PowerShell script for returning groups assigned to application


Is there a better way to do this? I want to return the AD groups that are assigned to an Azure AD application. I can find a lot of information on looking at the assigned roles, but not the groups.

The code below looks at all AD groups first and then ultimately checks the application to see if they are applied. Is there a way to check the application directly?

$ApplicationName = "<NameOfApp>"

# Find ALL groups whose display name contains the search text (-All takes a boolean, so pass $true)
$ADGroupList = Get-AzureADGroup -All $true | Where-Object { $_.DisplayName.Contains('<search string>') }

# Loop through each group in the list and output ObjectID, ResourceDisplayName, and PrincipalDisplayName
# for each assignment that targets the specified application
ForEach ($group in $ADGroupList) {
    Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectID | Where-Object { $_.ResourceDisplayName -eq $ApplicationName }
}

There is 1 best solution below


The cmdlet for checking a service principal application role assignment is Get-AzureADServiceAppRoleAssignment.

A sample here:

# The ObjectId must be that of the service principal (enterprise application), not the app registration
$applicationObjectId = (Get-AzureADServicePrincipal -Filter "displayName eq '<NameOfApp>'").ObjectId

Get-AzureADServiceAppRoleAssignment -ObjectId $applicationObjectId | Where-Object { $_.PrincipalType -eq "Group" }
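Building on the accepted answer, the following is an added example (not the asker's or the answerer's code) that wraps the lookup in a function and also reports which app role each group holds, which is what an access review usually needs. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the function name Get-AppAssignedGroups and the parameter name are my own.

```powershell
# Added example: list the groups assigned to an enterprise application
# (service principal) together with the app role each assignment grants.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.
function Get-AppAssignedGroups {
    param(
        [Parameter(Mandatory)]
        [string]$ApplicationName
    )

    # App role assignments hang off the service principal (enterprise app),
    # not the app registration, so resolve the service principal by display name.
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$ApplicationName'"
    if (-not $sp) {
        throw "No service principal named '$ApplicationName' was found."
    }
    if (@($sp).Count -gt 1) {
        throw "Display name '$ApplicationName' is ambiguous; look the service principal up by ObjectId instead."
    }

    # Map app role Ids to their display names so the output shows the role, not a GUID.
    # An all-zero role Id means the default access role of an app that defines no roles.
    $roleNames = @{}
    foreach ($role in $sp.AppRoles) {
        $roleNames[$role.Id.ToString()] = $role.DisplayName
    }

    # -All $true avoids the default page size silently truncating the list.
    Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
        Where-Object { $_.PrincipalType -eq 'Group' } |
        ForEach-Object {
            # On an AppRoleAssignment object, Id is the Id of the assigned app role.
            $roleId = $_.Id.ToString()
            [PSCustomObject]@{
                GroupName  = $_.PrincipalDisplayName
                GroupId    = $_.PrincipalId
                AppRole    = if ($roleNames.ContainsKey($roleId)) { $roleNames[$roleId] } else { 'Default Access' }
                AssignedOn = $_.CreationTimestamp
            }
        }
}

# Usage: replace <NameOfApp> with the enterprise application's display name
Get-AppAssignedGroups -ApplicationName '<NameOfApp>' | Format-Table -AutoSize
```

Two points worth keeping in mind when using this for an access review: the result only covers direct group assignments, so members of nested groups inside an assigned group do not appear as separate rows, and the AzureAD module is on a deprecation path, so the same query on the Microsoft Graph PowerShell SDK is Get-MgServicePrincipalAppRoleAssignedTo against the service principal's Id.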