Directory Roles - Finding all directory roles and count of their members for tenant

I have given sample code for both Microsoft Graph API (https://graph.microsoft.com) as well as Azure AD Graph API (https://graph.windows.net), but it would be strongly recommended to use newer Microsoft Graph API unless there is something specific that you aren't able to get from it and only then look at Azure AD Graph API.

Look here for more detailed comparisons Microsoft Graph or Azure AD Graph

Here are nuget package and class details, as you've asked in comments:

• Microsoft.Graph nuget package - to work with Microsoft Graph API and use GraphServiceClient class.

• Microsoft.Azure.ActiveDirectory.GraphClient nuget package - to work with Azure AD Graph API and use ActiveDirectoryClient class.

Microsoft Graph API

API's - List directoryRoles and List members

var roles = await graphServiceClient.DirectoryRoles.Request().GetAsync();

var members = graphServiceClient.DirectoryRoles[role.Id].Members.Request().GetAsync();

Azure AD Graph API

API's - Get Directory Roles and Get a directory role's members

var directoryRoles =  activeDirectoryClient.DirectoryRoles.ExecuteAsync();

var members = await activeDirectoryClient.DirectoryRoles[role.ObjectId].Members.ExecuteAsync();

NOTE: While testing code I also noticed a slight difference in behavior of the 2 API's. Microsoft Graph only returns Users when you ask for members of a directory role. Azure AD Graph on the other hand returned both users and service principals. See my code for a special check in case of Azure AD Graph.

Also note that many of the results you get will be paginated collections, so you may need to handle pagination in case of multiple pages of results.

Application Roles - Finding all Application Roles for an application and then finding Number of users through App Role Assignments.

Application Roles are specific to an application registered in Azure AD. Role Assignments collection for that application can be read by going through the service principal for that application in the tenant.

Azure AD Graph API

App Roles

var app = activeDirectoryClient.Applications["<applicationObjectId>"].ExecuteAsync().Result;
var appRoles = app.AppRoles;

App Role Assignments

ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(new Uri("https://graph.windows.net/<tenantGuid>"),
async () => await GetTokenForApplication());

var servicePrincipal = activeDirectoryClient.ServicePrincipals.Where(x => x.AppId == "<applicationId>").ExecuteAsync().Result.CurrentPage[0];
var appRoleAssignments = activeDirectoryClient.ServicePrincipals[servicePrincipal.ObjectId].AppRoleAssignedTo.ExecuteAsync().Result;
int userCountForApp = 0;
foreach(var appRoleAssignment in appRoleAssignments.CurrentPage)
{
    if (appRoleAssignment.PrincipalType == "User")
    {
        userCountForApp++;
        Console.WriteLine("Role Id = {0} and User Name = {1}", appRoleAssignment.Id, appRoleAssignment.PrincipalDisplayName);
    }
}

Microsoft Graph API

The ability to read all application specific roles assigned to a user (i.e. AppRoleAssignments) is only available as part of Microsoft Graph API beta endpoint. So it's not stable enough to be used in production code and you won't find Client SDK support for C#. Read more specific points in this SO Post by Marc LaFleur

Here are the relevant API's though:

• AppRoleAssignments
• AppRoles