How to get all Microsoft Entra ID and Azure Resources roles (both active and eligible) of all users using Microsoft Graph Powershell

Bragaglia, Andrea (IT) 30 Reputation points
2024-07-31T15:37:19.6933333+00:00

Hi, I need to develop a script using Microsoft Graph PowerShell that allows me to get the list of all Microsoft Entra and Azure resources eligible or active roles of all users. Is it possible to do this? What commands can I use?

Hoping you can help me, thank you in advance.


Accepted answer
  1. Hitesh Pachipulusu - MSFT 3,620 Reputation points Microsoft External Staff
    2024-08-01T09:14:20.3966667+00:00

    Hello @Bragaglia, Andrea (IT) ,

    Thank you for contacting Microsoft Support!

    Yes, it’s possible to develop a script using Microsoft Graph PowerShell to get the list of all Microsoft Entra and Azure resources eligible or active roles of all users. Here are the steps and commands you can use:

    1. Install the Microsoft.Graph module: follow the documentation to install the Graph PowerShell module.
    2. Connect to Microsoft Graph: Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
    3. Get eligible and active role assignments: you can use the Get-MgRoleManagementDirectoryRoleEligibilitySchedule and Get-MgRoleManagementDirectoryRoleAssignmentSchedule cmdlets to get eligible and active roles, respectively.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


3 additional answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  3. Neuvi Jiang 1,540 Reputation points Microsoft External Staff
    2024-08-02T07:28:55.16+00:00

    Hi Bragaglia, Andrea (IT),

    Thank you for posting in the Q&A Forums.

    Getting a list of users: First, you may need to get a list of users in your organization.

    Query user's role assignment: Then, for each user, you can query their assigned role.

    Step 1: Install the Microsoft Graph PowerShell SDK

    If you haven't installed the Microsoft Graph PowerShell SDK, you can install it via PowerShellGet:

    ```powershell
    Install-Module -Name Microsoft.Graph
    ```

    Step 2: Connect to Microsoft Graph

    Connect to Microsoft Graph using your Azure AD credentials (Administrator or a user with appropriate permissions):

    ```powershell
    Connect-Graph -Scopes "User.Read.All", "Directory.Read.All", "Directory.AccessAsUser.All"
    ```

    Note: You may need to request more or fewer permissions depending on your needs.

    Step 3: Get the list of users

    You can use Get-MgUser to get a list of users. Since there may be a lot of users, you may need to page through them or use filters.

    ```powershell
    # Get all users (may need to be paged)
    $users = Get-MgUser -All
    ```

    Step 4: Query a User's Role Assignment

    For Microsoft Graph, getting a user's "active role" directly may not be straightforward. However, you can query a user's Azure AD role assignment (if it's the type you want). Azure AD roles (e.g., global administrator, helpdesk administrator, etc.) can be queried through the Azure AD Graph API (now integrated into Microsoft Graph).

    ```powershell
    foreach ($user in $users) {
        # Assuming you want to query for Azure AD roles
        $roleAssignments = Get-MgUserRoleAssignment -UserId $user.Id -All
        # Export or process role assignments
        $roleAssignments | Select-Object RoleDefinitionId, ResourceScope
    }
    ```

    Note: Get-MgUserRoleAssignment is not a direct command built into the Microsoft Graph PowerShell SDK. This example is for illustrative purposes. In fact, you may need to use Get-MgDirectoryRoleAssignment or other related commands, and may need to filter the results in conjunction with an OData query.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

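As an added example that is not part of either answer: the two schedule cmdlets named in the accepted answer, used to build the per-user inventory that Step 4 of the answer above only sketches with a placeholder cmdlet. It assumes the Microsoft.Graph module is installed and the signed-in account can consent to RoleManagement.Read.Directory; the role names in $watch and the output file name are constructed for the example.

```powershell
# Added example: inventory Entra ID directory roles (active and eligible) per principal.
# Assumes Microsoft.Graph is installed and the caller can consent to RoleManagement.Read.Directory.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

# Expanding principal and roleDefinition returns display names with each schedule,
# so no per-row lookups are needed even in large tenants.
$active   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule  -All -ExpandProperty principal,roleDefinition
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty principal,roleDefinition

function ConvertTo-RoleRecord {
    param($Schedule, [string]$Kind)
    $p = $Schedule.Principal.AdditionalProperties   # expanded directoryObject; names live here
    [pscustomobject]@{
        Kind           = $Kind                                                     # Active or Eligible
        Principal      = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
        PrincipalType  = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')   # user, group, servicePrincipal
        Role           = $Schedule.RoleDefinition.DisplayName
        Scope          = $Schedule.DirectoryScopeId                                # "/" = whole tenant
        MemberType     = $Schedule.MemberType                                      # Direct or Group
        AssignmentType = $Schedule.AssignmentType                                  # Assigned / Activated; empty for eligible
        Expires        = $Schedule.ScheduleInfo.Expiration.EndDateTime             # $null = no expiry
    }
}

$records  = @($active   | ForEach-Object { ConvertTo-RoleRecord $_ 'Active' })
$records += @($eligible | ForEach-Object { ConvertTo-RoleRecord $_ 'Eligible' })

# Per-user view asked for in the question: one row per principal, roles collapsed.
$records | Group-Object Principal | ForEach-Object {
    [pscustomobject]@{
        Principal = $_.Name
        Active    = ($_.Group | Where-Object Kind -eq 'Active'   | ForEach-Object Role | Sort-Object -Unique) -join '; '
        Eligible  = ($_.Group | Where-Object Kind -eq 'Eligible' | ForEach-Object Role | Sort-Object -Unique) -join '; '
    }
} | Format-Table -AutoSize

# Review items: permanent (no expiry, not PIM-activated) active assignments of high-impact roles.
# $watch is a constructed list; adjust to the roles your tenant treats as privileged.
$watch = 'Global Administrator', 'Privileged Role Administrator', 'Privileged Authentication Administrator'
$records | Where-Object { $_.Kind -eq 'Active' -and $_.AssignmentType -eq 'Assigned' -and
                          -not $_.Expires -and $_.Role -in $watch } |
    Export-Csv -Path .\permanent-privileged-roles.csv -NoTypeInformation
```

These Graph cmdlets cover Entra ID directory roles only; Azure resource (RBAC) role assignments are held by Azure Resource Manager and are not returned here.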
