
.SYNOPSIS
Get the App roles assigned to the specified object
.DESCRIPTION
Get the App roles assigned to the specified object. The object can be given as a service principal, as a user, or as any directory object ID; the object type is resolved from the ID when it is not supplied explicitly. Each returned entry names the resource, the app-role permission value (for example a Microsoft Graph application permission), whether the role is assigned directly to the object, and — when it is not — the principal through which the assignment is inherited.
.PARAMETER ServicePrincipalId
Specify by the Service Principal (for example its display name, as in the example below). The lookup must resolve to exactly one service principal; an ambiguous identifier is rejected with an error rather than silently picking the first match.
.PARAMETER ObjectId
Specify by any object ID
.PARAMETER ObjectType
Specify the Object type based on Object id specified. When omitted, it is looked up from the directory for the given Object ID.
.PARAMETER UserId
Specify the User
.EXAMPLE
Get-AadAppRolesByObject -ServicePrincipalId 'Contoso App'
ResourceDisplayName : Microsoft Graph
ResourcePermission : User.ReadWrite.All
DirectAssignment : True
GetsAssignmentBy :
Id : ef7d1fa9-1e37-48fd-bb58-ad10a78cbd18
.NOTES
General notes: the output is intended for reviewing which high-privilege application permissions (such as User.ReadWrite.All in the example) are granted to an object. GetsAssignmentBy is only populated when the assignment's PrincipalId differs from the queried object, i.e. the role is not assigned directly; it reads as empty for direct assignments.

function Get-AadAppRolesByObject {
        [Parameter(mandatory=$true, ParameterSetName="ByServicePrincipalId")]

        [Parameter(mandatory=$true, ParameterSetName="ByObjectId")]


        [Parameter(mandatory=$true, ParameterSetName="ByUserId")]

    if($ObjectId -and -not $ObjectType)
        $ObjectType = (
            Invoke-AadCommand -Command {
                Get-AzureADObjectByObjectId -ObjectIds $ObjectId
            } -Parameters $ObjectId

        $sp = (Get-AadServicePrincipal -Id $ServicePrincipalId)
        $ObjectId = $sp.ObjectId

        if($sp.count -gt 1)
            throw "'$ServicePrincipalId' query returned more than one result. Please provide a unique Service Principal Identifier"

        if(-not $ObjectId)
            throw "'$ServicePrincipalId' not found in '$TenantDomain'"

        $ObjectType = "ServicePrincipal"

    $TenantDomain = $Global:AadSupport.Session.TenantDomain

    $AppRoleList = @()

    if($ObjectType -eq "ServicePrincipal")
        $AppRoles = Invoke-AadCommand -Command {
            Get-AzureADServiceAppRoleAssignedTo -ObjectId $ObjectId
        } -Parameters $ObjectId

        $User = (
            Invoke-AadCommand -Command {
                Get-AzureADUser -ObjectId $UserId
            } -Parameters $UserId

        $ObjectId = $User.ObjectId

        if(-not $ObjectId)
            throw "'$UserId' not found in '$TenantDomain'"

        $ObjectType = "User"

    if($ObjectType -eq "User")
        $AppRoles = Invoke-AadCommand -Command {
            Get-AzureADUserAppRoleAssignment -ObjectId $ObjectId
        } -Parameters $ObjectId

    foreach ($AppRole in $AppRoles) {
        if($ObjectId -eq $AppRole.PrincipalId)
            $DirectAssignment = $true
        else {
            $DirectAssignment = $false
            $GetsAssignmentBy = "$($AppRole.PrincipalDisplayName) ($($AppRole.PrincipalId))"

        $resource = (
            Invoke-AadCommand -Command {
                Get-AzureADServicePrincipal -ObjectId $AppRole.ResourceId
            } -Parameters $AppRole
        ).AppRoles | Where-Object { $_.Id -eq $AppRole.Id }

        $AppRoleList += [PSCustomObject]@{
            ResourceDisplayName = $AppRole.ResourceDisplayName;
            ResourcePermission = $resource.Value
            DirectAssignment = $DirectAssignment
            GetsAssignmentBy = $GetsAssignmentBy
            Id = $AppRole.PrincipalId   

    # Output App Roles

    return $AppRoleList