3
votes

I'm building an AD multi-tenant app and in order to get the data regarding who is assigned to what role within their tenant, I need to query an endpoint that requires a service principal ID. This ID is unique per tenant and I'm trying to fill it in the API link dynamically, just not sure where to get this per tenant.

The API endpoint I'm trying to query:

https://graph.windows.net/{ tenantID }/servicePrincipals/{ service Principal ID to be inserted }/appRoleAssignedTo?api-version=1.6

I've been looking through documentation all day but I can't seem to find a way to get this in a dynamic way per tenant.


2 Answers

1
votes

This ID is unique per tenant and I'm trying to fill it in the API link dynamically, just not sure where to get this per tenant.

You are correct that this Service Principal ID is unique per tenant. So the way to query it will be using a property that will not change across all tenants.

As you mention, it's a multi-tenant application, so you can use the "appId" of the original application. The appId property will be the same for all service principals created across any tenant for this application.

$filter=appId eq '{GUID appId for application}'

Here is a query that I tested with in Azure AD Graph Explorer, with api-version selected as 1.6 in the version dropdown:

https://graph.windows.net/{tenantName or tenantID}/servicePrincipals?$filter=appId eq '{GUID appId for application}'

So this query can be executed before the other one to get Service Principal ID for a particular tenant, which you can pass into the next query and then find AppRoleAssignments.

0
votes

@Rohit's answer works and is the solution, but I just wanted to provide an alternative -- which is the way I've ended up retrieving that tenant Object ID: querying the following API endpoint:

https://graph.windows.net/myorganization/servicePrincipalsByAppId/{ appId of the AD app }/objectId?api-version=1.6

The app ID will be that of the main multi-tenant app registered with the developer's AD group, always the same under every tenant. You can also get it from the token dynamically as the value of the key called 'aud'. This will retrieve a JSON object which will have a key 'value' whose value will contain the unique servicePrincipal under that tenant.
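Putting the two answers together, as an added example that is code from neither answer: the Python below builds the $filter lookup URL from the first answer and the servicePrincipalsByAppId URL from the second, parses each response shape to obtain the tenant-specific service principal objectId, and fills that into the appRoleAssignedTo endpoint from the question. The tenant name, the GUIDs, the sample response and all function names are constructed for illustration; the HTTP call itself (a GET with the bearer token in the Authorization header) is left out. Because the appId may be lifted from the token's 'aud' claim at runtime, the helper accepts only GUID-shaped values before splicing them into the OData filter.

```python
import json
import re
from urllib.parse import quote, urlencode

GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"
# GUIDs only: stops a token- or request-supplied value being spliced into $filter unchecked.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def validate_guid(value):
    if not GUID_RE.match(value):
        raise ValueError(f"not a GUID: {value!r}")
    return value.lower()

def tenant_base(tenant):
    # tenant is the tenant ID or the tenantName (assumed, e.g. contoso.onmicrosoft.com)
    return f"{GRAPH}/{quote(tenant, safe='')}"

def service_principal_lookup_url(tenant, app_id):
    """Step 1 (first answer): $filter on the tenant-independent appId; urlencode()
    escapes the quotes and spaces so the filter survives as one query parameter."""
    params = urlencode({"api-version": API_VERSION,
                        "$filter": f"appId eq '{validate_guid(app_id)}'"}, quote_via=quote)
    return f"{tenant_base(tenant)}/servicePrincipals?{params}"

def service_principal_by_app_id_url(tenant, app_id):
    """Step 1, alternative (second answer): the endpoint returns only the objectId."""
    return (f"{tenant_base(tenant)}/servicePrincipalsByAppId/"
            f"{validate_guid(app_id)}/objectId?api-version={API_VERSION}")

def app_role_assignments_url(tenant, sp_object_id):
    """Step 2: the endpoint from the question, with the looked-up objectId filled in."""
    return (f"{tenant_base(tenant)}/servicePrincipals/"
            f"{validate_guid(sp_object_id)}/appRoleAssignedTo?api-version={API_VERSION}")

def sp_id_from_filter_response(body):
    """One multi-tenant appId maps to one service principal per tenant, so the
    $filter response must hold exactly one entry; anything else is an error."""
    matches = json.loads(body).get("value", [])
    if len(matches) != 1:
        raise LookupError(f"expected 1 service principal, got {len(matches)}")
    return validate_guid(matches[0]["objectId"])

def sp_id_from_by_app_id_response(body):
    """In the .../objectId response, 'value' is the id itself."""
    return validate_guid(json.loads(body)["value"])

# Constructed sample in the shape of a Graph 1.6 collection response (not real data).
SAMPLE_FILTER_RESPONSE = json.dumps({"value": [{"objectId": "11111111-2222-3333-4444-555555555555",
    "appId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "displayName": "Example multi-tenant app"}]})
```

Chain it as `sp = sp_id_from_filter_response(body_of(service_principal_lookup_url(tenant, app_id)))` and then request `app_role_assignments_url(tenant, sp)`, where `body_of` is whatever authenticated HTTP helper your app already uses.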