Recipe · Entra ID & Identity

List Users Assigned to an Enterprise Application in Entra ID

Enumerate every user (and group) granted access to a specific enterprise app via the service principal's app role assignments

Complexity

Beginner

Impact

access-review + audit + read-only + identity

Context

Why This Matters

Enterprise applications in Entra ID (such as Workday, Salesforce, ServiceNow, or any SAML/OIDC SaaS app) are exposed to end users through app role assignments on the application's service principal. Knowing exactly who is assigned to an app is a foundational access review task.

Common triggers

  • Access reviews and audit/compliance evidence (SOX, SOC 2, ISO 27001).
  • License reconciliation: matching Entra assignments to SaaS vendor seat counts.
  • Offboarding verification: confirming a departing user has been removed from sensitive apps.
  • Troubleshooting "I can't see the app in My Apps" complaints.
  • Pre-migration inventory before changing group-based assignment or SSO configuration.

Because many tenants have multiple service principals with similar names (e.g. several Workday entries for SSO, provisioning, and companion apps), a correct listing first requires disambiguating which service principal you mean.

Expected Outcomes

After running this recipe you will have

  • The objectId (service principal ID) and appId of the target enterprise application.
  • A complete list of directly assigned principals (users, groups, and service principals) with display name, principal type, and object ID.
  • Optionally, the fully expanded roster of users when groups are assigned (by recursively expanding group membership).
  • Exportable output (CSV/JSON) suitable for access-review evidence or ticket attachments.

Risks & Considerations

Warnings and gotchas

  • Group assignments hide users. appRoleAssignedTo returns the assigned principal. If a group is assigned, you will see the group, not its members. Expand group membership separately if you need the user-level roster.
  • "Assignment required" setting matters. If the service principal has appRoleAssignmentRequired = false, users may sign in without an explicit assignment. The assignment list is then not an authoritative list of actual users.
  • Multiple service principals with similar names. Gallery apps often create companion service principals (e.g. Workday, Workday - Absence Calendar Integration, Workday Peakon Employee Voice). Confirm the appId before assuming you've picked the right one.
  • Deleted/orphaned principals. Assignments may reference principals that no longer exist; handle gracefully.
  • Do not modify assignments while enumerating. Treat this as a read-only task; any cleanup should be a separate, reviewed change.
  • Data sensitivity. Assignment rosters can reveal org structure; store exports per your data-handling policy.
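
To show the whole procedure this recipe describes in one place (disambiguate the service principal by appId, page through appRoleAssignedTo, expand assigned groups recursively, tolerate deleted principals, flag appRoleAssignmentRequired = false, and export CSV), here is an added Python example. It is not part of this recipe and not Dex's code. It assumes a GetJson transport callable that performs an authenticated Microsoft Graph GET and returns None on 404 (token acquisition is out of scope); SAMPLE, its ids, sample_get and demo are constructed stand-ins so the block runs offline. The Graph endpoints and property names it uses (servicePrincipals, appRoleAssignedTo, groups/{id}/members, users/{id}, principalType, principalDisplayName, appRoleAssignmentRequired) are the real ones.

```python
import csv
import io
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Transport abstraction (assumption): an authenticated GET that returns the parsed JSON
# body, or None when Graph answers 404 (the principal behind an assignment was deleted).
GetJson = Callable[[str], Optional[dict]]
FIELDS = ["objectId", "displayName", "upn", "mail", "accountEnabled", "assignedVia"]

def get_all(get: GetJson, url: str) -> List[dict]:
    """Follow @odata.nextLink until every page of a Graph collection has been read."""
    items: List[dict] = []
    while url:
        page = get(url) or {}
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def find_service_principals(get: GetJson, name: str) -> List[dict]:
    """Step 1: every service principal whose displayName starts with `name`; gallery apps
    create companion entries, so the caller must pick one by appId."""
    return get_all(get, f"{GRAPH}/servicePrincipals?$filter=startswith(displayName,'{name}')"
                        "&$select=id,appId,displayName,appRoleAssignmentRequired")

def expand_group(get: GetJson, group_id: str, seen: set) -> List[dict]:
    """Recursively resolve a group's user members; `seen` stops nested-group cycles."""
    if group_id in seen:
        return []
    seen.add(group_id)
    users: List[dict] = []
    for m in get_all(get, f"{GRAPH}/groups/{group_id}/members"):
        if m.get("@odata.type") == "#microsoft.graph.user":
            users.append(m)
        elif m.get("@odata.type") == "#microsoft.graph.group":
            users.extend(expand_group(get, m["id"], seen))
    return users

def user_row(u: dict, via: str) -> dict:
    return dict(zip(FIELDS, (u["id"], u.get("displayName"), u.get("userPrincipalName"),
                             u.get("mail"), u.get("accountEnabled"), via)))

def build_roster(get: GetJson, sp: dict) -> List[dict]:
    """Step 2: read appRoleAssignedTo and emit one row per principal, de-duplicated by object
    id. Users are handled before groups, so someone assigned both ways is reported as direct."""
    assignments = get_all(get, f"{GRAPH}/servicePrincipals/{sp['id']}/appRoleAssignedTo")
    order = {"User": 0, "ServicePrincipal": 1, "Group": 2}
    rows: Dict[str, dict] = {}
    for a in sorted(assignments, key=lambda x: order.get(x.get("principalType"), 3)):
        pid, ptype, pname = a["principalId"], a.get("principalType"), a.get("principalDisplayName")
        if ptype == "User":
            u = get(f"{GRAPH}/users/{pid}")  # None => orphaned assignment, user object is gone
            rows.setdefault(pid, user_row(u, "direct") if u else
                            user_row({"id": pid, "displayName": pname}, "direct (orphaned)"))
        elif ptype == "Group":
            for u in expand_group(get, pid, set()):
                rows.setdefault(u["id"], user_row(u, f"group:{pname}"))
        else:  # service principal (or unknown type): recorded, never expanded
            rows.setdefault(pid, user_row({"id": pid, "displayName": pname}, f"direct ({ptype})"))
    return list(rows.values())

def to_csv(rows: List[dict]) -> str:
    """Step 3: evidence export."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

# Constructed sample tenant standing in for live Graph responses; every id here is made up.
U1 = {"@odata.type": "#microsoft.graph.user", "id": "u-1", "displayName": "Alice",
      "userPrincipalName": "alice@contoso.example", "mail": "alice@contoso.example", "accountEnabled": True}
U2 = {"@odata.type": "#microsoft.graph.user", "id": "u-2", "displayName": "Bob",
      "userPrincipalName": "bob@contoso.example", "mail": None, "accountEnabled": False}
SAMPLE = {
    "/servicePrincipals?$filter=startswith(displayName,'Workday')&$select=id,appId,displayName,appRoleAssignmentRequired":
        {"value": [{"id": "sp-1", "appId": "app-1", "displayName": "Workday", "appRoleAssignmentRequired": True},
                   {"id": "sp-2", "appId": "app-2", "displayName": "Workday - Absence Calendar Integration",
                    "appRoleAssignmentRequired": False}]},
    "/servicePrincipals/sp-1/appRoleAssignedTo": {  # split across two pages to exercise paging
        "value": [{"principalId": "g-1", "principalType": "Group", "principalDisplayName": "HR Staff"},
                  {"principalId": "u-gone", "principalType": "User", "principalDisplayName": "Former Employee"}],
        "@odata.nextLink": GRAPH + "/servicePrincipals/sp-1/appRoleAssignedTo?$skiptoken=p2"},
    "/servicePrincipals/sp-1/appRoleAssignedTo?$skiptoken=p2":
        {"value": [{"principalId": "u-1", "principalType": "User", "principalDisplayName": "Alice"}]},
    "/groups/g-1/members": {"value": [U1, {"@odata.type": "#microsoft.graph.group", "id": "g-2"}]},
    "/groups/g-2/members": {"value": [U2, {"@odata.type": "#microsoft.graph.group", "id": "g-1"}]},  # cycle
    "/users/u-1": U1,  # "/users/u-gone" is absent on purpose, so that lookup returns None (404)
}

def sample_get(url: str) -> Optional[dict]:
    return SAMPLE.get(url.replace(GRAPH, "", 1))

def demo(app_name: str = "Workday", app_id: str = "app-1") -> List[dict]:
    """Pick the service principal by appId, flag a non-authoritative roster, then enumerate."""
    sp = next(c for c in find_service_principals(sample_get, app_name) if c["appId"] == app_id)
    if not sp.get("appRoleAssignmentRequired"):
        print(f"warning: {sp['displayName']} does not require assignment; roster is not authoritative")
    return build_roster(sample_get, sp)
```

Against a live tenant, replace sample_get with a function that attaches the bearer token and returns None on HTTP 404; the permissions listed in the next section are what that token needs. The explicit recursion in expand_group keeps the cycle guard visible; Graph's /groups/{id}/transitiveMembers endpoint returns the same flattened membership in one call if you prefer fewer round trips.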

Required Permissions

Permission              Why It's Needed
Application.Read.All    Read service principal and app role assignment data for all enterprise applications.
Directory.Read.All      Resolve assigned principals (users, groups, service principals) and expand group membership.
User.Read.All           Retrieve user details (UPN, mail, accountEnabled) when enriching the output.
GroupMember.Read.All    Expand group-based assignments to the underlying user roster (optional).

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

List every user assigned to the {app_name} enterprise application in Entra ID. Disambiguate if multiple service principals match the name, expand any assigned groups to their user members, and return a deduplicated roster with UPN, mail, account status, and whether the assignment is direct or via a group.