This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 45%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hi,
We use different Entra groups which have the memberships managed via PIM. Several users are added as eligible members to those groups. I am trying to generate a report of all eligible members in all of those PIM Managed groups. I tried different options but I am unable to get a readable report which can be presented to Management.
I just need group name, member added to that and if possible when last time the group membership was activated
I can get these details from GUI but the number of groups are high so I need some automated way to achieve this
I tried using
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -all : But it gave unreadable details with several GIUD's
Get-AzureADMSPrivilegedRoleAssignment -ProviderId “aadRoles” -ResourceId “” : this returned several objects but I have 1-2 users added as eligible
In my experience, the Get-MgBetaIdentityGovernancePrivilegedAccessGroupEligibilitySchedule cmdlet gives best results for eligible members, whereas you can get the currently assigned ones via Get-MgGroupTransitiveMember. As for getting the last time membership was activated, you will have to cover eligibilityScheduleInstances as well.
Thanks, this command helps but it provides the details of users in Object ID format which I again need to resolve. But it provides the details. I will check few more things and will mark this as answer in few days
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 5%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hello Sukhwinder Singh,
In addition to the answer posted by Vasil Michev, I would like to add few more points regarding PIM Group Eligible membership reporting.
If your requirement is to generate report of eligible members in PIM-managed Entra groups, you can make use of below PowerShell script:
Connect-MgGraph -Scope "PrivilegedAccess.Read.AzureADGroup", "PrivilegedEligibilitySchedule.Read.AzureADGroup", "Directory.Read.All"
$pimGroups = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/privilegedAccess/aadGroups/resources"
$reportData = @()
foreach ($group in $pimGroups.value) {
Write-Host "Processing Group: $($group.displayName)"
$groupId = [uri]::EscapeDataString($group.id)
$eligibilityUri = "https://graph.microsoft.com/beta/identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=groupId eq '$groupId'"
$eligibleUsers = Invoke-MgGraphRequest -Method GET -Uri $eligibilityUri
if ($eligibleUsers.value) {
foreach ($eligibility in $eligibleUsers.value) {
$principalId = $eligibility.principalId
if ($principalId) {
$userUri = "https://graph.microsoft.com/beta/users/$principalId"
$user = Invoke-MgGraphRequest -Method GET -Uri $userUri
$reportData += [PSCustomObject]@{
GroupName = $group.displayName
UserName = $user.displayName
UserPrincipal = $user.userPrincipalName
EligibilityType = "Eligible"
}
}
}
} else {
Write-Host "No eligible users found for group: $($group.displayName)"
}
}
$reportData | Export-Csv -Path "C://test//PIM_Eligible_Members_Report.csv" -NoTypeInformation
Write-Host "Report Generated: C://test//PIM_Eligible_Members_Report.csv"
Response:
To confirm that, I checked the results in CSV file which correctly listed PIM groups with eligible members like this:
Hope this helps!
If this answer was helpful, please click "Accept the answer" and mark Yes, as this can be beneficial to other community members.
If you have any other questions or still running into more issues, let me know in the "comments" and I would be happy to help you.
Hello Sukhwinder Singh,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.
Hello Sukhwinder Singh,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.
Thanks for the script. I will run the script and test.
Sure Sukhwinder Singh, please do let me know if you face any issue while running the script. If this answer was helpful, please click "Accept the answer" and mark Yes, as this can be beneficial to other community members.
Hi,
This provides the group eligible membership however I also need when was role last activated and how long the eligibility is valid.
Is there anything which can be done for that