This post was most recently updated on February 4th, 2019.
Have you ever tried to find out the number of users of an enterprise application in your Office 365 tenant? This could be needed for multiple different reasons: maybe your organization is paying for the app and you want to know who’s actually using it, maybe the usage is required by a company policy and it’s useful to know if organization’s members are actually using it, or maybe you just want to know about the user adoption of an app.
For apps with under 100 users it’s easy – just open Azure AD and check the user count. For more popular apps, it’s a lot more difficult, however. Azure AD just shows “100+”, which is weirdly useless. However, with some PowerShell magic, we can dig out the real user count!
When you have an “Enterprise Application” in your Azure AD, you can quite easily access its properties from the Azure Portal. However, if you want to find out the number of users using the app, that’s not as straightforward.
Even for less popular apps, you’ll have to be using the right Azure AD instance (there are usually multiple Azure AD instances/directories associated with your Office 365 subscription!) and have permissions to access the Azure portal. If you’re using the app to access data in SharePoint Online, see this page on how to access the right Azure AD instance.
For more popular apps (with more than a hundred users), Azure AD will just show “100+” as the user count. It appears you cannot get the actual user count by using the Azure Portal web UI. An interesting solution by Microsoft, that’s for sure!
Solution: Use PowerShell to get Azure AD user count for the application’s Service Principal
You can luckily achieve this pretty easily with PowerShell! I have a couple of different scripted approaches to show you.
The following scripts get the AAD Service Principal for the Enterprise Application, and counts its assignments to different users.
Wait, what – where did the service principal come from?
Since Enterprise Applications are actually registered at another directory (the one their publisher uses), your Azure AD instance just provisions service principals for them in your directory, adds required permissions to these principals, and then assigns users to these service principals.
We can get the actual user count by counting the number of these assignments. By default, this is equivalent to users, who’ve used the app at least once. In some cases it’s possible that someone has assigned users to it otherwise (programmatically or by using a script before).
These next few lines of some PowerShell magic should do the trick.
Or, like Nathan in the comments points out, you can do this with a one-liner like this:
Get-AzureADServicePrincipal -searchstring "[app display name]" | Get-AzureADServiceAppRoleAssignment | measure # So, for example you can run this: Get-AzureADServicePrincipal -searchstring "Office 365 SharePoint Online" | Get-AzureADServiceAppRoleAssignment | measure
The example command above on my test tenant outputs this: