PIM Group Eligible membership reporting

Sukhwinder Singh 51 Reputation points
2025-03-12T19:44:24.26+00:00

Hi,

We use different Entra groups which have the memberships managed via PIM. Several users are added as eligible members to those groups. I am trying to generate a report of all eligible members in all of those PIM Managed groups. I tried different options but I am unable to get a readable report which can be presented to Management.

I just need the group name, the members added to it and, if possible, when the group membership was last activated.

I can get these details from the GUI, but the number of groups is high, so I need some automated way to achieve this.

I tried using

Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All : but it gave unreadable details with several GUIDs

Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "" : this returned several objects, but I have 1-2 users added as eligible

Microsoft Security | Microsoft Graph

2 answers

  1. Vasil Michev 119.8K Reputation points MVP Volunteer Moderator
    2025-03-13T07:57:23.8366667+00:00

    In my experience, the Get-MgBetaIdentityGovernancePrivilegedAccessGroupEligibilitySchedule cmdlet gives the best results for eligible members, whereas you can get the currently assigned ones via Get-MgGroupTransitiveMember. As for getting the last time membership was activated, you will have to cover eligibilityScheduleInstances as well.


  2. SrideviM 5,715 Reputation points Microsoft External Staff Moderator
    2025-03-18T09:36:26.9333333+00:00

    Hello Sukhwinder Singh,

    In addition to the answer posted by Vasil Michev, I would like to add a few more points regarding PIM Group Eligible membership reporting.

    If your requirement is to generate a report of eligible members in PIM-managed Entra groups, you can make use of the PowerShell script below:

    # Requires the Microsoft.Graph.Authentication module. The scopes cover PIM for groups (beta) and directory reads.
    Connect-MgGraph -Scopes "PrivilegedAccess.Read.AzureADGroup", "PrivilegedEligibilitySchedule.Read.AzureADGroup", "Directory.Read.All"

    # Groups onboarded to PIM (beta endpoint). In large tenants follow @odata.nextLink for further pages.
    $pimGroups = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/privilegedAccess/aadGroups/resources"

    $reportData = @()

    foreach ($group in $pimGroups.value) {
        Write-Host "Processing Group: $($group.displayName)"
        $groupId = [uri]::EscapeDataString($group.id)
        # Eligibility schedules for this group; one entry per eligible principal
        $eligibilityUri = "https://graph.microsoft.com/beta/identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=groupId eq '$groupId'"
        $eligibleUsers = Invoke-MgGraphRequest -Method GET -Uri $eligibilityUri

        if ($eligibleUsers.value) {
            foreach ($eligibility in $eligibleUsers.value) {
                $principalId = $eligibility.principalId
                if ($principalId) {
                    # principalId is usually a user but can be a nested group; skip anything /users cannot resolve
                    $userUri = "https://graph.microsoft.com/beta/users/$principalId"
                    try {
                        $user = Invoke-MgGraphRequest -Method GET -Uri $userUri
                    } catch {
                        Write-Host "Principal $principalId in $($group.displayName) is not a user; skipping"
                        continue
                    }
                    $reportData += [PSCustomObject]@{
                        GroupName       = $group.displayName
                        UserName        = $user.displayName
                        UserPrincipal   = $user.userPrincipalName
                        EligibilityType = "Eligible"
                    }
                }
            }
        } else {
            Write-Host "No eligible users found for group: $($group.displayName)"
        }
    }

    $reportData | Export-Csv -Path "C:\test\PIM_Eligible_Members_Report.csv" -NoTypeInformation
    Write-Host "Report Generated: C:\test\PIM_Eligible_Members_Report.csv"


    Response:


    To confirm that, I checked the results in the CSV file, which correctly listed PIM groups with eligible members like this:


    Hope this helps!


    If this answer was helpful, please click "Accept the answer" and mark Yes, as this can be beneficial to other community members.


    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
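Pulling both answers together, here is an added example (not code from either answer, nor from Microsoft) that covers the third column the question asked for, the last activation. It discovers PIM-managed groups with the same beta resources endpoint the script above uses, reads eligibility with the Get-MgBeta...GroupEligibilitySchedule cmdlet Vasil Michev mentions, and takes activation evidence from assignment schedule instances and selfActivate requests. Assumptions: the Microsoft.Graph.Authentication, Microsoft.Graph.DirectoryObjects and Microsoft.Graph.Beta.Identity.Governance modules are installed; the request Status value 'Provisioned' is what your tenant returns for completed activations; $OutFile is a placeholder path.

```powershell
# Added example, not the answers' or Microsoft's code. Eligible members of every PIM-managed
# group plus the most recent activation seen for each member. Assumes the modules
# Microsoft.Graph.Authentication, Microsoft.Graph.DirectoryObjects and
# Microsoft.Graph.Beta.Identity.Governance are installed. $OutFile is a placeholder path.
$OutFile = "$env:TEMP\PIM_GroupEligibility.csv"
$scopes  = @(
    "PrivilegedAccess.Read.AzureADGroup"              # list groups onboarded to PIM (beta resources endpoint)
    "PrivilegedEligibilitySchedule.Read.AzureADGroup" # eligibility schedules
    "PrivilegedAssignmentSchedule.Read.AzureADGroup"  # assignment instances and requests (activations)
    "Directory.Read.All"                              # resolve principal ids to names
)
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. Discover PIM-managed groups, following @odata.nextLink so large tenants are not truncated.
$groups = @()
$uri = "https://graph.microsoft.com/beta/privilegedAccess/aadGroups/resources"
while ($uri) {
    $page    = Invoke-MgGraphRequest -Method GET -Uri $uri
    $groups += $page.value
    $uri     = $page.'@odata.nextLink'
}

$rows = foreach ($g in $groups) {
    $filter = "groupId eq '$($g.id)'"

    # 2. Eligibility schedules: one per principal and accessId (member or owner).
    $eligible = @(Get-MgBetaIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter $filter -All)
    if ($eligible.Count -eq 0) { continue }

    # 3. Activation evidence. Instances with assignmentType 'activated' are activations in effect
    #    right now; selfActivate requests give recent history (Graph keeps schedule requests for
    #    roughly 30 days, so older activations have to come from the audit log instead).
    $activeNow = @(Get-MgBetaIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance -Filter $filter -All |
                   Where-Object { $_.AssignmentType -eq 'activated' })
    $requests  = @(Get-MgBetaIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -Filter $filter -All |
                   Where-Object { $_.Action -eq 'selfActivate' -and $_.Status -eq 'Provisioned' })  # assumed Status value

    # 4. Resolve principal ids in one call; eligible principals may be users, nested groups or
    #    service principals. getByIds accepts up to 1000 ids per call.
    $ids = @($eligible.PrincipalId | Select-Object -Unique)
    $principals = @{}
    foreach ($obj in Get-MgDirectoryObjectById -Ids $ids) { $principals[$obj.Id] = $obj }

    foreach ($e in $eligible) {
        $p = $principals[$e.PrincipalId]   # $null if the principal has since been deleted
        $name = $upn = $type = $null
        if ($p) {
            $name = $p.AdditionalProperties['displayName']
            $upn  = $p.AdditionalProperties['userPrincipalName']
            $type = ($p.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        }
        $lastReq  = $requests  | Where-Object { $_.PrincipalId -eq $e.PrincipalId } |
                    Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        $lastInst = $activeNow | Where-Object { $_.PrincipalId -eq $e.PrincipalId } |
                    Sort-Object StartDateTime -Descending | Select-Object -First 1
        $lastActivation = $null
        if ($lastReq)      { $lastActivation = $lastReq.CreatedDateTime }
        elseif ($lastInst) { $lastActivation = $lastInst.StartDateTime }

        [PSCustomObject]@{
            GroupName       = $g.displayName
            AccessId        = $e.AccessId                            # member or owner
            Principal       = $name
            PrincipalUPN    = $upn
            PrincipalType   = $type
            EligibleUntil   = $e.ScheduleInfo.Expiration.EndDateTime # $null means permanent eligibility
            LastActivation  = $lastActivation
            CurrentlyActive = ($null -ne $lastInst)
        }
    }
}

$rows | Sort-Object GroupName, Principal | Export-Csv -Path $OutFile -NoTypeInformation
$rows | Format-Table GroupName, Principal, AccessId, EligibleUntil, LastActivation, CurrentlyActive -AutoSize
Write-Host "Report written to $OutFile"
```

Two things to keep in mind when reading the output: a blank LastActivation only means no activation within the retention window of schedule requests, not that the member never activated, and a nested group listed as eligible does not show its individual members; expand such rows with Get-MgGroupTransitiveMember if management needs named people.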

