2
votes

I can see how to query appRoleAssignments for a given user in AAD Graph:

https://graph.windows.net/{my-tenant}/users/{user-guid}/appRoleAssignments

But I can't find a way to retrieve all appRoleAssignments within the domain. My use case is Power BI (reporting tool) and, while I could fetch all the apps, all the users, and then run a query per user, this would be very expensive given the thousands of users and apps.

Ideally, I'd retrieve all the apps (check), all the users (check) and all the appRoleAssignments to link them (this question).

Tried this: https://graph.microsoft.com/beta/appRoleAssignments

But get back:

Direct queries to this resource type are not supported.

Tried this: https://graph.windows.net/{tenant}/appRoleAssignments

But get this:

Resource not found for the segment 'appRoleAssignments'


3 Answers

2
votes

The appRoleAssignment resource cannot be queried across the entire tenant. It needs to be scoped to a parent resource, either a user, a servicePrincipal, or a group.

Thinking outside the box, you might be able to compile a collection without as much overhead as you expected. To do this, you'd need to store it outside the AD and periodically refresh the data set.

If you're generally primarily concerned with the user assignments, you could try using /delta queries against the user resource list. This would let you only retrieve user resources that have been changed. Once you have a user, you can retrieve the appRoleAssignment resources for them and store them in your external data store.

For the list of potential appRole resources that might be assigned to a given user, you can get this by retrieving the list of application resources from the tenant and looking at the appRoles property (/beta/applications?$select=appRoles).

For near-real-time changes, you can use the /beta/users/delta and then periodically poll both user and application collections to fully refresh the larger data set.

Keep in mind that this isn't something I've attempted to POC so there may be issues I'm not considering. It is entirely within the /beta endpoint which means API behavior and data sets could change at any time and without warning. That said, it's a very interesting thought exercise. I'd be curious to hear where you end up with this.


Just to clarify for anyone who might surface this in a search, Azure AD Graph and Microsoft Graph are two separate APIs and use different permission scopes and syntax. In general, developers should be using Microsoft Graph wherever possible as it will eventually supplant the older Azure AD Graph.

2
votes

I'm not able to upvote or mark an answer as I'm deemed too lowly of reputation to do so. Anyways, big thanks to Marc Lafleur who sent me in the right direction. There seems to be no way to retrieve the app/users list separately, but expanding the appRoleAssignments on the /users call to the Azure Graph API does the trick. Note that there seems no comparable way to do this with the newer Microsoft Graph API :(

This was the call that started the magic working for me:

https://graph.windows.net/my-tenant/users?$expand=appRoleAssignments

0
votes

This works for me ... (Classic Graph)

https://graph.windows.net/{tenant-id-AsGuid-NoBraces}/users/{UserId-AsGuid-NoBraces}/appRoleAssignments?api-version=1.6

The response will be in the user's context - so the user will be the principalId.

The application Id will be in the resourceId - This is NOT the application id. This is the objectId that the app registration points to.

(Comments about your situation) Your general dilemma about trying to get the "all list" by querying across all users seems like a real problem at first. I avoided this by using a known list. The reason I chose to use a known list is that there are many other applications in our environment that my app has no knowledge or operational authority to list or manipulate via code. I only work against a known target list of app registrations and their underlying object id. So this is how I avoid your general dilemma.

The Azure Portal (in my case) shows me the underlying ids I need to know about to add to my app specific registrations list.

It is possible this API will work for you - I chose not to use it - but I can't remember why.

https://graph.windows.net/{tenant-id-AsGuid-NoBraces}/servicePrincipals/{AppOBJECTID-AsGuid-NoBraces}/appRolesAssignedTo?api-version=1.6
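Putting the two approaches together (the $expand=appRoleAssignments call from the accepted answer and the known-list filter from the answer above), here is an added example that is not from any of the posters: it walks the paged /users?$expand=appRoleAssignments response and builds a resourceId (service principal objectId) to user/role map, optionally restricted to a known list of service principals. The HTTP call is replaced by a page-fetching callable and the response pages are constructed samples in the Azure AD Graph v1.6 shape, so it runs offline.

```python
"""Tenant-wide user -> app role map from Azure AD Graph's
/users?$expand=appRoleAssignments&api-version=1.6 pages (added example).
Assumes the v1.6 page shape: a "value" array plus an "odata.nextLink"
string while more pages remain. fetch_page stands in for the HTTP GET."""
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample pages; ids and names are invented, only the shape matters.
SAMPLE_PAGES = {
    None: {
        "value": [
            {"objectId": "u1", "userPrincipalName": "alice@example.com",
             "appRoleAssignments": [
                 {"resourceId": "sp-finance", "id": "role-admin", "principalType": "User"},
                 {"resourceId": "sp-hr", "id": "role-reader", "principalType": "User"}]},
        ],
        "odata.nextLink": "directoryObjects/$/Microsoft.DirectoryServices.User?$skiptoken=X",
    },
    "directoryObjects/$/Microsoft.DirectoryServices.User?$skiptoken=X": {
        "value": [
            {"objectId": "u2", "userPrincipalName": "bob@example.com",
             "appRoleAssignments": [
                 {"resourceId": "sp-finance", "id": "role-reader", "principalType": "User"}]},
            {"objectId": "u3", "userPrincipalName": "carol@example.com",
             "appRoleAssignments": []},
        ],
    },
}


def fetch_sample_page(next_link: Optional[str]) -> dict:
    """Stand-in for GET of the first page (None) or of an odata.nextLink."""
    return SAMPLE_PAGES[next_link]


def collect_assignments(fetch_page: Callable[[Optional[str]], dict],
                        known_resources: Optional[Dict[str, str]] = None
                        ) -> Dict[str, List[Tuple[str, str]]]:
    """Walk every page; return {resourceId: [(userPrincipalName, appRoleId)]}.
    resourceId is the servicePrincipal objectId, not the application (client) id.
    If known_resources (objectId -> display name) is given, assignments to service
    principals outside that list are skipped, as the third answer does."""
    by_resource: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    next_link = None
    while True:
        page = fetch_page(next_link)
        for user in page.get("value", []):
            for a in user.get("appRoleAssignments", []):
                rid = a["resourceId"]
                if known_resources is not None and rid not in known_resources:
                    continue  # not one of the apps we audit
                by_resource[rid].append((user["userPrincipalName"], a["id"]))
        next_link = page.get("odata.nextLink")  # absent or empty on the last page
        if not next_link:
            return dict(by_resource)
```

The resulting map is what an access review needs: for each service principal, who holds which appRole, gathered in one paged pass rather than one request per user.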
