How to Export All Entra PIM Roles with Microsoft Graph PowerShell

Microsoft Entra Privileged Identity Management (PIM) is a fantastic tool for managing and monitoring privileged access to resources in your environment. Over time, however, active and eligible PIM assignments naturally build up, and you may need to programmatically export a top-level view of all of them to validate whether they are still necessary, or at least to report on them.

In this tutorial I am going to show you how to use Microsoft Graph PowerShell to export a report of all PIM assignments programmatically. I will also show you how to export a similar report from the portal.

Pre-requisites

To export the PIM roles in this tutorial you must ensure you have the Microsoft Graph modules installed. Check out my tutorial here: How To Install the Microsoft Graph PowerShell Module which details how to install and upgrade the Microsoft Graph PowerShell modules.

As well as this, the script signs in to Microsoft Graph interactively. The two delegated permissions it requests (RoleManagement.Read.Directory and Directory.Read.All) require admin consent, so the first time they are requested in your tenant a Global Administrator or Privileged Role Administrator must grant that consent. Once consent has been granted, an account holding a read-only directory role such as Global Reader or Security Reader is enough to run the report; there is no need to run it as a Global Administrator. The session only carries the read scopes requested in the script, so nothing in it can modify assignments.

How to export all PIM roles using the Microsoft Entra portal

If you like the simplicity of using the Web GUI to complete this task, you can use the Identity Governance portal in Microsoft Entra to export the same report. Follow the below steps to export the PIM roles through the Microsoft Entra portal:

1. Sign in to Microsoft Entra here: https://entra.microsoft.com/ with an account that has the Security Reader role (or a higher read role such as Global Reader) assigned.

2. From the menu, select Identity Governance > Privileged Identity Management

Privileged Identity Management Portal

3. Under the Manage heading, select Assignments

PIM Assignments

4. Select Export and, when the option appears, select Download

Download report

5. Your report will look like the following:

Example Report

How to export all PIM roles using Microsoft Graph PowerShell

I have written the script below for this tutorial to gather all eligible and active PIM role assignments and bring the relevant information into a similar report. Start by opening Notepad or PowerShell ISE and copying the code below. Paste it into your editor, make any necessary modifications, such as the export path, and run the script in PowerShell to create the PIM role report.

# Requires the Microsoft.Graph.Identity.Governance module (installed with the Microsoft.Graph meta-module).
# Read-only scopes are enough: RoleManagement.Read.Directory covers the PIM schedules and
# Directory.Read.All lets the expanded principal (user, group or servicePrincipal) be resolved.
$ExportPath = "C:\temp\AllPIMRolesExport.csv"

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Eligible schedules are assignments that can be activated; assignment schedules are active roles,
# either "Assigned" permanently by an admin or "Activated" by an eligible user.
# -ExpandProperty * pulls in the principal and roleDefinition objects so no per-row lookups are needed.
$EligiblePIMRoles = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty *
$AssignedPIMRoles = Get-MgRoleManagementDirectoryRoleAssignmentSchedule  -All -ExpandProperty *

# Wrap both in @() so the concatenation still works when either call returns nothing or a single object.
$PIMRoles = @($EligiblePIMRoles) + @($AssignedPIMRoles)

$Report = [System.Collections.Generic.List[Object]]::new()

foreach ($a in $PIMRoles) {
    # '@odata.type' is e.g. "#microsoft.graph.user"; the last segment is the principal type.
    $principalType = ($a.Principal.AdditionalProperties.'@odata.type' -split '\.')[-1]

    # Eligibility schedules have no AssignmentType. Active schedules report "Assigned" (an active
    # assignment made by an admin) or "Activated" (an eligible user activated the role), so testing
    # only for "Assigned" would mislabel activated roles as eligible.
    $assignmentType = switch ($a.AssignmentType) {
        "Assigned"  { "Active" }
        "Activated" { "Active (activated)" }
        default     { "Eligible" }
    }

    # EndDateTime is only populated when Expiration.Type is afterDateTime; otherwise report N/A.
    $expirationDate = if ($a.ScheduleInfo.Expiration.EndDateTime) { $a.ScheduleInfo.Expiration.EndDateTime } else { "N/A" }

    $obj = [pscustomobject][ordered]@{
        Assigned                 = $a.Principal.AdditionalProperties.displayName
        "Assigned Type"          = $principalType
        "Assigned Role"          = $a.RoleDefinition.DisplayName
        "Assigned Role Scope"    = $a.DirectoryScopeId                # "/" means tenant-wide
        "Assignment Type"        = $assignmentType
        "Is Built In"            = $a.RoleDefinition.IsBuiltIn
        "Created Date"           = $a.CreatedDateTime
        "Expiration type"        = $a.ScheduleInfo.Expiration.Type    # noExpiration, afterDateTime or afterDuration
        "Expiration Date"        = $expirationDate
    }
    $Report.Add($obj)
}

# Export-Csv does not create the folder for you, so make sure it exists first.
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
$Report | Export-Csv -Path $ExportPath -NoTypeInformation
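Once the report exists, the next question is which rows actually need attention. The following is an added example, not part of the original tutorial, that triages the exported rows for the patterns a reviewer usually cares about: permanent active assignments to high-privilege roles (standing access that bypasses PIM's activation, MFA and approval gates), permanent eligibility for those roles, service principals holding active roles, and assignments old enough to be orphaned. The column names are the ones the export script above produces; the high-privilege role list and the 365-day ageing threshold are illustrative choices for this example, not Microsoft guidance. The sample rows are constructed so the block runs offline; swap them for Import-Csv on your real export.

```powershell
# Added example: triage the PIM export for assignments that deserve review.
# Assumptions (not from the article): column names match the export script, and the
# $HighPrivilegeRoles list and $StaleAfterDays threshold are illustrative defaults.

function Get-PimAssignmentFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $StaleAfterDays = 365,
        # Illustrative set of roles that should normally be eligible-only and time-bound.
        [string[]] $HighPrivilegeRoles = @(
            'Global Administrator', 'Privileged Role Administrator',
            'Privileged Authentication Administrator', 'Security Administrator',
            'Exchange Administrator', 'SharePoint Administrator', 'User Administrator'
        )
    )

    $now = Get-Date
    foreach ($r in $Rows) {
        $reasons    = [System.Collections.Generic.List[string]]::new()
        $isActive   = $r.'Assignment Type' -like 'Active*'          # "Active" or "Active (activated)"
        $permanent  = $r.'Expiration type' -eq 'noExpiration'
        $privileged = $HighPrivilegeRoles -contains $r.'Assigned Role'

        # Permanent active high-privilege role: no JIT activation, MFA prompt or approval ever applies.
        if ($isActive -and $permanent -and $privileged) {
            $reasons.Add('Permanent active high-privilege assignment')
        }
        # Permanent eligibility never lapses; confirm the principal still needs the role.
        if (-not $isActive -and $permanent -and $privileged) {
            $reasons.Add('Permanent eligibility for high-privilege role')
        }
        # A service principal cannot activate interactively, so an active role is standing access.
        if ($isActive -and $r.'Assigned Type' -eq 'servicePrincipal') {
            $reasons.Add('Service principal holding an active role')
        }
        # Old assignments are the ones most likely to be orphaned. After Import-Csv the date is a string.
        $created = [datetime]::MinValue
        if ([datetime]::TryParse([string]$r.'Created Date', [ref]$created) -and
            ($now - $created).TotalDays -gt $StaleAfterDays) {
            $reasons.Add("Created more than $StaleAfterDays days ago")
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Assigned       = $r.Assigned
                PrincipalType  = $r.'Assigned Type'
                Role           = $r.'Assigned Role'
                Scope          = $r.'Assigned Role Scope'
                AssignmentType = $r.'Assignment Type'
                Findings       = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rows with the same columns as the export. Against real data use:
#   $rows = Import-Csv -Path 'C:\temp\AllPIMRolesExport.csv'
$rows = @(
    [pscustomobject]@{ Assigned = 'Alice Admin'; 'Assigned Type' = 'user'; 'Assigned Role' = 'Global Administrator'
        'Assigned Role Scope' = '/'; 'Assignment Type' = 'Active'; 'Is Built In' = 'True'
        'Created Date' = '2021-03-01T08:00:00Z'; 'Expiration type' = 'noExpiration'; 'Expiration Date' = 'N/A' }
    [pscustomobject]@{ Assigned = 'Bob Ops'; 'Assigned Type' = 'user'; 'Assigned Role' = 'Global Administrator'
        'Assigned Role Scope' = '/'; 'Assignment Type' = 'Eligible'; 'Is Built In' = 'True'
        'Created Date' = (Get-Date).AddDays(-30).ToString('o'); 'Expiration type' = 'afterDateTime'
        'Expiration Date' = (Get-Date).AddMonths(6).ToString('o') }
    [pscustomobject]@{ Assigned = 'automation-app'; 'Assigned Type' = 'servicePrincipal'; 'Assigned Role' = 'User Administrator'
        'Assigned Role Scope' = '/'; 'Assignment Type' = 'Active'; 'Is Built In' = 'True'
        'Created Date' = '2022-06-15T12:00:00Z'; 'Expiration type' = 'noExpiration'; 'Expiration Date' = 'N/A' }
    [pscustomobject]@{ Assigned = 'Helpdesk Tier1'; 'Assigned Type' = 'group'; 'Assigned Role' = 'Helpdesk Administrator'
        'Assigned Role Scope' = '/'; 'Assignment Type' = 'Eligible'; 'Is Built In' = 'True'
        'Created Date' = '2020-01-10T09:00:00Z'; 'Expiration type' = 'noExpiration'; 'Expiration Date' = 'N/A' }
)

Get-PimAssignmentFindings -Rows $rows | Format-Table -AutoSize -Wrap
```

Of the four constructed rows, only Bob Ops (recent, time-bound eligibility) produces no finding. Alice Admin is flagged for a permanent active Global Administrator assignment and for age, automation-app for a service principal holding a permanent active high-privilege role and for age, and the Helpdesk group only for age, since Helpdesk Administrator is not in the illustrative role list. Tune $HighPrivilegeRoles and $StaleAfterDays to your own tenant's policy before treating the output as a finding list.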

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
