servicePrincipals?$expand=appRoleAssignedTo incomplete result
For an inventory script, I use servicePrincipals?$expand=appRoleAssignedTo to get all service principals including “appRoleAssignedTo” info.
To make an inventory of the app role assignments, I loop through all apps (~2250) and for each app, I loop through app roles, and for each app role I loop through appRoleAssignedTo data.
In my environment this results in ~3000 app role assignments.
When I analyze the result, I estimate 5% of role assignments are missing.
I do see all roles, just not all role assignments. When I look up a missing assignment in the Entra portal I do see it.
The missing role assignments aren’t special, they are assigned to normal Entra ID groups like other assigned app roles.
When I rerun the script, the same assignments are missing each time.
When I don’t use the $expand query parameter, but query the data directly using ‘servicePrincipals/{id}/appRoleAssignedTo’, I do get all assignments.
Did I run into a bug?
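A cross-check of the two query forms described in the post, as an added example that is not the poster's script: it pages through both and reports, per service principal, the assignment ids the direct query returns that the `$expand` result lacks. The `get_json` callable (an authenticated GET returning parsed JSON), the `FAKE` responses and all ids are assumptions constructed so the block runs offline.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

def paged(get_json, url):
    """Yield every item of a Graph collection, following @odata.nextLink."""
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def missing_from_expand(get_json):
    """Map servicePrincipal id -> assignment ids absent from the $expand result."""
    missing = {}
    expand_url = f"{GRAPH}/servicePrincipals?$expand=appRoleAssignedTo"
    for sp in paged(get_json, expand_url):
        expanded = {a["id"] for a in sp.get("appRoleAssignedTo", [])}
        direct_url = f"{GRAPH}/servicePrincipals/{sp['id']}/appRoleAssignedTo"
        direct = {a["id"] for a in paged(get_json, direct_url)}
        if direct - expanded:
            missing[sp["id"]] = sorted(direct - expanded)
    return missing

# Constructed responses standing in for Graph; ids and nextLink values are made up.
FAKE = {
    f"{GRAPH}/servicePrincipals?$expand=appRoleAssignedTo": {
        "value": [{"id": "sp-1", "appRoleAssignedTo": [{"id": "a-1"}]}],
        "@odata.nextLink": f"{GRAPH}/servicePrincipals?page=2",
    },
    f"{GRAPH}/servicePrincipals?page=2": {
        "value": [{"id": "sp-2",
                   "appRoleAssignedTo": [{"id": "a-2"}, {"id": "a-3"}]}],
    },
    f"{GRAPH}/servicePrincipals/sp-1/appRoleAssignedTo": {"value": [{"id": "a-1"}]},
    f"{GRAPH}/servicePrincipals/sp-2/appRoleAssignedTo": {
        "value": [{"id": "a-2"}, {"id": "a-3"}],
        "@odata.nextLink": f"{GRAPH}/servicePrincipals/sp-2/appRoleAssignedTo?page=2",
    },
    f"{GRAPH}/servicePrincipals/sp-2/appRoleAssignedTo?page=2": {
        "value": [{"id": "a-4"}],
    },
}

def fake_get_json(url):
    """Offline stand-in for an authenticated Graph GET (assumption)."""
    return FAKE[url]

if __name__ == "__main__":
    for sp_id, ids in missing_from_expand(fake_get_json).items():
        print(sp_id, "missing from $expand:", ids)
```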