This article describes how to list the Microsoft Entra built-in and custom role definitions and their permissions using the Microsoft Entra admin center, Microsoft Graph PowerShell, or Microsoft Graph API.
A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically referred to as a role. Microsoft Entra ID has over 100 built-in roles, and you can also create your own custom roles. If you've ever wondered "What do these roles really do?", you can access a detailed list of permissions for each of the roles.
Prerequisites
For more information, see Prerequisites to use PowerShell or Graph Explorer.
List Microsoft Entra role definitions
Sign in to the Microsoft Entra admin center.
Browse to Entra ID > Roles & admins.
Select a role name to open the role. Don't add a check mark next to the role.
Select Description to see the summary and list of permissions for the role.
The page includes links to relevant documentation to help guide you through managing roles.
Follow these steps to list Microsoft Entra roles with PowerShell.
Open a PowerShell window. If necessary, use Install-Module to install Microsoft Graph PowerShell. For more information, see Prerequisites to use PowerShell or Graph Explorer.
Install-Module Microsoft.Graph -Scope CurrentUser
In a PowerShell window, use Connect-MgGraph to sign in to your tenant.
Connect-MgGraph -Scopes "RoleManagement.Read.All"
Use Get-MgRoleManagementDirectoryRoleDefinition to get roles.
# Get all role definitions
Get-MgRoleManagementDirectoryRoleDefinition
# Get single role definition by ID
Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId 00000000-0000-0000-0000-000000000000
# Get single role definition by templateId
Get-MgRoleManagementDirectoryRoleDefinition -Filter "TemplateId eq 'c4e39bd9-1100-46d3-8c65-fb160da0071f'"
# Get role definition by displayName
Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
To view the list of permissions of a role, use the following cmdlet.
# Do this to avoid truncation of the list of permissions
$FormatEnumerationLimit = -1
(Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Conditional Access Administrator'").RolePermissions | Format-List
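To answer the reverse question, which roles grant a given permission, the following added example (not part of the original article) flattens role definitions into one row per allowed action and filters by a wildcard pattern. The function name Get-RoleActionRow, the custom role, and the sample objects are constructed for illustration; the property names follow the objects returned by Get-MgRoleManagementDirectoryRoleDefinition.

```powershell
function Get-RoleActionRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $RoleDefinition,        # role definition object from the pipeline
        [string] $ActionPattern = '*'    # wildcard matched against each allowed action
    )
    process {
        foreach ($perm in $RoleDefinition.RolePermissions) {
            foreach ($action in $perm.AllowedResourceActions) {
                if ($action -like $ActionPattern) {
                    [pscustomobject]@{
                        Role      = $RoleDefinition.DisplayName
                        IsBuiltIn = $RoleDefinition.IsBuiltIn
                        Action    = $action
                        Condition = $perm.Condition
                    }
                }
            }
        }
    }
}

# Constructed sample input shaped like the cmdlet output (not real tenant data).
$sample = @(
    [pscustomobject]@{
        DisplayName     = 'Helpdesk Administrator'
        IsBuiltIn       = $true
        RolePermissions = @([pscustomobject]@{
            AllowedResourceActions = @(
                'microsoft.directory/users/password/update',
                'microsoft.directory/users/invalidateAllRefreshTokens')
            Condition = $null
        })
    },
    [pscustomobject]@{
        DisplayName     = 'Example Custom Role'   # hypothetical custom role
        IsBuiltIn       = $false
        RolePermissions = @([pscustomobject]@{
            AllowedResourceActions = @('microsoft.directory/users/password/update')
            Condition = $null
        })
    }
)

# Which roles in the sample can act on passwords?
$sample | Get-RoleActionRow -ActionPattern '*password*' | Format-Table -AutoSize
# Live tenant, after Connect-MgGraph -Scopes "RoleManagement.Read.All":
# Get-MgRoleManagementDirectoryRoleDefinition | Get-RoleActionRow -ActionPattern '*password*'
```

Rows where IsBuiltIn is False are the ones to review first when checking custom roles against least privilege, since they overlap with permissions a built-in role already carries.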
Follow these instructions to list Microsoft Entra roles using the Microsoft Graph API in Graph Explorer.
Sign in to the Graph Explorer.
Select GET as the HTTP method from the dropdown.
Set the API version to v1.0.
Use the List unifiedRoleDefinitions API to list all role definitions.
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
To list a specific role by displayName, use this format.
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayName eq 'Helpdesk Administrator'
Select Run query to list the roles.
Here's an example of the response.
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions",
    "value": [
        {
            "id": "729827e3-9c14-49f7-bb1b-9608f156bbb8",
            "description": "Can reset passwords for non-administrators and Helpdesk Administrators.",
            "displayName": "Helpdesk Administrator",
            "isBuiltIn": true,
            "isEnabled": true,
            "resourceScopes": [
                "/"
            ],
            ...
To view permissions of a role, use the following API.
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=DisplayName eq 'Conditional Access Administrator'&$select=rolePermissions