List Azure AD role assignments for a user

A role can be assigned to a user directly or transitively via a group. This article describes how to list the Azure AD roles assigned to a user. For information about assigning roles to groups, see Use Azure AD groups to manage role assignments.

Prerequisites

  • AzureADPreview module when using PowerShell
  • Microsoft.Graph module when using PowerShell
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

Follow these steps to list Azure AD roles for a user using the Azure portal. Your experience will be different depending on whether you have Azure AD Privileged Identity Management (PIM) enabled.

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > Users > user name > Assigned roles.

    You can see the list of roles assigned to the user at different scopes. Additionally, you can see whether the role has been assigned directly or via group.

    list of roles assigned to a user in Azure portal

    If you have a Premium P2 license, you will see the PIM experience, which has eligible, active, and expired role assignment details.

    list of roles assigned to a user in PIM

PowerShell

Follow these steps to list Azure AD roles assigned to a user using PowerShell.

  1. Install the Microsoft.Graph module using Install-Module.

    Install-Module -Name Microsoft.Graph
    
  2. In a PowerShell window, use Connect-MgGraph to sign in to Microsoft Graph so you can run the Microsoft Graph PowerShell cmdlets.

    # Request the least-privilege permission needed to read role assignments.
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'
    
  3. Use the List transitiveRoleAssignments API to get roles assigned directly and transitively to a user.

    # Object ID of the user whose role assignments you want to list (sample value used in this article).
    $principalId = '6b937a9d-c731-465b-a844-2d5b5368c161'
    $uri = "https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq '$principalId'"
    # This API requires $count=true together with the ConsistencyLevel: eventual header.
    $headers = @{ 'ConsistencyLevel' = 'eventual' }

    $response = (Invoke-MgGraphRequest -Uri $uri -Headers $headers -Method GET).value
    # Each entry carries the assignment id, the role definition id, and the scope ('/' is tenant-wide).
    $response | Select-Object id, roleDefinitionId, directoryScopeId
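
    The raw transitiveRoleAssignments response only carries role definition IDs and does not say which assignments came through a group. The script below is an added example, not code from the article: it resolves the user from a UPN, runs the same transitive query as step 3, compares the result against the user's direct assignments to label each one, and resolves role names. It assumes the Microsoft.Graph module is installed and that the signed-in account can be granted RoleManagement.Read.Directory and User.Read.All.

```powershell
# Added example: list a user's Azure AD roles with source (direct or via group) and role names.
# Assumes Microsoft.Graph is installed; the $UserId value is a placeholder to replace.
param(
    [Parameter(Mandatory)] [string] $UserId   # UPN or object ID of the user to inspect
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

# The $filter needs the user's object ID, so resolve a UPN first.
$user = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName
$principalId = $user.Id

# transitiveRoleAssignments requires $count=true plus the ConsistencyLevel: eventual header.
$headers = @{ 'ConsistencyLevel' = 'eventual' }
$transitiveUri = "https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq '$principalId'"
$transitive = (Invoke-MgGraphRequest -Method GET -Uri $transitiveUri -Headers $headers).value

# Direct assignments only; anything in the transitive list that is not here was inherited via a group.
$directUri = "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?`$filter=principalId eq '$principalId'"
$direct = (Invoke-MgGraphRequest -Method GET -Uri $directUri).value
$directIds = @($direct | ForEach-Object { $_.id })

# Resolve each roleDefinitionId to a display name once and cache it.
$roleNames = @{}
foreach ($assignment in $transitive) {
    $defId = $assignment.roleDefinitionId
    if (-not $roleNames.ContainsKey($defId)) {
        $def = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/$defId"
        $roleNames[$defId] = $def.displayName
    }
    [pscustomobject]@{
        User         = $user.UserPrincipalName
        Role         = $roleNames[$defId]
        Scope        = $assignment.directoryScopeId   # '/' means tenant-wide
        Source       = if ($directIds -contains $assignment.id) { 'Direct' } else { 'Via group' }
        AssignmentId = $assignment.id
    }
}
```

Save the script and run it as `.\List-UserRoles.ps1 -UserId user@contoso.com` (placeholder name and UPN); the output objects can be piped to Format-Table or Export-Csv for review.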
    

Microsoft Graph API

Follow these steps to list Azure AD roles assigned to a user using the Microsoft Graph API in Graph Explorer.

  1. Sign in to the Graph Explorer.

  2. Use the List transitiveRoleAssignments API to get roles assigned directly and transitively to a user. Add the following query to the URL.

    GET https://graph.microsoft.com/beta/rolemanagement/directory/transitiveRoleAssignments?$count=true&$filter=principalId eq '6b937a9d-c731-465b-a844-2d5b5368c161'
    
  3. Navigate to the Request headers tab. Add ConsistencyLevel as the key and eventual as its value.

  4. Select Run query.

Next steps