How to list eligible roles in PIM assigned with a group in PIM?

Olivier Lumeau 126 Reputation points
Feb 25, 2025, 3:54 PM

How do I list eligible roles in PIM that are assigned through a group in PIM, even if the role hasn't been enabled yet?

We assign privileged roles through role-assigned groups in PIM, but as eligible roles.
If the user has enabled his roles on the "My Roles" page, the membership is visible; if the role isn't enabled, we don't see the membership.

I can list or view eligible roles that are directly assigned or already enabled with PowerShell scripts or KQL queries.
But we want to be able to list the roles that a user could enable, not only those that have already been enabled.

In other words, roles are assigned in PIM (not directly, but by adding the user as a member of a role-assigned group in PIM), and we want to be able to check what a user could do, not only what "he does".

I mean: how do I view activatable eligible roles?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

1 answer

    Jose Benjamin Solis Nolasco 541 Reputation points
    Feb 25, 2025, 4:36 PM

    Hello Olivier,

    The way we do it is using the Microsoft Graph API or PowerShell.

    I hope this can help you;

    Using Azure AD PowerShell:

    PowerShell
    # "tenant-id" is a placeholder for your tenant (directory) ID
    Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "tenant-id"

    Using Microsoft Graph API:

    HTTP
    # 'user-id' is a placeholder for the object ID of the user (or group) being checked
    GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules?$filter=principalId eq 'user-id'
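As an added example that is not part of the answer above (and not Microsoft's own sample code), the following script, written against the Microsoft Graph PowerShell SDK, combines the two lookups needed to answer the question: it resolves the user's transitive group memberships and then queries the roleEligibilitySchedules endpoint once per principal (the user plus every group), which is what surfaces eligibility that was granted to a group rather than to the user directly. The user principal name, the "Via" labels and the output column names are assumptions for the example; the Graph endpoints and permission scopes are the documented ones.

```powershell
<#
  Added example, not code from the question or the answer above.
  Lists the Microsoft Entra roles a user could activate through PIM:
    - eligibility granted to the user directly, and
    - eligibility granted to any group the user is a transitive member of.
  Assumes the Microsoft.Graph PowerShell SDK (Invoke-MgGraphRequest) and a
  caller granted at least RoleManagement.Read.Directory and Directory.Read.All.
  The user principal name is a placeholder supplied by the caller.
#>
param(
    [Parameter(Mandatory)]
    [string] $UserPrincipalName   # placeholder, e.g. 'alice@contoso.example'
)

$graph = 'https://graph.microsoft.com/v1.0'
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Follow @odata.nextLink so paged collections are read completely.
function Get-GraphCollection {
    param([string] $Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# 1. Resolve the user and every group it belongs to, directly or through nesting.
$user = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri ("$graph/users/$UserPrincipalName" + '?$select=id,displayName')
$groups = Get-GraphCollection -Uri ("$graph/users/$($user.id)/transitiveMemberOf/microsoft.graph.group" +
    '?$select=id,displayName,isAssignableToRole')

# principalId -> human-readable "Via" label (labels are this example's own wording)
$principals = @{}
$principals[$user.id] = 'direct'
foreach ($g in $groups) {
    # Only role-assignable groups can carry Entra role eligibility, but querying
    # every group is harmless and keeps the logic simple.
    $principals[$g.id] = "group: $($g.displayName)"
}

# 2. Cache role definitions once so each schedule can be labelled with a role name.
$roleNames = @{}
foreach ($r in Get-GraphCollection -Uri ("$graph/roleManagement/directory/roleDefinitions" + '?$select=id,displayName')) {
    $roleNames[$r.id] = $r.displayName
}

# 3. Query eligibility schedules for each principal (the user and each group).
$results = foreach ($principalId in $principals.Keys) {
    $uri = "$graph/roleManagement/directory/roleEligibilitySchedules" +
           "?`$filter=principalId eq '$principalId'"
    foreach ($s in Get-GraphCollection -Uri $uri) {
        [pscustomobject]@{
            Role   = $roleNames[$s.roleDefinitionId]
            Scope  = $s.directoryScopeId                     # '/' means tenant-wide
            Via    = $principals[$principalId]
            Status = $s.status                              # e.g. Provisioned
            Ends   = $s.scheduleInfo.expiration.endDateTime # $null means permanent eligibility
        }
    }
}

$results | Sort-Object Role, Via | Format-Table -AutoSize
```

Run it as `.\Get-ActivatableRoles.ps1 -UserPrincipalName alice@contoso.example` (script name and UPN are placeholders). Rows whose Via column names a group are exactly the eligibilities the "My Roles" page hides until the role is activated, so the Role, Scope and Via columns together answer "what could this user do". One case the script does not cover: if the user is only an *eligible* member of the group (PIM for Groups) rather than an active member, `transitiveMemberOf` will not return that group; those pending memberships are listed by `GET /identityGovernance/privilegedAccess/group/eligibilitySchedules?$filter=principalId eq '{user-id}'`, and their `groupId` values would have to be added to `$principals` before step 3 to see the roles that are two activations away.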