal

Typical uses of the export:

  • Review application access permissions
  • Generate reports for security assessments
  • Track role assignment changes over time by comparing exports from different dates
  • Identify orphaned or stale role assignments
  • Clean up unnecessary permissions
  • Document the current access state
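Tracking changes over time means comparing two exports rather than reading one. The following added example, not part of the original page, diffs the rows of an earlier and a later CSV from the script and reports each assignment that was added or removed. The sample rows are constructed, with made-up GUIDs and names, and stand in for two files you would normally load with Import-Csv; the function name is this example's own.

```powershell
# Added example (not part of the original page): diff two runs of the export.

# Attach a composite key to each row. One principal can hold several roles on the same app,
# so (resource, principal, role) together identify a single assignment.
function Add-AssignmentKey {
    param([Parameter(ValueFromPipeline)] [object] $Row)
    process {
        $Row | Select-Object *, @{
            Name       = 'Key'
            Expression = { '{0}|{1}|{2}' -f $_.ResourceDisplayName, $_.PrincipalId, $_.AppRoleId }
        }
    }
}

function Compare-AppRoleAssignmentExport {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Baseline,   # rows of the earlier export
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Current     # rows of the later export
    )
    $ref  = @($Baseline | Add-AssignmentKey)
    $diff = @($Current  | Add-AssignmentKey)

    # '=>' marks rows only present in the later export (added), '<=' rows only in the earlier one (removed)
    Compare-Object -ReferenceObject $ref -DifferenceObject $diff -Property Key -PassThru |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                Change               = $change
                ResourceDisplayName  = $_.ResourceDisplayName
                PrincipalType        = $_.PrincipalType
                PrincipalDisplayName = $_.PrincipalDisplayName
                PrincipalId          = $_.PrincipalId
                AppRoleId            = $_.AppRoleId
            }
        }
}

# Constructed sample standing in for the earlier export (in practice: Import-Csv .\export-2024-01.csv)
$baseline = @'
AppRoleId,ResourceDisplayName,PrincipalId,PrincipalDisplayName,PrincipalType
00000000-0000-0000-0000-000000000000,Payroll Portal,11111111-1111-1111-1111-111111111111,Alice Example,User
00000000-0000-0000-0000-000000000000,Payroll Portal,22222222-2222-2222-2222-222222222222,Finance Team,Group
'@ | ConvertFrom-Csv

# Constructed sample standing in for the later export: Alice is gone, a group and a service principal are new
$current = @'
AppRoleId,ResourceDisplayName,PrincipalId,PrincipalDisplayName,PrincipalType
00000000-0000-0000-0000-000000000000,Payroll Portal,22222222-2222-2222-2222-222222222222,Finance Team,Group
00000000-0000-0000-0000-000000000000,Payroll Portal,33333333-3333-3333-3333-333333333333,Contractors,Group
00000000-0000-0000-0000-000000000000,Payroll Portal,44444444-4444-4444-4444-444444444444,Payroll Sync App,ServicePrincipal
'@ | ConvertFrom-Csv

Compare-AppRoleAssignmentExport -Baseline $baseline -Current $current | Format-Table -AutoSize
```

The key deliberately uses PrincipalId rather than PrincipalDisplayName, so a renamed user or group is not reported as a removal plus an addition. Rows with Change set to Added are the ones to review: a new group or service principal assignment on a sensitive app is an access grant that a review of the latest export alone would not single out.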

Key Takeaway: This script gives repeatable visibility into which users, groups and service principals hold roles on enterprise applications, which is the raw material for access reviews and compliance reporting; pair it with a check of the apps it skips (those that do not require assignment) for a complete picture.