Application roles (AppRoles) play a crucial role in defining authorization within Entra ID applications. Apps without roles may indicate incomplete configuration, lack of proper access control, or potential governance gaps.
This script helps administrators identify applications that do not have any AppRoles defined/assigned, enabling better governance and security posture.
Try the M365Corner Microsoft 365 Reporting Tool: your DIY pack with 20+ out-of-the-box M365 reports for Users, Groups, and Teams.
```powershell
# Connect to Microsoft Graph
Connect-MgGraph -Scopes Application.Read.All
Write-Host "Scanning applications for missing app roles..." -ForegroundColor Cyan

# Get all applications with the AppRoles property
$Applications = Get-MgApplication -All -Property Id,DisplayName,AppId,CreatedDateTime,Description,AppRoles
$Results = @()

foreach ($App in $Applications) {
    # Check if AppRoles exist
    if (-not $App.AppRoles -or $App.AppRoles.Count -eq 0) {
        # Console output (minimal)
        Write-Host "$($App.DisplayName) | $($App.AppId)" -ForegroundColor Yellow
        # Export object (detailed)
        $Results += [PSCustomObject]@{
            ApplicationName = $App.DisplayName
            ApplicationId   = $App.Id
            ClientId        = $App.AppId
            CreatedDate     = $App.CreatedDateTime
            Description     = $App.Description
            AppRoleStatus   = "No App Roles Defined"
        }
    }
}

# Export results
$ExportPath = "C:\Path\Applications_Without_AppRoles_Report.csv"
$Results | Export-Csv $ExportPath -NoTypeInformation
Write-Host "Report exported to $ExportPath" -ForegroundColor Cyan
```
Download this script from our M365Corner GitHub Repo: https://github.com/m365corner/M365Corner-Scripts/tree/main/Entra-Apps-Related-Scripts/List-Entra-Apps-With-No-Roles
| Step | Explanation |
|---|---|
| Connect to Graph | Uses Application.Read.All permission to read application details |
| Fetch Applications | Retrieves all applications along with AppRoles property |
| Iterate Through Apps | Loops through each application in the tenant |
| Check AppRoles | Identifies apps where AppRoles is null or empty |
| Console Output | Displays app name and client ID for quick visibility |
| Build Report Object | Captures key metadata for reporting |
| Export to CSV | Saves the report for auditing and action |
- Include Owner Details
- Combine with Permissions Check
- Filter by Recently Created Apps
- Add Role Assignment Check
- Automate Reporting
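The first and fourth of these ideas (owner details and a role-assignment check) as an added example, written for this page and not taken from the M365Corner repository. It assumes the Microsoft.Graph.Applications module is installed and that Connect-MgGraph -Scopes Application.Read.All has already run; the function and column names are my own.

```powershell
# Added example: extend the report with owner details and a role-assignment
# check for one application object. Assumes Microsoft.Graph.Applications is
# installed and Connect-MgGraph -Scopes Application.Read.All has already run.
function Get-AppRoleGovernanceDetail {
    param(
        [Parameter(Mandatory)] $App   # an object returned by Get-MgApplication
    )
    # Owners: Get-MgApplicationOwner returns directory objects; the UPN (users)
    # or displayName (service principals) lives in AdditionalProperties.
    # @( ) around the pipeline keeps Count at 0 when there are no owners.
    $Owners = @(Get-MgApplicationOwner -ApplicationId $App.Id -All |
        ForEach-Object {
            if ($_.AdditionalProperties['userPrincipalName']) {
                $_.AdditionalProperties['userPrincipalName']
            } else {
                $_.AdditionalProperties['displayName']
            }
        })
    # AppRoles may be $null or an empty array; both mean "no roles defined".
    $RoleCount = if ($App.AppRoles) { $App.AppRoles.Count } else { 0 }
    # Role assignments are recorded on the service principal, not the
    # application object, so look the service principal up by appId first.
    $Sp = Get-MgServicePrincipal -Filter "appId eq '$($App.AppId)'" -Top 1
    $AssignmentCount = 0
    if ($Sp) {
        $AssignmentCount = @(Get-MgServicePrincipalAppRoleAssignedTo `
            -ServicePrincipalId $Sp.Id -All).Count
    }

    [PSCustomObject]@{
        ApplicationName     = $App.DisplayName
        ClientId            = $App.AppId
        CreatedDate         = $App.CreatedDateTime
        OwnerCount          = $Owners.Count
        Owners              = ($Owners -join '; ')
        AppRolesDefined     = $RoleCount
        HasServicePrincipal = [bool]$Sp
        RoleAssignments     = $AssignmentCount
        # No roles and no owners: nobody is accountable for an app that has no
        # authorization model, so these are the first ones to follow up on.
        ReviewFlag          = ($RoleCount -eq 0 -and $Owners.Count -eq 0)
    }
}

# Usage: apply the same "no roles" test as the script above, ownerless first.
Get-MgApplication -All -Property Id,DisplayName,AppId,CreatedDateTime,AppRoles |
    Where-Object { -not $_.AppRoles -or $_.AppRoles.Count -eq 0 } |
    ForEach-Object { Get-AppRoleGovernanceDetail -App $_ } |
    Sort-Object ReviewFlag -Descending |
    Format-Table ApplicationName, OwnerCount, RoleAssignments, ReviewFlag
```

An app with no roles but a non-zero RoleAssignments value has principals assigned to its default access role, which is worth a closer look during a governance review.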
| Question | Answer |
|---|---|
| What are AppRoles? | They define application-level permissions for users or services |
| Is it bad to have no AppRoles? | Not always, but may indicate incomplete or poorly designed apps |
| Does this script check role assignments? | No, it only checks whether roles are defined |
| Can I filter specific apps? | Yes, by modifying the loop conditions |
| Use Case | Description |
|---|---|
| Governance Audits | Identify apps lacking proper role-based access control |
| Security Review | Detect apps with weak authorization design |
| App Cleanup | Remove unused or misconfigured applications |
| Compliance Checks | Ensure apps follow access control standards |
| Development Oversight | Monitor newly created apps for proper configuration |
| Error | Cause | Solution |
|---|---|---|
| Insufficient privileges | Missing Graph permissions | Use Connect-MgGraph -Scopes Application.Read.All; grant admin consent if required. |
| No results returned | All applications have roles defined/assigned. | Validate the environment; remove filters if applied. |
| AppRoles property missing | Property not included in query | Ensure -Property AppRoles is included (already handled in the script). |
| Export path not found | Invalid directory | Update the path C:\Path\Applications_Without_AppRoles_Report.csv; ensure the folder exists. |
This script helps identify Entra ID applications that lack AppRoles, providing valuable insight into potential governance and security gaps.
It's a simple yet effective step toward maintaining a well-structured and secure application environment.
© Created and Maintained by LEARNIT WELL SOLUTIONS. All Rights Reserved.