![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 30%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFD%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Is there a way to read all roles (Administrative Roles) that user has assigned in EntraID, not just the roles assigned for the SCIM app itself?
No.
Most applications do not care about the administrative directory roles (Global Admin, etc..) assigned to users in Entra ID. Applications have their own concepts of entitlements. Those app-specific roles are usually represented on the Enterprise Application object in Entra ID, where they can be assigned to users, and SSO + Provisioning can both then leverage those app-specific assignments to send role/entitlement data in SSO claims or SCIM create/update payloads.
If your application does have a reason to care about the Entra ID directory roles assigned to users, it will need to make calls to Microsoft Graph API to obtain that data, as it is not possible to use a user's assigned Entra ID directory roles as a data source with our provisioning service at this time.