Determine Azure AD Administrative Roles assignments, eligible and active, with Powershell Graph

Question

Hi,

I'm new to Azure AD and Powershell Graph, hoping I'm at the right place for the question.
I'm trying to use Powershell graph to determine a.o. what Azure AD Administrative roles have which assignments, both eligible (most importantly) and active.
So far I found a few commands that are helpful:

• GetMgDirectoryRole
• GetMgDirectoryRoleTemplate

Now I need to find the role assignments, with the proper information (eligible or active) and I'm confused. Because the only command I have been able to dig up is part of Device Management enrollment, which seems rather illogical and not right?:

• GetMgRoleManagementDirectoryRoleASsignment

Any insight here? Is this the correct command for Azure AD Administrative roles?

Cheers!

Answer 1

Get-MgRoleManagementDirectoryRoleAssignment and Get-MgRoleManagementDirectoryRoleEligibilitySchedule is what you need, the latter being the PIM roles.
If you are looking for ready-to-use solution or something you can build on, I published sample scripts on how to do this via the Microsoft Graph SDK for PowerShell or direct Graph API requests a while back: https://www.michev.info/Blog/Post/3958

Answer 2

Hi Martin,

I guess the Graph Explorer will be better option to list down the roles assigned, please check this link for pre-reqs and steps prerequisites

==
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.