Role Count using Graph Api against a tenant


Is there a way to find each role that exists against a tenant and number of users which have been assigned against each role using GraphServiceClient or GraphConnection class? I am using C#.







c# azure azure-active-directory microsoft-graph azure-ad-graph-api






edited Mar 9 at 7:06 by Rohit Saigal

asked Mar 8 at 22:30 by FIre Panda












  • In your question you have mentioned GraphServiceClient but you had originally tagged only Azure AD Graph API and not Microsoft Graph API. Same way your comment on my other post.. stackoverflow.com/questions/52931467/… mentions graph.windows.net, so I'm not sure which one you're looking for and hence I did both.

    – Rohit Saigal
    Mar 9 at 7:08


















1 Answer
Directory Roles - Finding all directory roles and count of their members for tenant



I have given sample code for both Microsoft Graph API (https://graph.microsoft.com) as well as Azure AD Graph API (https://graph.windows.net), but it would be strongly recommended to use newer Microsoft Graph API unless there is something specific that you aren't able to get from it and only then look at Azure AD Graph API.



Look here for more detailed comparisons: Microsoft Graph or Azure AD Graph

Here are NuGet package and class details, as you've asked in comments:

  • Microsoft.Graph NuGet package - to work with Microsoft Graph API and use GraphServiceClient class.

  • Microsoft.Azure.ActiveDirectory.GraphClient NuGet package - to work with Azure AD Graph API and use ActiveDirectoryClient class.


Microsoft Graph API



APIs - List directoryRoles and List members



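    // Directory roles in the tenant (first page of results)
    var roles = await graphServiceClient.DirectoryRoles.Request().GetAsync();

    // Members of one role; `role` is an element of `roles`
    var members = await graphServiceClient.DirectoryRoles[role.Id].Members.Request().GetAsync();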


Azure AD Graph API



APIs - Get Directory Roles and Get a directory role's members



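    // Directory roles in the tenant (paged collection)
    var directoryRoles = await activeDirectoryClient.DirectoryRoles.ExecuteAsync();

    // Members of one role; `role` is an element of directoryRoles.CurrentPage
    var members = await activeDirectoryClient.DirectoryRoles[role.ObjectId].Members.ExecuteAsync();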


NOTE: While testing code I also noticed a slight difference in behavior of the 2 APIs. Microsoft Graph only returns Users when you ask for members of a directory role. Azure AD Graph on the other hand returned both users and service principals. See my code for a special check in case of Azure AD Graph.



Also note that many of the results you get will be paginated collections, so you may need to handle pagination in case of multiple pages of results.




Application Roles - Finding all Application Roles for an application and then finding Number of users through App Role Assignments.



Application Roles are specific to an application registered in Azure AD. Role Assignments collection for that application can be read by going through the service principal for that application in the tenant.



Azure AD Graph API



App Roles



    // App roles are defined on the application object; "<applicationObjectId>" is a placeholder
    var app = activeDirectoryClient.Applications["<applicationObjectId>"].ExecuteAsync().Result;
    var appRoles = app.AppRoles;


App Role Assignments



    ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(
        new Uri("https://graph.windows.net/<tenantGuid>"),
        async () => await GetTokenForApplication());

    // Assignments are read through the application's service principal in the tenant
    var servicePrincipal = activeDirectoryClient.ServicePrincipals.Where(x => x.AppId == "<applicationId>").ExecuteAsync().Result.CurrentPage[0];
    var appRoleAssignments = activeDirectoryClient.ServicePrincipals[servicePrincipal.ObjectId].AppRoleAssignedTo.ExecuteAsync().Result;
    int userCountForApp = 0;

    // CurrentPage holds only the first page of results
    foreach (var appRoleAssignment in appRoleAssignments.CurrentPage)
    {
        if (appRoleAssignment.PrincipalType == "User")
        {
            userCountForApp++;
            Console.WriteLine("Role Id = {0} and User Name = {1}", appRoleAssignment.Id, appRoleAssignment.PrincipalDisplayName);
        }
    }




Microsoft Graph API



The ability to read all application specific roles assigned to a user (i.e. AppRoleAssignments) is only available as part of Microsoft Graph API beta endpoint. So it's not stable enough to be used in production code and you won't find Client SDK support for C#. Read more specific points in this SO Post by Marc LaFleur



Here are the relevant APIs though:



  • AppRoleAssignments

  • AppRoles














edited Mar 11 at 23:37

answered Mar 9 at 5:52 by Rohit Saigal












  • What package do I need to install to get ActiveDirectoryClient? The class which I have is GraphConnection and that doesn't seem to have Applications property.

    – FIre Panda
    Mar 11 at 21:47











  • Also, when I try to call graph.microsoft.com/v1.0/deviceManagement/roleDefinitions using graph explorer, I am getting Request not applicable to target tenant.

    – FIre Panda
    Mar 11 at 23:20











  • @FIrePanda Microsoft.Azure.ActiveDirectory.GraphClient nuget package to work with Azure AD Graph API and use ActiveDirectoryClient class. Microsoft.Graph package to work with Microsoft Graph API and use GraphServiceClient class. Also, can you please clarify which roles you're interested in? Directory roles assigned to users or some registered Application specific roles assigned to users?

    – Rohit Saigal
    Mar 11 at 23:31












  • So, what is the difference between directory roles and app roles?

    – FIre Panda
    Mar 12 at 20:03






  • I think my comment about Pagination is for AppRoleAssignments collection as that's what I was working on first while answering, but later realized you're probably looking for directory roles.. take a look at the code where I use foreach(var appRoleAssignment in appRoleAssignments.CurrentPage) Docs link you have for paging about directory roles seems valid.. also AFAIK number of directory role templates is pretty small, so no paging would make sense.

    – Rohit Saigal
    Mar 25 at 23:15
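
Added example (not part of the original answer or comments): a per-role member count over Microsoft Graph `directoryRoles` that follows `@odata.nextLink`, so an audit of who holds each directory role does not stop at the first page. The JSON pages, ids, role names and skip token are constructed, and `fetch` is a hypothetical stand-in for an authenticated HTTP GET.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

static class RoleCount
{
    const string Base = "https://graph.microsoft.com/v1.0";

    // Constructed sample responses in the shape of Graph collection pages.
    static readonly Dictionary<string, string> Pages = new Dictionary<string, string>
    {
        [Base + "/directoryRoles"] =
            @"{""value"":[{""id"":""r1"",""displayName"":""Sample Role A""},
                         {""id"":""r2"",""displayName"":""Sample Role B""}]}",
        [Base + "/directoryRoles/r1/members"] =
            @"{""value"":[{""id"":""u1""},{""id"":""u2""}],
               ""@odata.nextLink"":""" + Base + @"/directoryRoles/r1/members?$skiptoken=X""}",
        [Base + "/directoryRoles/r1/members?$skiptoken=X"] = @"{""value"":[{""id"":""u3""}]}",
        [Base + "/directoryRoles/r2/members"] = @"{""value"":[]}"
    };

    // Yields every item of a collection, requesting further pages for as long
    // as the response carries an @odata.nextLink.
    static IEnumerable<JsonElement> ReadAll(string url, Func<string, string> fetch)
    {
        while (url != null)
        {
            using var doc = JsonDocument.Parse(fetch(url));
            foreach (var item in doc.RootElement.GetProperty("value").EnumerateArray())
                yield return item.Clone(); // Clone so the item outlives the document
            url = doc.RootElement.TryGetProperty("@odata.nextLink", out var next)
                ? next.GetString()
                : null;
        }
    }

    static void Main()
    {
        // Assumption: in real use this delegate performs the authenticated GET.
        Func<string, string> fetch = u => Pages[u];
        foreach (var role in ReadAll(Base + "/directoryRoles", fetch))
        {
            string id = role.GetProperty("id").GetString();
            string name = role.GetProperty("displayName").GetString();
            int members = 0;
            foreach (var member in ReadAll(Base + "/directoryRoles/" + id + "/members", fetch))
                members++;
            Console.WriteLine(name + ": " + members + " member(s)");
        }
    }
}
```

Counting only the first page would report two members for the first sample role instead of three, which is the gap that iterating a single `CurrentPage` leaves when a collection spans several pages.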
















