View roles assigned to a group in Azure Active Directory

This section describes how the roles assigned to a group can be viewed using the Azure portal. Viewing groups and assigned roles are default user permissions.

Prerequisites

  • AzureAD module when using PowerShell
  • Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Groups.

  3. Select a role-assignable group that you are interested in.

  4. Select Assigned roles. You can now see all the Azure AD roles assigned to this group.

    View all roles assigned to a selected group

PowerShell

Get object ID of the group

Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators"

View role assignment to a group

Get-AzureADMSRoleAssignment -Filter "principalId eq '<object id of group>" 

Microsoft Graph API

Get object ID of the group

Use the Get group API to get a group.

GET https://graph.microsoft.com/v1.0/groups?$filter=displayName+eq+'Contoso_Helpdesk_Administrator'

Get role assignments to a group

Use the List unifiedRoleAssignments API to get the role assignment.

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=principalId eq

Next steps