List Microsoft Entra role assignments

This article describes how to list roles you have assigned in Microsoft Entra ID. In Microsoft Entra ID, roles can be assigned at an organization-wide scope or with a single-application scope.

  • Role assignments at the organization-wide scope are added to and can be seen in the list of single application role assignments.
  • Role assignments at the single application scope aren't added to and can't be seen in the list of organization-wide scoped assignments.

Prerequisites

  • Microsoft Graph PowerShell module when using PowerShell
  • Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Microsoft Entra admin center

Tip

Steps in this article might vary slightly based on the portal you start from.

This procedure describes how to list role assignments with organization-wide scope.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Roles & admins > Roles & admins.

  3. Select a role to open it and view its properties.

  4. Select Assignments to list the role assignments.


List my role assignments

It's easy to list your own permissions as well. Select Your Role on the Roles and administrators page to see the roles that are currently assigned to you.


Download role assignments

To download all active role assignments across all roles, including built-in and custom roles, follow these steps (currently in Preview).

  1. On the Roles and administrators page, select All roles.

  2. Select Download assignments.

    A CSV file that lists assignments at all scopes for all roles is downloaded.


To download all assignments for a specific role, follow these steps.

  1. On the Roles and administrators page, select a role.

  2. Select Download assignments.

    A CSV file that lists assignments at all scopes for that role is downloaded.


List role assignments with single-application scope

This section describes how to list role assignments with single-application scope. This feature is currently in public preview.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Applications > App registrations.

  3. Select the app registration to view its properties. You might have to select All applications to see the complete list of app registrations in your Microsoft Entra organization.


  4. In the app registration, select Roles and administrators, and then select a role to view its properties.


  5. Select Assignments to list the role assignments. Opening the assignments page from within the app registration shows you the role assignments that are scoped to this Microsoft Entra resource.


PowerShell

This section describes viewing assignments of a role with organization-wide scope. This article uses the Microsoft Graph PowerShell module. To view single-application scope assignments using PowerShell, you can use the cmdlets in Assign custom roles with PowerShell.

Use the Get-MgRoleManagementDirectoryRoleDefinition and Get-MgRoleManagementDirectoryRoleAssignment commands to list role assignments.

The following example shows how to list the role assignments for the Groups Administrator role.

# Fetch list of all directory roles with template ID
Get-MgRoleManagementDirectoryRoleDefinition

# Fetch a specific directory role by ID
$role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId fdd7a751-b60b-444a-984c-02652fe8fa1c

# Fetch membership for a role
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"

Id                                            PrincipalId                          RoleDefinitionId                     DirectoryScopeId AppScopeId
--                                            -----------                          ----------------                     ---------------- ----------
lAPpYvVpN0KRkAEhdxReEH2Fs3EjKm1BvSKkcYVN2to-1 71b3857d-2a23-416d-bd22-a471854ddada 62e90394-69f5-4237-9190-012177145e10 /
lAPpYvVpN0KRkAEhdxReEMdXLf2tIs1ClhpzQPsutrQ-1 fd2d57c7-22ad-42cd-961a-7340fb2eb6b4 62e90394-69f5-4237-9190-012177145e10 /

The following example shows how to list all active role assignments across all roles, including built-in and custom roles (currently in Preview).

$roles = Get-MgRoleManagementDirectoryRoleDefinition
foreach ($role in $roles)
{
  Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
}

Id                                            PrincipalId                          RoleDefinitionId                     DirectoryScopeId AppScopeId
--                                            -----------                          ----------------                     ---------------- ----------
lAPpYvVpN0KRkAEhdxReEH2Fs3EjKm1BvSKkcYVN2to-1 71b3857d-2a23-416d-bd22-a471854ddada 62e90394-69f5-4237-9190-012177145e10 /
lAPpYvVpN0KRkAEhdxReEMdXLf2tIs1ClhpzQPsutrQ-1 fd2d57c7-22ad-42cd-961a-7340fb2eb6b4 62e90394-69f5-4237-9190-012177145e10 /
4-PYiFWPHkqVOpuYmLiHa3ibEcXLJYtFq5x3Kkj2TkA-1 c5119b78-25cb-458b-ab9c-772a48f64e40 88d8e3e3-8f55-4a1e-953a-9b9898b8876b /
4-PYiFWPHkqVOpuYmLiHa2hXf3b8iY5KsVFjHNXFN4c-1 767f5768-89fc-4a8e-b151-631cd5c53787 88d8e3e3-8f55-4a1e-953a-9b9898b8876b /
BSub0kaAukSHWB4mGC_PModww03rMgNOkpK77ePhDnI-1 4dc37087-32eb-4e03-9292-bbede3e10e72 d29b2b05-8046-44ba-8758-1e26182fcf32 /
BSub0kaAukSHWB4mGC_PMgzOWSgXj8FHusA4iaaTyaI-1 2859ce0c-8f17-47c1-bac0-3889a693c9a2 d29b2b05-8046-44ba-8758-1e26182fcf32 /
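
The listings above contain only IDs, which makes an access review hard to read. The following added example (not part of the original article) joins assignments to role definition names and labels each assignment's scope. The function name Get-RoleAssignmentSummary, the sample objects, and the "Sample Custom Role" definition are constructed for illustration.

```powershell
# Added example, not from the original article.
function Get-RoleAssignmentSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [Parameter(Mandatory)] [object[]] $Definitions
    )
    # Index role definitions by Id so each assignment resolves with one lookup.
    $byId = @{}
    foreach ($d in $Definitions) { $byId[$d.Id] = $d }

    foreach ($a in $Assignments) {
        $def = $byId[$a.RoleDefinitionId]
        [pscustomobject]@{
            RoleName    = if ($def) { $def.DisplayName } else { '(unresolved role definition)' }
            PrincipalId = $a.PrincipalId
            # "/" is the organization-wide scope, as in the output above;
            # any other value is reported as-is as a narrower scope.
            Scope       = if ($a.DirectoryScopeId -eq '/') { 'organization-wide' } else { $a.DirectoryScopeId }
        }
    }
}

# Constructed sample input shaped like the cmdlet output shown above.
# For live data, collect the objects with the article's own commands:
#   $definitions = Get-MgRoleManagementDirectoryRoleDefinition
#   $assignments = foreach ($d in $definitions) {
#       Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($d.Id)'" }
$definitions = @(
    [pscustomobject]@{ Id = 'fdd7a751-b60b-444a-984c-02652fe8fa1c'; DisplayName = 'Groups Administrator' }
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; DisplayName = 'Sample Custom Role' }
)
$assignments = @(
    [pscustomobject]@{ PrincipalId = 'aaaaaaaa-0000-0000-0000-000000000001'; RoleDefinitionId = 'fdd7a751-b60b-444a-984c-02652fe8fa1c'; DirectoryScopeId = '/' }
    [pscustomobject]@{ PrincipalId = 'aaaaaaaa-0000-0000-0000-000000000002'; RoleDefinitionId = '11111111-1111-1111-1111-111111111111'; DirectoryScopeId = '/bbbbbbbb-0000-0000-0000-000000000001' }
    [pscustomobject]@{ PrincipalId = 'aaaaaaaa-0000-0000-0000-000000000003'; RoleDefinitionId = '22222222-2222-2222-2222-222222222222'; DirectoryScopeId = '/' }
)

$summary = Get-RoleAssignmentSummary -Assignments $assignments -Definitions $definitions

# Per-role counts, split by scope, for an access review.
$summary | Group-Object RoleName, Scope |
    Select-Object Count, Name | Sort-Object Name | Format-Table -AutoSize

# Assignments whose role definition could not be resolved deserve a closer look.
$summary | Where-Object RoleName -eq '(unresolved role definition)'
```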

Microsoft Graph API

This section describes how to list role assignments with organization-wide scope. To list single-application scope role assignments using Graph API, you can use the operations in Assign custom roles with Graph API.

Use the List unifiedRoleAssignments API to get the role assignments for a specific role definition. The following example shows how to list the role assignments for a specific role definition with the ID 3671d40a-1aac-426c-a0c1-a3821ebd8218.

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '<template-id-of-role-definition>'

Response

HTTP/1.1 200 OK
{
    "id": "CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
    "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
    "roleDefinitionId": "3671d40a-1aac-426c-a0c1-a3821ebd8218",
    "directoryScopeId": "/"
}
