TenLens
Back to script library
Entra / Microsoft 365 · Applications

Report service principal assignments

Example script to demonstrate how to report the assignments of users and groups to Entra ID enterprise applications.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-MgGraph -NoWelcome -Scopes Directory.Read.All, Application.Read.All

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

param(
    [string] $TenantId = (Get-MgOrganization).Id
)
 
Connect-MgGraph -NoWelcome -Scopes Directory.Read.All, Application.Read.All
 
[array]$ServicePrincipals = Get-MgServicePrincipal -All
 
If ($ServicePrincipals) {
    # This filter finds enterprise apps where app role assignment is required. If you want to report
    # assignments for all enterprise apps, remove the clause that looks for $_.AppRoleAssignmentRequired to be True
    [array]$EnterpriseApps = $ServicePrincipals | Where-Object {$_.AppOwnerOrganizationId -ne $TenantId -and $_.AppRoleAssignmentRequired -eq $True} | `
        Sort-Object DisplayName
    Write-Host ("Analyzing assignments for {0} Enterprise Apps..." -f $EnterpriseApps.count)
    $Report = [System.Collections.Generic.List[Object]]::new()
    $CSVOutputFile = "C:\temp\ServicePrincipalAssignments.CSV"
} Else {
    Write-Host "Can't find any service principals - exiting"; break
}
[int]$i = 0
ForEach ($App in $EnterpriseApps) {
    [array]$Assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $App.Id | `
            Where-Object {$_.PrincipalType -ne 'ServicePrincipal'}
    If ($Assignments) {
        $i++
        Write-Host ("Found assignments for {0}" -f $App.DisplayName)
        ForEach ($Assignment in $Assignments) {
            $ReportLine = [PSCustomObject]@{
                TimeStamp   = $Assignment.CreatedDateTime
                Id          = $Assignment.Id
                DisplayName = $Assignment.PrincipalDisplayName
                UserId      = $Assignment.PrincipalId
                Type        = $Assignment.PrincipalType
                Resource    = $Assignment.ResourceDisplayName
                ResourceId  = $Assignment.ResourceId
            }
            $Report.Add($ReportLine)
        }
    }
}
 
$Report | Select-Object Resource, DisplayName, TimeStamp, Id, ResourceId | Out-GridView
Write-Host ("Found {0} assignments - data available in {1}" -f $i, $CSVOutputFile)
$Report | Export-CSV -NoTypeInformation $CSVOutputFile

Parameters

ParameterDefaultNotes
-TenantId(Get-MgOrganization).IdMicrosoft Entra tenant ID for app-only Graph authentication.
Attribution
Author
Office365itpros
Related scripts
Entra / Microsoft 365 · Exchange Online

Add contacts to mailboxes

Copies organizational contacts from a SharePoint list into Exchange user mailboxes for newly licensed users, using app-only Microsoft Graph permissions.

Entra / Microsoft 365 · Applications

Add owners to apps

Finds Entra ID app registrations without owners and assigns the last modifier or creator as owner, using unified audit log records to identify who last managed each app.

Entra / Microsoft 365 · Teams

Add Teams to group expiration policy

Adds Microsoft Teams whose backing groups are not yet covered by the Microsoft 365 group expiration policy.