2
votes

I am using this call https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01 to get the role assignments of a subscription. The output of this gives principalId and other values.

The question is: how can I differentiate whether the principalId is a user principal or a service principal?

I need this in order to query the Graph API to get the appId (if service principal) or display name and UPN (if user principal).

The Graph API has 2 different calls for this, hence while automating I need to know which one to call based on the object type.

User: https://graph.windows.net/microsoft.com/users/principalid?api-version=1.6

Service Principal: https://graph.windows.net/microsoft.com/servicePrincipals/principalid?api-version=1.6

1
Try both and it's the one that is not a 404? :D Seriously though, seems like there is no property on the role assignment that specifies if it's a user, service principal or a group. Yeah, it can be a group too. - juunas

1 Answer

0
votes

The Graph API has 2 different calls for this, hence while automating I need to know which one to call based on the object type.

Based on my understanding, you could use the Objects - Get Objects By Object Ids REST API to get the objects by principalId; there is no need to make 2 different calls. You could also get the object type from the response.

POST https://graph.windows.net/{tenantID}/getObjectsByObjectIds?api-version=1.6

I tested with 2 principalIds: one is a service principal and the other is a user.

Test Result: [screenshot]
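An added example of the approach in the answer above (not the answerer's code): build one getObjectsByObjectIds request from the role assignment output and dispatch on `objectType` in the response. The request and response field names (`objectIds`, `types`, `objectType`, `objectId`, `appId`, `userPrincipalName`) are assumed from the Azure AD Graph 1.6 API; the GUIDs, names and sample responses are constructed, and no network call is made.

```python
GRAPH = "https://graph.windows.net"  # Azure AD Graph endpoint used on this page
# Constructed sample data: placeholder GUIDs, not real principals.
USER_ID, SP_ID, GONE_ID = ("11111111-1111-1111-1111-111111111111",
                           "22222222-2222-2222-2222-222222222222",
                           "33333333-3333-3333-3333-333333333333")
ROLE_ASSIGNMENTS = {"value": [{"properties": {"principalId": p}}
                              for p in (USER_ID, SP_ID, GONE_ID, SP_ID)]}
GRAPH_RESPONSE = {"value": [
    {"objectType": "User", "objectId": USER_ID, "displayName": "Sample User",
     "userPrincipalName": "sample.user@example.com"},
    {"objectType": "ServicePrincipal", "objectId": SP_ID,
     "displayName": "sample-app", "appId": "44444444-4444-4444-4444-444444444444"},
]}


def build_lookup(tenant_id, role_assignments):
    """One getObjectsByObjectIds request covering every distinct principalId."""
    ids = sorted({a["properties"]["principalId"] for a in role_assignments["value"]})
    url = f"{GRAPH}/{tenant_id}/getObjectsByObjectIds?api-version=1.6"
    return url, {"objectIds": ids, "types": ["user", "group", "servicePrincipal"]}


def classify(requested_ids, graph_response):
    """Map each principalId to its objectType plus the fields the question needs."""
    wanted = {"User": ("displayName", "userPrincipalName"),
              "ServicePrincipal": ("displayName", "appId")}
    found = {o["objectId"]: o for o in graph_response.get("value", [])}
    result = {}
    for pid in requested_ids:
        obj = found.get(pid)
        if obj is None:
            # Nothing returned for this id, e.g. the principal no longer exists
            # in the directory; report it so the assignment can be reviewed.
            result[pid] = {"type": "NotFound"}
            continue
        kind = obj["objectType"]
        fields = wanted.get(kind, ("displayName",))  # groups and other types
        result[pid] = {"type": kind, **{f: obj.get(f) for f in fields}}
    return result


if __name__ == "__main__":
    url, body = build_lookup("{tenantID}", ROLE_ASSIGNMENTS)
    print("POST", url, body)
    for pid, info in classify(body["objectIds"], GRAPH_RESPONSE).items():
        print(pid, info)
```

Role assignments whose principalId comes back as `NotFound` are worth listing separately when auditing a subscription, since the identity behind the grant can no longer be resolved.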