PowerShell header

How to get the user count for Azure AD Enterprise Application

This post was most recently updated on December 12th, 2022.

3 min read.

Have you ever tried to find out the number of users of an enterprise application in your Office 365 tenant? This could be needed for multiple different reasons: maybe your organization is paying for the app and you want to know who’s actually using it, maybe the usage is required by a company policy and it’s useful to know if the organization’s members are actually using it, or maybe you just want to know about the user adoption of an app.

For apps with under 100 users it’s easy – just open Azure AD and check the user count. For more popular apps, it’s a lot more difficult, however. Azure AD just shows “100+“, which is weirdly useless. Doesn’t warm you much, if you’re wondering if you have 200 or 200 000 users for an app in your organization, right?

However, we can dig out the actual user count with some PowerShell magic!

Problem

If you’re not interested in the background stuff, just jump to the solution by clicking this.

When you have an “Enterprise Application” in your Azure AD, you can easily access its properties from the Azure Portal. However, if you want to find out the number of users using the app, that’s not as straightforward.

Even for less popular apps, you’ll have to be using the right Azure AD instance (there are usually multiple Azure AD instances/directories associated with your Office 365 subscription!) and have permission to access the Azure portal. If you’re using the app to access data in SharePoint Online, see this page on how to access the right Azure AD instance.

For more popular apps (with more than a hundred users), Azure AD will just show “100+” as the user count. It appears you cannot get the actual user count by using the Azure Portal web UI. An interesting solution by Microsoft, that’s for sure!

Solution: Use PowerShell to get the Azure AD user count for the application’s Service Principal

You can luckily achieve this pretty easily with PowerShell! I have a couple of different scripted approaches to show you.

The following scripts get the AAD Service Principal for the Enterprise Application and counts its assignments to different users.

Wait, what – where did the service principal come from?

Since Enterprise Applications are actually registered in another directory (the one their publisher uses), your Azure AD instance just provisions service principals for them in your directory adds required permissions to these principals and then assigns users to these service principals.

We can get the actual user count by counting the number of these assignments. By default, this is equivalent to users, who’ve used the app at least once. In some cases, it’s possible that someone has assigned users to it otherwise (programmatically or by using a script before).

These next few lines of some PowerShell magic should do the trick.

How to get the Azure Ad user count for an Enterprise Application:
Connect-AzureAD
$app_name = "[app display name]"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
$assignments.Count # this row outputs the number of users of the app

Or, like Nathan in the comments points out, you can do this with a one-liner like this:

Get-AzureADServicePrincipal -searchstring "[app display name]" | Get-AzureADServiceAppRoleAssignment | measure

# So, for example you can run this:
Get-AzureADServicePrincipal -searchstring "Office 365 SharePoint Online" | Get-AzureADServiceAppRoleAssignment | measure

The example command above on my test tenant outputs this:

App Role Assignments from the fetched AzureAD Service Principals piped to "measure" -/> outputs count of the principals. And all on one line :)
App Role Assignments from the fetched AzureAD Service Principals piped to “measure” -> outputs count of the principals. And all on one line :)

That’s it. Quick and easy. Hope it helps!


References

mm
5 1 vote
Article Rating
Subscribe
Notify of
guest

3 Comments
most voted
newest oldest
Inline Feedbacks
View all comments