PIM Group Eligible membership reporting
Hi,
We use different Entra groups which have their memberships managed via PIM. Several users are added as eligible members to those groups. I am trying to generate a report of all eligible members in all of those PIM-managed groups. I tried different options but I am unable to get a readable report which can be presented to Management.
I just need the group name, the member added to it and, if possible, when the group membership was last activated.
I can get these details from the GUI, but the number of groups is high, so I need some automated way to achieve this.
I tried using:
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All : but it gave unreadable details with several GUIDs
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "" : this returned several objects but I have 1-2 users added as eligible
Microsoft Security | Microsoft Graph
2 answers
Sort by: Most helpful
Vasil Michev 119.8K Reputation points MVP Volunteer Moderator
2025-03-13T07:57:23.8366667+00:00
In my experience, the Get-MgBetaIdentityGovernancePrivilegedAccessGroupEligibilitySchedule cmdlet gives the best results for eligible members, whereas you can get the currently assigned ones via Get-MgGroupTransitiveMember. As for getting the last time membership was activated, you will have to cover eligibilityScheduleInstances as well.
SrideviM 5,715 Reputation points Microsoft External Staff Moderator
2025-03-18T09:36:26.9333333+00:00
Hello Sukhwinder Singh,
In addition to the answer posted by Vasil Michev, I would like to add a few more points regarding PIM Group Eligible membership reporting.
If your requirement is to generate a report of eligible members in PIM-managed Entra groups, you can make use of the PowerShell script below:
```powershell
Connect-MgGraph -Scopes "PrivilegedAccess.Read.AzureADGroup", "PrivilegedEligibilitySchedule.Read.AzureADGroup", "Directory.Read.All"

# Follow @odata.nextLink so that tenants with many groups or schedules are enumerated fully
function Get-GraphPages {
    param([string]$Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# Groups that are onboarded to PIM
$pimGroups  = Get-GraphPages -Uri "https://graph.microsoft.com/beta/privilegedAccess/aadGroups/resources"
$reportData = [System.Collections.Generic.List[object]]::new()

foreach ($group in $pimGroups) {
    Write-Host "Processing Group: $($group.displayName)"
    $groupId        = [uri]::EscapeDataString($group.id)
    $eligibilityUri = "https://graph.microsoft.com/beta/identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=groupId eq '$groupId'"
    $eligibleUsers  = @(Get-GraphPages -Uri $eligibilityUri)

    if ($eligibleUsers.Count -gt 0) {
        foreach ($eligibility in $eligibleUsers) {
            $principalId = $eligibility.principalId
            if ($principalId) {
                # directoryObjects resolves both users and nested groups; /users fails when the eligible principal is a group
                $principal = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/directoryObjects/$principalId"
                $reportData.Add([PSCustomObject]@{
                    GroupName       = $group.displayName
                    UserName        = $principal.displayName
                    UserPrincipal   = $principal.userPrincipalName
                    EligibilityType = "Eligible"
                })
            }
        }
    }
    else {
        Write-Host "No eligible users found for group: $($group.displayName)"
    }
}

$reportData | Export-Csv -Path "C:\test\PIM_Eligible_Members_Report.csv" -NoTypeInformation
Write-Host "Report Generated: C:\test\PIM_Eligible_Members_Report.csv"
```
Response:
To confirm that, I checked the results in the CSV file, which correctly listed the PIM groups with their eligible members like this:
Hope this helps!
If this answer was helpful, please click "Accept the answer" and mark Yes, as this can be beneficial to other community members. If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
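The following is an added example and not code from either answer. It combines the Microsoft.Graph.Beta cmdlets Vasil Michev names with the beta aadGroups/resources endpoint used in the script above, so that one run lists every PIM-managed group, each eligible member (user or nested group), the eligibility expiry, and the start time of any activation currently in effect. It assumes the Microsoft.Graph.Beta.Identity.Governance module is installed, that the signed-in account may read PIM group schedules, and, as an assumption about where activation times surface, that assignment schedule instances with AssignmentType 'activated' represent memberships created by activating an eligible assignment. It only shows activations currently in effect, not the history of past ones, and the output path is a placeholder.

```powershell
# Added example, not from the answers above. Assumed prerequisites: Microsoft.Graph.Beta.Identity.Governance
# installed; signed-in account may read PIM group eligibility and assignment schedules.
Import-Module Microsoft.Graph.Beta.Identity.Governance
Connect-MgGraph -Scopes "PrivilegedAccess.Read.AzureADGroup",
                        "PrivilegedEligibilitySchedule.Read.AzureADGroup",
                        "PrivilegedAssignmentSchedule.Read.AzureADGroup",
                        "Directory.Read.All"

function Get-PimManagedGroup {
    # Groups onboarded to PIM (beta endpoint used in the script above); follows @odata.nextLink
    $uri = "https://graph.microsoft.com/beta/privilegedAccess/aadGroups/resources"
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)
}

function Get-PimGroupEligibilityReport {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [string]$GroupName
    )

    # Eligible memberships; expanding the principal avoids a lookup per member
    $eligible = Get-MgBetaIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
        -Filter "groupId eq '$GroupId'" -ExpandProperty principal -All

    # Assumption: AssignmentType 'activated' marks memberships that came from activating an
    # eligible assignment, as opposed to permanent 'assigned' ones. Keyed by principal id.
    $activated = @{}
    Get-MgBetaIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
        -Filter "groupId eq '$GroupId'" -All |
        Where-Object { $_.AssignmentType -eq 'activated' } |
        ForEach-Object { $activated[$_.PrincipalId] = $_.StartDateTime }

    foreach ($e in $eligible) {
        # Expanded directoryObject properties live in AdditionalProperties in the SDK
        $p = $e.Principal.AdditionalProperties
        [PSCustomObject]@{
            GroupName         = $GroupName
            Member            = $p['displayName']
            UserPrincipalName = $p['userPrincipalName']     # empty when the principal is a nested group
            AccessId          = $e.AccessId                 # 'member' or 'owner'
            EligibleUntil     = $e.ScheduleInfo.Expiration.EndDateTime
            ActiveSince       = $activated[$e.PrincipalId]  # empty when not currently activated
        }
    }
}

$report = foreach ($g in Get-PimManagedGroup) {
    Get-PimGroupEligibilityReport -GroupId $g.id -GroupName $g.displayName
}

# Placeholder output path; adjust to your environment
$report | Sort-Object GroupName, Member |
    Export-Csv -Path "C:\test\PIM_Eligible_Members_Report.csv" -NoTypeInformation
$report | Format-Table -AutoSize
```

Both cmdlets require a filter on groupId (or principalId), which is why the report is built one group at a time; rows with an empty UserPrincipalName are nested groups that are themselves eligible, and those are worth flagging to management separately since their membership is not governed by PIM activation.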