Here's a ready-to-use script that covers both direct and eligible (PIM) assignments, including scoped ones: https://www.michev.info/blog/post/5958/reporting-on-entra-id-directory-role-assignments-including-pim
PowerShell script to check all Entra ID role assignment members
Hi,
I'm checking on how I can manage to get all members of Entra ID Role Assignments and Administrators. When I try to export the file, only the scope with Directory is exported; not all members are exported.
When I tried the Get-AzureADDirectoryRoleMember PowerShell cmdlet, it gave me the same result.
Does anyone know what script I should use, or have a sample script, to cater for all members of the Entra ID roles?
In this image, only Directory appears in the Scope column I generated, but not the other scopes like the Administrative Unit.
Thank you
2 answers
Vasil Michev, 125.9K Reputation points, MVP, Volunteer Moderator, 2024-06-13T16:47:46.06+00:00
Marcin Policht, 85,255 Reputation points, MVP, Volunteer Moderator, 2024-06-13T11:59:29.2166667+00:00
Try the following:
```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Role definitions, used to map each assignment's RoleDefinitionId to a role name
$roles = Get-MgRoleManagementDirectoryRoleDefinition -All

# Every active role assignment in the tenant. DirectoryScopeId is "/" for the whole
# directory and "/administrativeUnits/<id>" for an assignment scoped to an
# Administrative Unit, so AU-scoped assignments come back in the same list.
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -All

# Function to resolve the principal (user, group or service principal) of an assignment
function Get-RoleMembers {
    param (
        [string]$principalId
    )
    $member = Get-MgDirectoryObjectById -Ids $principalId
    # displayName, userPrincipalName and @odata.type are returned in AdditionalProperties
    return [PSCustomObject]@{
        DisplayName       = $member.AdditionalProperties.displayName
        UserPrincipalName = $member.AdditionalProperties.userPrincipalName
        ObjectType        = $member.AdditionalProperties.'@odata.type'
    }
}

$result = @()
foreach ($assignment in $roleAssignments) {
    $role    = $roles | Where-Object { $_.Id -eq $assignment.RoleDefinitionId }
    $members = Get-RoleMembers -principalId $assignment.PrincipalId
    foreach ($member in $members) {
        $result += [PSCustomObject]@{
            RoleName    = $role.DisplayName
            RoleId      = $role.Id
            MemberName  = $member.DisplayName
            MemberEmail = $member.UserPrincipalName
            MemberType  = $member.ObjectType
            Scope       = $assignment.DirectoryScopeId
        }
    }
}

# Export the results to a CSV file
$result | Export-Csv -Path "AzureADRoleAssignments.csv" -NoTypeInformation
```
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
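The listing above covers only active assignments and leaves the scope as a raw identifier. As an added example (not code from either answer or from the linked blog post), the script below also pulls PIM-eligible assignments, resolves the Administrative Unit name behind a "/administrativeUnits/<id>" scope, classifies tenant-wide versus object-scoped assignments, and optionally expands role-assignable groups to their members. It assumes the Microsoft.Graph PowerShell SDK v2 and a signed-in account allowed to read role management and directory objects; the function names Get-EntraRoleAssignmentReport and Resolve-RoleScope and the output file name are this example's own choices.

```powershell
# Added example, not code from either answer: report active and PIM-eligible
# Entra ID directory role assignments with scope and principal resolved.
# Assumes Microsoft.Graph PowerShell SDK v2 and a signed-in account that may
# read role management and directory objects.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

$script:auNames = @{}   # administrative unit id -> display name, filled lazily

function Resolve-RoleScope {
    param ([string]$DirectoryScopeId)
    # "/" is the whole tenant; "/administrativeUnits/<id>" is an AU-scoped assignment;
    # anything else is "/<objectId>", a role restricted to a single application object.
    if ($DirectoryScopeId -eq '/') {
        return [PSCustomObject]@{ ScopeType = 'Directory'; ScopeName = 'Tenant' }
    }
    if ($DirectoryScopeId -like '/administrativeUnits/*') {
        $auId = $DirectoryScopeId.Split('/')[-1]
        if (-not $script:auNames.ContainsKey($auId)) {
            $script:auNames[$auId] = (Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $auId).DisplayName
        }
        return [PSCustomObject]@{ ScopeType = 'AdministrativeUnit'; ScopeName = $script:auNames[$auId] }
    }
    return [PSCustomObject]@{ ScopeType = 'Object'; ScopeName = $DirectoryScopeId.TrimStart('/') }
}

function Get-EntraRoleAssignmentReport {
    [CmdletBinding()]
    param (
        # Emit one row per member of a role-assignable group instead of one row for the group
        [switch]$ExpandGroups
    )

    $roleNames = @{}
    Get-MgRoleManagementDirectoryRoleDefinition -All |
        ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

    # Active assignments (permanent ones and current PIM activations) ...
    $raw = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
        ForEach-Object { [PSCustomObject]@{ State = 'Active';   Kind = $_.AssignmentType; Src = $_ } })
    # ... plus eligible (PIM) assignments, which the plain roleAssignments list never shows
    $raw += @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All |
        ForEach-Object { [PSCustomObject]@{ State = 'Eligible'; Kind = $_.MemberType;     Src = $_ } })

    # Resolve every distinct principal once, in batches (getByIds accepts up to 1000 ids)
    $principals = @{}
    $ids = @($raw.Src.PrincipalId | Sort-Object -Unique)
    for ($i = 0; $i -lt $ids.Count; $i += 1000) {
        $batch = $ids[$i..([Math]::Min($i + 999, $ids.Count - 1))]
        Get-MgDirectoryObjectById -Ids $batch |
            ForEach-Object { $principals[$_.Id] = $_.AdditionalProperties }
    }

    foreach ($item in $raw) {
        $a     = $item.Src
        $scope = Resolve-RoleScope -DirectoryScopeId $a.DirectoryScopeId
        $p     = $principals[$a.PrincipalId]
        $pType = ($p.'@odata.type' -replace '^#microsoft\.graph\.', '')

        # One row per principal, or one per group member when expanding groups
        $members = @(@{ Name = $p.displayName; Upn = $p.userPrincipalName; Type = $pType; Via = $null })
        if ($ExpandGroups -and $pType -eq 'group') {
            $members = @(Get-MgGroupMember -GroupId $a.PrincipalId -All | ForEach-Object {
                $m = $_.AdditionalProperties
                @{ Name = $m.displayName; Upn = $m.userPrincipalName
                   Type = ($m.'@odata.type' -replace '^#microsoft\.graph\.', ''); Via = $p.displayName }
            })
        }
        foreach ($m in $members) {
            [PSCustomObject]@{
                RoleName         = $roleNames[$a.RoleDefinitionId]
                AssignmentState  = $item.State      # Active or Eligible
                AssignmentType   = $item.Kind       # Assigned/Activated, or Direct/Group for eligible
                ScopeType        = $scope.ScopeType
                ScopeName        = $scope.ScopeName
                DirectoryScopeId = $a.DirectoryScopeId
                PrincipalType    = $m.Type
                PrincipalName    = $m.Name
                PrincipalUpn     = $m.Upn
                ViaGroup         = $m.Via
                EndDateTime      = $a.EndDateTime   # empty for permanent assignments
            }
        }
    }
}

$report = Get-EntraRoleAssignmentReport -ExpandGroups
$report | Sort-Object RoleName, ScopeName, PrincipalName |
    Export-Csv -Path "EntraRoleAssignments.csv" -NoTypeInformation
```

Two points worth checking in the output: an eligible assignment is a standing path to the role even though the principal holds no permissions until activation, so a privileged-access review should treat the Eligible rows as seriously as the Active ones; and a group principal with ExpandGroups off hides every user in that group behind one row, which is exactly how an over-broad role-assignable group slips past a member-by-member review.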