List Microsoft Entra role assignments for a user

A role can be assigned to a user directly or transitively via a group. This article describes how to list the Microsoft Entra roles assigned to a user. For information about assigning roles to groups, see Use Microsoft Entra groups to manage role assignments.

Prerequisites

  • AzureADPreview module when using PowerShell
  • Microsoft.Graph module when using PowerShell
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Microsoft Entra admin center

Tip

Steps in this article might vary slightly based on the portal you start from.

Follow these steps to list Microsoft Entra roles for a user using the Microsoft Entra admin center. Your experience will be different depending on whether you have Microsoft Entra Privileged Identity Management (PIM) enabled.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Users > All users.

  3. Select user name > Assigned roles.

    You can see the list of roles assigned to the user at different scopes. Additionally, you can see whether the role has been assigned directly or via group.

    Screenshot: list of roles assigned to a user in Azure portal.

    If you have a Premium P2 license, you will see the PIM experience, which has eligible, active, and expired role assignment details.

    Screenshot: list of roles assigned to a user in PIM.

PowerShell

Follow these steps to list Microsoft Entra roles assigned to a user using PowerShell.

  1. Install the Microsoft.Graph module using Install-Module.

    Install-Module -Name Microsoft.Graph
    
  2. In a PowerShell window, use Connect-MgGraph to sign in and use Microsoft Graph PowerShell cmdlets.

    Connect-MgGraph
    
  3. Use the List transitiveRoleAssignments API to get roles assigned directly and transitively to a user.

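    # Replace the GUID in the filter with the object ID of the user to look up.
    $response = $null
    $uri = "https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq 'aaaaaaaa-bbbb-cccc-1111-222222222222'"
    $method = 'GET'
    # The request is sent with the ConsistencyLevel header set to eventual.
    $headers = @{'ConsistencyLevel' = 'eventual'}
    
    # .value holds the array of role assignment objects returned by the API.
    $response = (Invoke-MgGraphRequest -Uri $uri -Headers $headers -Method $method -Body $null).value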
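
The response from step 3 mixes direct and group-inherited assignments. For an assignment inherited through a group, the API returns the group's ID as principalId. The following added example (not part of the original article) uses that to label each assignment; the function name ConvertTo-RoleAssignmentSummary, the sample IDs, and the role names are constructed for illustration.

```powershell
# Added example, not from the original article.
# Labels each transitiveRoleAssignments result as direct or inherited via a group.
function ConvertTo-RoleAssignmentSummary {
    param(
        [Parameter(Mandatory)] [string]   $UserId,      # object ID used in the $filter
        [Parameter(Mandatory)] [object[]] $Assignments, # the .value array from step 3
        [hashtable] $RoleNames = @{}                    # roleDefinitionId -> displayName
    )
    foreach ($a in $Assignments) {
        # For a transitive assignment, principalId holds the group's ID, not the user's.
        $direct = ($a.principalId -eq $UserId)
        [pscustomobject]@{
            RoleName         = if ($RoleNames.ContainsKey($a.roleDefinitionId)) { $RoleNames[$a.roleDefinitionId] } else { '(unresolved)' }
            RoleDefinitionId = $a.roleDefinitionId
            Scope            = $a.directoryScopeId
            AssignedVia      = if ($direct) { 'Direct' } else { 'Group' }
            GroupId          = if ($direct) { $null } else { $a.principalId }
        }
    }
}

# Constructed sample data shaped like the API response (all IDs and names are made up).
$userId = 'aaaaaaaa-bbbb-cccc-1111-222222222222'
$sample = @(
    @{ id = 'assignment-1'; principalId = $userId; roleDefinitionId = '00000000-0000-0000-0000-0000000000a1'; directoryScopeId = '/' }
    @{ id = 'assignment-2'; principalId = 'dddddddd-0000-0000-0000-000000000001'; roleDefinitionId = '00000000-0000-0000-0000-0000000000b2'; directoryScopeId = '/' }
)
$names = @{
    '00000000-0000-0000-0000-0000000000a1' = 'Example Role A'
    '00000000-0000-0000-0000-0000000000b2' = 'Example Role B'
}
ConvertTo-RoleAssignmentSummary -UserId $userId -Assignments $sample -RoleNames $names | Format-Table

# Against a live tenant (after Connect-MgGraph), build the lookup from roleDefinitions
# and pass $response from step 3:
# $defs  = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions').value
# $names = @{}; foreach ($d in $defs) { $names[$d.id] = $d.displayName }
# ConvertTo-RoleAssignmentSummary -UserId $userId -Assignments $response -RoleNames $names
```

Rows with AssignedVia set to Group identify privileged access that a review of direct assignments alone would miss; GroupId is the group to inspect for membership.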
    

Microsoft Graph API

Follow these steps to list Microsoft Entra roles assigned to a user using the Microsoft Graph API in Graph Explorer.

  1. Sign in to the Graph Explorer.

  2. Use the List transitiveRoleAssignments API to get roles assigned directly and transitively to a user. Add the following query to the URL.

    GET https://graph.microsoft.com/beta/rolemanagement/directory/transitiveRoleAssignments?$count=true&$filter=principalId eq 'aaaaaaaa-bbbb-cccc-1111-222222222222'
    
  3. Navigate to the Request headers tab. Add ConsistencyLevel as the key and Eventual as its value.

  4. Select Run query.
