List Microsoft Entra role assignments
This article describes how to list roles you have assigned in Microsoft Entra ID. In Microsoft Entra ID, roles can be assigned at an organization-wide scope or with a single-application scope.
- Role assignments at the organization-wide scope are added to and can be seen in the list of single application role assignments.
- Role assignments at the single application scope aren't added to and can't be seen in the list of organization-wide scoped assignments.
Prerequisites
- Microsoft Graph PowerShell module when using PowerShell
- Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Tip
Steps in this article might vary slightly based on the portal you start from.
This procedure describes how to list role assignments with organization-wide scope.
Sign in to the Microsoft Entra admin center.
Browse to Identity > Roles & admins > Roles & admins.
Select a role to open it and view its properties.
Select Assignments to list the role assignments.
It's easy to list your own permissions as well. Select Your Role on the Roles and administrators page to see the roles that are currently assigned to you.
To download all active role assignments across all roles, including built-in and custom roles, follow these steps (currently in Preview).
On the Roles and administrators page, select All roles.
Select Download assignments.
A CSV file that lists assignments at all scopes for all roles is downloaded.
To download all assignments for a specific role, follow these steps.
On the Roles and administrators page, select a role.
Select Download assignments.
A CSV file that lists assignments at all scopes for that role is downloaded.
This section describes how to list role assignments with single-application scope. This feature is currently in public preview.
Sign in to the Microsoft Entra admin center.
Browse to Identity > Applications > App registrations.
Select the app registration to view its properties. You might have to select All applications to see the complete list of app registrations in your Microsoft Entra organization.
In the app registration, select Roles and administrators, and then select a role to view its properties.
Select Assignments to list the role assignments. Opening the assignments page from within the app registration shows you the role assignments that are scoped to this Microsoft Entra resource.
This section describes viewing assignments of a role with organization-wide scope. This article uses the Microsoft Graph PowerShell module. To view single-application scope assignments using PowerShell, you can use the cmdlets in Assign custom roles with PowerShell.
Use the Get-MgRoleManagementDirectoryRoleDefinition and Get-MgRoleManagementDirectoryRoleAssignment commands to list role assignments.
The following example shows how to list the role assignments for the Groups Administrator role.
# Fetch list of all directory roles with template ID
Get-MgRoleManagementDirectoryRoleDefinition
# Fetch a specific directory role by ID
$role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId fdd7a751-b60b-444a-984c-02652fe8fa1c
# Fetch membership for a role
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
Id PrincipalId RoleDefinitionId DirectoryScopeId AppScopeId
-- ----------- ---------------- ---------------- ----------
lAPpYvVpN0KRkAEhdxReEH2Fs3EjKm1BvSKkcYVN2to-1 aaaaaaaa-bbbb-cccc-1111-222222222222 62e90394-69f5-4237-9190-012177145e10 /
lAPpYvVpN0KRkAEhdxReEMdXLf2tIs1ClhpzQPsutrQ-1 bbbbbbbb-cccc-dddd-2222-333333333333 62e90394-69f5-4237-9190-012177145e10 /
The following example shows how to list all active role assignments across all roles, including built-in and custom roles (currently in Preview).
# Fetch all role definitions (built-in and custom)
$roles = Get-MgRoleManagementDirectoryRoleDefinition
# Fetch the assignments for each role in turn
foreach ($role in $roles)
{
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
}
Id PrincipalId RoleDefinitionId DirectoryScopeId AppScopeId
-- ----------- ---------------- ---------------- ----------
lAPpYvVpN0KRkAEhdxReEH2Fs3EjKm1BvSKkcYVN2to-1 aaaaaaaa-bbbb-cccc-1111-222222222222 62e90394-69f5-4237-9190-012177145e10 /
lAPpYvVpN0KRkAEhdxReEMdXLf2tIs1ClhpzQPsutrQ-1 bbbbbbbb-cccc-dddd-2222-333333333333 62e90394-69f5-4237-9190-012177145e10 /
4-PYiFWPHkqVOpuYmLiHa3ibEcXLJYtFq5x3Kkj2TkA-1 cccccccc-dddd-eeee-3333-444444444444 88d8e3e3-8f55-4a1e-953a-9b9898b8876b /
4-PYiFWPHkqVOpuYmLiHa2hXf3b8iY5KsVFjHNXFN4c-1 dddddddd-eeee-ffff-4444-555555555555 88d8e3e3-8f55-4a1e-953a-9b9898b8876b /
BSub0kaAukSHWB4mGC_PModww03rMgNOkpK77ePhDnI-1 eeeeeeee-ffff-aaaa-5555-666666666666 d29b2b05-8046-44ba-8758-1e26182fcf32 /
BSub0kaAukSHWB4mGC_PMgzOWSgXj8FHusA4iaaTyaI-1 ffffffff-aaaa-bbbb-6666-777777777777 d29b2b05-8046-44ba-8758-1e26182fcf32 /
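The output above contains only IDs, which is hard to review. As an added example (not part of the original article and not Microsoft's code), the following function joins assignments to role definitions and labels each one as organization-wide or resource-scoped. The function and variable names are hypothetical; the sample rows are constructed from IDs shown above, and the role display names, the custom role, and the resource-scoped row (a DirectoryScopeId of "/" followed by an object ID) are assumptions.

```powershell
# Added example, not Microsoft's code. Function and variable names are hypothetical.
function Get-RoleAssignmentReport {
    param(
        [Parameter(Mandatory)] [object[]] $Assignment,
        [Parameter(Mandatory)] [object[]] $RoleDefinition
    )
    # Index role definitions by Id so each assignment needs only one lookup.
    $roleById = @{}
    foreach ($r in $RoleDefinition) { $roleById[$r.Id] = $r }

    foreach ($a in $Assignment) {
        $role = $roleById[$a.RoleDefinitionId]
        # An assignment whose role is not in the supplied list is kept and marked, not dropped.
        $roleName = if ($role) { $role.DisplayName } else { "unknown ($($a.RoleDefinitionId))" }
        # "/" means organization-wide; any other value scopes the role to one resource.
        $scope = if ($a.DirectoryScopeId -eq '/') { 'Organization-wide' } else { "Resource $($a.DirectoryScopeId)" }
        [pscustomobject]@{
            Role        = $roleName
            IsBuiltIn   = $role.IsBuiltIn
            PrincipalId = $a.PrincipalId
            Scope       = $scope
        }
    }
}

# Constructed sample data (assumed display names; last role and last row are invented).
$sampleRoles = @(
    [pscustomobject]@{ Id = '62e90394-69f5-4237-9190-012177145e10'; DisplayName = 'Global Administrator'; IsBuiltIn = $true }
    [pscustomobject]@{ Id = '88d8e3e3-8f55-4a1e-953a-9b9898b8876b'; DisplayName = 'Directory Readers'; IsBuiltIn = $true }
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; DisplayName = 'Sample custom app role'; IsBuiltIn = $false }
)
$sampleAssignments = @(
    [pscustomobject]@{ PrincipalId = 'aaaaaaaa-bbbb-cccc-1111-222222222222'; RoleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'; DirectoryScopeId = '/' }
    [pscustomobject]@{ PrincipalId = 'bbbbbbbb-cccc-dddd-2222-333333333333'; RoleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'; DirectoryScopeId = '/' }
    [pscustomobject]@{ PrincipalId = 'cccccccc-dddd-eeee-3333-444444444444'; RoleDefinitionId = '88d8e3e3-8f55-4a1e-953a-9b9898b8876b'; DirectoryScopeId = '/' }
    [pscustomobject]@{ PrincipalId = 'dddddddd-eeee-ffff-4444-555555555555'; RoleDefinitionId = '11111111-1111-1111-1111-111111111111'; DirectoryScopeId = '/22222222-2222-2222-2222-222222222222' }
)

# In a tenant, pass the output of the cmdlets shown above instead of the samples:
#   -Assignment (Get-MgRoleManagementDirectoryRoleAssignment -All)
#   -RoleDefinition (Get-MgRoleManagementDirectoryRoleDefinition -All)
$report = Get-RoleAssignmentReport -Assignment $sampleAssignments -RoleDefinition $sampleRoles

# Review view: number of principals holding each role at each scope, largest first.
$report | Group-Object Role, Scope | Sort-Object Count -Descending | Select-Object Count, Name
```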
This section describes how to list role assignments with organization-wide scope. To list single-application scope role assignments using Graph API, you can use the operations in Assign custom roles with Graph API.
Use the List unifiedRoleAssignments API to get the role assignments for a specific role definition. The following example shows how to list the role assignments for a specific role definition with the ID 00000000-0000-0000-0000-000000000000.
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '<template-id-of-role-definition>'
Response
HTTP/1.1 200 OK
{
"id": "C2dE3fH4iJ5kL6mN7oP8qR9sT0uV1wIiSDKQoTVJrLE9etXyrY0-1",
"principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
"roleDefinitionId": "00000000-0000-0000-0000-000000000000",
"directoryScopeId": "/"
}
- Feel free to share with us on the Microsoft Entra administrative roles forum.
- For more about role permissions, see Microsoft Entra built-in roles.
- For default user permissions, see a comparison of default guest and member user permissions.