Export All Admin Role Memberships in Entra ID With Powershell

By exporting a list of all assigned admin roles in Microsoft Entra ID, you will get a top-level overview of privileged users in your tenant. This will allow you to make an informed decision as to whether the appropriate roles are assigned to the relevant users, or whether some changes are needed.

In a previous tutorial, I demonstrated how you can use PowerShell to export a full list of admin role assignments from PIM (Privileged Identity Management), you can read this tutorial here:  How to Export All AzureAD PIM Roles with Microsoft Graph PowerShell.

In this tutorial, I am going to show you how to run a report of all admin role memberships in Microsoft Entra ID using Microsoft Graph PowerShell and export it to a CSV file. This is beneficial if you are not using PIM for role management but still need to clearly identify which users hold admin role memberships in your tenant.

Pre-requisites

Powershell

To run the command in this script you must have the latest current version of Microsoft Graph PowerShell installed. For guidance on how to install Microsoft Graph PowerShell, follow my tutorial here: How to Install the Microsoft Graph PowerShell Module

Permissions

To consent to the necessary permissions (RoleManagement.Read.Directory, User.Read.All, AuditLog.Read.All) for Microsoft Graph PowerShell, you will need to be assigned the global administrator role in your tenant. However, once the permissions are consented to, a lower-tier user context can be used, such as global reader.

Export all admin role memberships script

This script will first connect to Microsoft Graph and store all the privileged directory roles, saving them into the $allroles variable. It will then loop through each role and check if there are any members assigned, if there are no members assigned the role will be skipped. An array object will then be provisioned containing the information for each assignment to the current role and that will then be added to the report. 

You can also access the same copy of this script from my GitHub profile here.

There are 3 core cmdlets used in this script:

  • Get-MgDirectoryRole > This cmdlet will retrieve all admin roles in your tenant.
  • Get-MgDirectoryRoleMember > This cmdlet will retrieve members of a specific role.
  • Get-MgUser > This cmdlet will retrieve users in your tenant. I have written a comprehensive guide on using this cmdlet here: How To Use Get-MgUser with Microsoft Graph PowerShell
<#
AUTHOR: Daniel Bradley
LINKEDIN: https://www.linkedin.com/in/danielbradley2/
TWITTER: https://twitter.com/DanielatOCN
WEBSITE: https://ourcloudnetwork.com/
Info: This script was written by Daniel Bradley for the ourcloudnetwork.com blog
#>

#Connect to Microsoft Graph
Connect-MgGraph -Scopes RoleManagement.Read.Directory, User.Read.All, AuditLog.Read.All

#Get all directory roles
$allroles = Get-MgDirectoryRole

#Provision in new array object
$Report = [System.Collections.Generic.List[Object]]::new()

#Start a loop to build the report
Foreach ($role in $allroles){
    $rolemembers = $null
    #Get members of each role
    $Rolemembers = Get-MgDirectoryRoleMember -DirectoryRoleId $Role.id
    #Skip role if role assignments are empty
    If ($Rolemembers -eq $null) {Write-host "No users assigned to $($Role.DisplayName)"} Else {
        Foreach ($Member in $rolemembers){
        #Filter out non-user assignments
            If ($member.AdditionalProperties.'@odata.type' -notmatch "servicePrincipal") {
                $SignInActivity = $null
                #Get signin logs for user
                $SignInActivity = Get-MgUser -UserId $member.id -Property signinactivity | Select-Object -ExpandProperty signinactivity
                #Build current array object
                $obj = [pscustomobject][ordered]@{
                    Role                     = $Role.DisplayName
                    User                     = $member.AdditionalProperties.displayName
                    Username                 = $member.AdditionalProperties.userPrincipalName
                    LastInteractiveSignIn    = $SignInActivity.LastSignInDateTime
                }
                #Add current array object to the report
                $report.Add($obj)
            }
        }
    }
}

#Export report to csv
$report | Export-CSV -path C:\temp\AdminRoleReport.csv -NoTypeInformation

Summary

This script is a simple barebones method of obtaining an actionable admin role membership report using Microsoft Graph PowerShell. It is by no means a complete audit solution for your role memberships, however, it will help you start your journey to better role management by taking the first steps and reducing your admin footprint by taking away access users no longer need.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 4 Comments

  1. Matt

    Daniel, this script provided me exactly what I was looking for. Thank you so much!

    1. Daniel

      Glad you found it helpful Matt!

  2. JE

    Doesn’t work for me – I get the error:

    Line |
    11 | Select-MgProfile -Name Beta
    | ~~~~~~~~~~~~~~~~
    | The term ‘Select-MgProfile’ is not recognized as a name of a cmdlet, function, script file, or executable program. Check the
    | spelling of the name, or if a path was included, verify that the path is correct and try again.

    1. Daniel Bradley

      Hi JE,

      It has been fixed now! Let me know 🙂

      Cheers
      Daniel

Leave a Reply