PowerShell script to check all Entra ID role assignment members

Darren Ramos 40 Reputation points
2024-06-13T11:31:12.8933333+00:00

Hi,

I'm checking how I can get all members of Entra ID role assignments and administrators. When I try to export the file, only the scope "Directory" is exported, not all members are exported.

When I tried the Get-AzureADDirectoryRoleMember PowerShell cmdlet, it gives me the same result.

Does anyone know what script I should use, or have a sample script, to cater for all members of the Entra ID role?

In this image only "Directory" appears in the Scope column I generate, but not the other scopes like the Administrative Unit.
[image]

Thank you


2 answers

  1. Marcin Policht 18,015 Reputation points MVP
    2024-06-13T11:59:29.2166667+00:00

    Try the following

    Install-Module Microsoft.Graph -Scope CurrentUser
    Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

    # Role definitions and all active role assignments from the unified role
    # management API. Unlike Get-AzureADDirectoryRoleMember, this returns
    # assignments at every scope: DirectoryScopeId is "/" for the whole
    # directory and "/administrativeUnits/<id>" for an Administrative Unit.
    $roles = Get-MgRoleManagementDirectoryRoleDefinition -All
    $roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -All

    # Function to fetch the member of an assignment regardless of its scope.
    # The member is the assignment's principal (user, group or service principal),
    # so it is resolved as a generic directory object; its attributes arrive in
    # AdditionalProperties because the object type is not known in advance.
    function Get-RoleMembers {
        param (
            [string]$principalId
        )
        $members = @(Get-MgDirectoryObject -DirectoryObjectId $principalId)
        return $members
    }
    $result = @()
    foreach ($assignment in $roleAssignments) {
        $role = $roles | Where-Object {$_.Id -eq $assignment.RoleDefinitionId}
        $members = Get-RoleMembers -principalId $assignment.PrincipalId
        foreach ($member in $members) {
            $result += [PSCustomObject]@{
                RoleName    = $role.DisplayName
                RoleId      = $role.Id
                MemberName  = $member.AdditionalProperties['displayName']
                MemberEmail = $member.AdditionalProperties['userPrincipalName']
                MemberType  = $member.AdditionalProperties['@odata.type']
                Scope       = $assignment.DirectoryScopeId
            }
        }
    }
    # Export the results to a CSV file
    $result | Export-Csv -Path "AzureADRoleAssignments.csv" -NoTypeInformation


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
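The reason the asker's export shows only the "Directory" scope is that the legacy Get-AzureADDirectoryRoleMember cmdlet reads the classic directoryRole objects, which only know about tenant-wide membership; assignments scoped to an Administrative Unit (and PIM-eligible assignments) live in the unified role management API and never appear there, so an audit built on the old cmdlet silently misses privileged accounts. The following is an added example, not Marcin's script and not Microsoft's, that reports active and PIM-eligible assignments with the scope resolved to an AU name and group principals expanded to their effective members. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in reader holds the listed permissions (the eligibility query additionally requires PIM to be available in the tenant); Resolve-Scope, Resolve-Principal and Add-Rows are names chosen here.

```powershell
# Added example: audit-friendly export of Entra ID role assignments at all scopes.
# Assumes Microsoft.Graph SDK modules and the permissions requested below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "RoleEligibilitySchedule.Read.Directory",
                        "Directory.Read.All",
                        "AdministrativeUnit.Read.All"

# Role definition id -> display name
$roles = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roles[$_.Id] = $_.DisplayName }

# AU id -> display name, so "/administrativeUnits/<id>" scopes become readable
$aus = @{}
Get-MgAdministrativeUnit -All |
    ForEach-Object { $aus[$_.Id] = $_.DisplayName }

function Resolve-Scope {
    param([string]$DirectoryScopeId)
    # "/" is tenant-wide; "/administrativeUnits/<id>" is an AU; any other value
    # (e.g. an app-scoped assignment) is reported verbatim for manual review.
    if ($DirectoryScopeId -eq '/') { return 'Directory' }
    if ($DirectoryScopeId -like '/administrativeUnits/*') {
        $id = $DirectoryScopeId.Split('/')[-1]
        if ($aus.ContainsKey($id)) { return "AU: " + $aus[$id] }
        return "AU: $id"
    }
    return $DirectoryScopeId
}

function Resolve-Principal {
    param([string]$PrincipalId)
    # Emits one object per effective member. Groups are expanded transitively,
    # because a group-based assignment hides the real accounts behind one row.
    $obj  = Get-MgDirectoryObjectById -Ids $PrincipalId
    $type = $obj.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.group') {
        foreach ($m in (Get-MgGroupTransitiveMember -GroupId $PrincipalId -All)) {
            [PSCustomObject]@{
                Name = $m.AdditionalProperties['displayName']
                Upn  = $m.AdditionalProperties['userPrincipalName']
                Type = $m.AdditionalProperties['@odata.type']
                Via  = $obj.AdditionalProperties['displayName']
            }
        }
    } else {
        [PSCustomObject]@{
            Name = $obj.AdditionalProperties['displayName']
            Upn  = $obj.AdditionalProperties['userPrincipalName']
            Type = $type
            Via  = $null
        }
    }
}

$rows = New-Object System.Collections.Generic.List[object]

function Add-Rows {
    param($Assignments, [string]$Kind)
    # Both active assignments and eligibility schedules expose PrincipalId,
    # RoleDefinitionId and DirectoryScopeId, so one loop serves both.
    foreach ($a in $Assignments) {
        foreach ($p in (Resolve-Principal -PrincipalId $a.PrincipalId)) {
            $rows.Add([PSCustomObject]@{
                RoleName   = $roles[$a.RoleDefinitionId]
                Assignment = $Kind
                Scope      = Resolve-Scope -DirectoryScopeId $a.DirectoryScopeId
                MemberName = $p.Name
                MemberUpn  = $p.Upn
                MemberType = $p.Type
                ViaGroup   = $p.Via
            })
        }
    }
}

Add-Rows -Assignments (Get-MgRoleManagementDirectoryRoleAssignment -All) -Kind 'Active'
Add-Rows -Assignments (Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All) -Kind 'Eligible'

$rows | Export-Csv -Path "EntraRoleAssignments.csv" -NoTypeInformation

# Review view: role holders outside the tenant-wide scope, i.e. exactly the
# rows the legacy directoryRole cmdlets never show.
$rows | Where-Object { $_.Scope -ne 'Directory' } |
    Format-Table RoleName, Assignment, Scope, MemberName, ViaGroup -AutoSize
```

The MemberType and ViaGroup columns are worth keeping in the CSV: a service principal holding Global Administrator, or a user who inherits Privileged Authentication Administrator through nested group membership, is usually the finding an assignment review is looking for, and neither is visible when the report lists only the principal named on the assignment.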


  2. Vasil Michev 100.1K Reputation points MVP
    2024-06-13T16:47:46.06+00:00

    Here's a ready to use script that covers both direct and eligible (PIM) assignments, including scoped ones: https://www.michev.info/blog/post/5958/reporting-on-entra-id-directory-role-assignments-including-pim
