Get-MgUserAppRoleAssignmentCount: Graph PowerShell Cmdlet

In Microsoft Entra ID, users can be assigned application roles (app roles) to access enterprise applications. While listing every assignment is useful, many scenarios only require a quick count of how many app role assignments a user has.

The Get-MgUserAppRoleAssignmentCount cmdlet is designed for this purpose—it returns a numeric count of app role assignments for a given user, making it lightweight and ideal for audits, reporting, and automation.


i) Cmdlet Syntax

Get-MgUserAppRoleAssignmentCount -UserId <String> [-ConsistencyLevel <String>]

Key Parameters:

  • -UserId: Specifies the user whose app role assignments you want to count.
    You can provide a User Principal Name (UPN) or the Object ID.
  • -ConsistencyLevel: Required for advanced queries. Typically set to eventual.

ii) Usage Examples

Example 1: Providing UserId when prompted by the console

Get-MgUserAppRoleAssignmentCount

Explanation:
When the cmdlet is run without explicitly providing -UserId, the console prompts you to enter the user identifier. After input, it returns the total number of app role assignments for that user.


Example 2: Directly passing UserId with ConsistencyLevel header

Get-MgUserAppRoleAssignmentCount `
    -UserId tks@w4l0s.onmicrosoft.com `
    -ConsistencyLevel Eventual

Explanation:
Returns the total count of app role assignments for the specified user, explicitly passing the user principal name and setting the required consistency level to ensure the query succeeds.


Example 3: Exporting the results to CSV

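# Export-Csv writes object properties; a bare integer has none, so wrap the count in an object first.
$upn = 'tks@w4l0s.onmicrosoft.com'
[pscustomobject]@{
    UserId                 = $upn
    AppRoleAssignmentCount = Get-MgUserAppRoleAssignmentCount -UserId $upn -ConsistencyLevel Eventual
} | Export-Csv "d:/approleassignments2.csv" -NoTypeInformation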

Explanation:
Exports the numeric result to a CSV file. This is useful when collecting counts across users for reporting or audit documentation.
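
Collecting counts across users, as an added example that is not from the original page: it walks every user, records the count or the error returned, and flags accounts for access review. The $Threshold value, the $OutFile path and the "disabled account that still holds assignments" rule are assumptions chosen for illustration.

```powershell
# Added example (not the page's own code). Threshold, output path and review rules are assumptions.
$Threshold = 25                                      # assumed review threshold; tune per tenant
$OutFile   = Join-Path $PWD 'approle-counts.csv'     # assumed output location

# Directory.Read.All is one of the permissions the page lists for this cmdlet.
Connect-MgGraph -Scopes 'Directory.Read.All'

$report = foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled) {
    $row = [ordered]@{
        UserPrincipalName      = $user.UserPrincipalName
        ObjectId               = $user.Id
        AccountEnabled         = $user.AccountEnabled
        AppRoleAssignmentCount = $null
        NeedsReview            = $false
        Error                  = $null
    }
    try {
        # -ErrorAction Stop turns Graph errors (e.g. Request_UnsupportedQuery) into catchable exceptions.
        $count = Get-MgUserAppRoleAssignmentCount -UserId $user.Id `
                     -ConsistencyLevel Eventual -ErrorAction Stop
        $row.AppRoleAssignmentCount = [int]$count

        # Review if the user holds many assignments, or is disabled but still holds any.
        $row.NeedsReview = ($count -ge $Threshold) -or
                           ((-not $user.AccountEnabled) -and ($count -gt 0))
    }
    catch {
        # Keep the failure in the report instead of silently dropping the user.
        $row.Error       = $_.Exception.Message
        $row.NeedsReview = $true
    }
    [pscustomobject]$row
}

# Full report to CSV, highest counts first; flagged rows to the console.
$report | Sort-Object AppRoleAssignmentCount -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation
$report | Where-Object NeedsReview |
    Format-Table UserPrincipalName, AccountEnabled, AppRoleAssignmentCount, Error
```

Rows with a populated Error column are users whose count could not be read; treat them as unverified, not as zero.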


iii) Cmdlet Tips

  • This cmdlet returns only a number, not detailed assignment objects.
    Use Get-MgUserAppRoleAssignment if you need assignment details.
  • Always use -ConsistencyLevel Eventual to avoid query failures.
  • Supports both UPN and Object ID for the -UserId parameter.
  • Ideal for large tenants, as counting is significantly faster than enumerating all assignments.

iv) Possible Errors & Solutions

| Error / Message | Cause | Solution |
|---|---|---|
| Request_UnsupportedQuery | Missing consistency level | Re-run the command with -ConsistencyLevel Eventual. |
| Authorization_RequestDenied | Insufficient permissions | Ensure AppRoleAssignment.Read.All or Directory.Read.All is granted. |
| ResourceNotFound | Invalid UserId | Verify the user’s UPN or object ID. |
| Output is 0 unexpectedly | User has no direct app role assignments | Confirm whether access is granted via group-based assignments instead. |
| Cmdlet not recognized | Microsoft.Graph module missing | Install or update using Install-Module Microsoft.Graph. |

v) Conclusion

The Get-MgUserAppRoleAssignmentCount cmdlet provides a fast and efficient way to determine how many application roles are assigned to a user in Microsoft Entra ID. By returning only a count, it reduces overhead and is well suited for audits, governance checks, and automation workflows where performance and simplicity matter.

