Share via

powershell script to check all Entra ID Role Assignment Members

Darren Ramos 40 Reputation points
2024-06-13T11:31:12.8933333+00:00

Hi,

Im checking on how i can manage to get all members of Entra ID Role Assignment and Administrators. when i try to export the file only the Scope with Directory is exported, not all members are exported.

When i tried the Get-AzureADDirectoryRoleMember powershell its give me same result.

Can anyone knows what script i should use or sample script to cater all members of the Entr ID Role.

On this Image only Directory in the Scope i generate. but not the other scope like the Administrative Unit.
User's image

Thank you

PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,272 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,346 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 16,725 Reputation points MVP
    2024-06-13T11:59:29.2166667+00:00

    Try the following

    Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Function to fetch role members considering Administrative Units
function Get-RoleMembers {
    param (
        [string]$roleId,
        [string]$scope = $null
    )
    if ($null -ne $scope) {
        # Fetch members scoped to an Administrative Unit
        $members = Get-MgAdministrativeUnitMember -AdministrativeUnitId $scope
    } else {
        # Fetch members scoped to the entire directory
        $members = Get-MgUser -Filter "assignedRoles/any(x:x/id eq '$roleId')"
    }
    return $members
}
$result = @()
foreach ($assignment in $roleAssignments) {
    $role = $roles | Where-Object {$_.Id -eq $assignment.RoleDefinitionId}
    $members = Get-RoleMembers -roleId $role.Id -scope $assignment.DirectoryScopeId
    foreach ($member in $members) {
        $result += [PSCustomObject]@{
            RoleName = $role.DisplayName
            RoleId = $role.Id
            MemberName = $member.DisplayName
            MemberEmail = $member.UserPrincipalName
            Scope = $assignment.DirectoryScopeId
        }
    }
}
# Export the results to a CSV file
$result | Export-Csv -Path "AzureADRoleAssignments.csv" -NoTypeInformation

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

  2. Vasil Michev 99,126 Reputation points MVP
    2024-06-13T16:47:46.06+00:00

    Here's a ready to use script that covers both direct and eligible (PIM) assignments, including scoped ones: https://www.michev.info/blog/post/5958/reporting-on-entra-id-directory-role-assignments-including-pim

    0 comments