Get eligible and active members of an azure ad group with powershell

Martin Gospodinov 6

Hi all,

In our company we assign group membership through PIM. How can I get all members of a group, both eligible and active?

Tried using Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "<groupID>"

but this returns more than 100 results, while the group has only one eligible and one active member.

Akr ofly 256 Reputation points

2025-01-27T16:41:13.24+00:00

I re-posted it as a comment under the answer below.

1 answer

Vasil Michev 113.8K Reputation points MVP

2023-07-20T18:17:36.9633333+00:00
You can use the Get-MgRoleManagementDirectoryRoleAssignmentSchedule cmdlet from the Graph SDK to cover active role assignments, and the Get-MgRoleManagementDirectoryRoleEligibilitySchedule one to cover eligible ones.

Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All | ? {$_.PrincipalId -eq "fe506ef0-235f-43cf-ae0c-e82f833c3e91"}
Please sign in to rate this answer.
Martin Gospodinov 6 Reputation points

2023-07-20T18:53:52.01+00:00

Unfortunately I've tried that and it gives the roles that are assigned to the group. Like "Teams Administrator", for example. It doesn't give the members of the group.

Vasil Michev 113.8K Reputation points MVP

2023-07-20T19:34:22.06+00:00

It will return an entry for each role assigned to a group, which you can then expand to get the set of members. That's standard Graph behavior, you usually only get an id, and need to make additional calls to surface more data, for example even the UPN of a user is not returned by default via the above cmdlets. You can use $select/$expand to work around this, but the SDK implementation is crap, so it's usually easier to just run another query.

Here's an example:

$aaa = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All -ExpandProperty principal foreach ($a in $aaa) { if ($a.Principal.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.group") { Get-MgGroupMember -GroupId $a.Principal.Id } }

but it gives you almost no advantage in just getting the principalId and passing it to Get-MgDirectoryObjectById/Get-MgGroupMember.

Martin Gospodinov 6 Reputation points

2023-07-20T19:37:36.07+00:00

Get-MgGroupMember returns directly assigned members, not assigned through PIM.

Vasil Michev 113.8K Reputation points MVP

2023-07-20T20:05:52.3533333+00:00

Oh, I see what you mean now. I was throw off track by your use of -ProviderId "aadRoles" above, which led me to believe you wanted the roles part of PIM.

For PIM group membership, use the Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentSchedule and Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule cmdlets.

[23:02:21][O365]# Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentSchedule -Filter "groupId eq '00f475c3-ef4d-41d3-afb1-73d76ab8a9fa'" CreatedDateTime CreatedUsing Id ModifiedDateTime Status AccessId AssignmentType GroupId --------------- ------------ -- ---------------- ------ -------- -------------- ------- 20/07/23 20:03:30 ae0b2e13-c206-4e8a-aa80-daa1c277a722 00f475c3-ef4d-41d3-afb1-73d76ab8a9fa_member_ae0b2e13-c206-4e8a-aa80-daa1c277a722 Provisioned member assigned 00f475c3-…

Martin Gospodinov 6 Reputation points

2023-07-20T20:40:16.51+00:00

Алилуя!

Yep, that's it! Combined with Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule it's exactly the command I was looking for. Thanks!

p.s. How can I mark this as the right answer?

JamesTran-MSFT 36,811 Reputation points Microsoft Employee

2023-07-24T19:39:46.52+00:00

@Martin Gospodinov

I'm glad that @Vasil Michev was able to help resolve your issue if you have any other questions, please let me know.

For more info on how to Accept an answer.

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Akr ofly 256 Reputation points

2025-01-28T12:58:54.1266667+00:00

This does not seem to list any eligible members of any role. I have taken global administrator role as en example, return many entries, but the ID of the global administrator is not one of them. I know that all the operating global administrators we have have an eligible membership to this role.

I cannot seem to get it to work to list the eligible ones.

Any suggestions are extremely appreciated, thank you.....
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Get eligible and active members of an azure ad group with powershell

1 answer

Your answer