Azure AD - List Role Assignments
Retrieving a list of all Azure AD role assignments sounds easy enough, right? Well, there are some things to consider; here is what.
Introduction
Unfortunately, it is not straightforward to get a list of all Azure AD role assignments once Privileged Identity Management (PIM) is in use: assignments are then split into eligible ones (activated just-in-time) and active ones, and the two are exposed through different endpoints. First, we need the Microsoft Graph PowerShell SDK; follow these steps. Currently, retrieving eligible assignments requires switching the Microsoft Graph profile to beta, and this information can only be queried using Windows PowerShell. Note that Select-MgProfile was removed in version 2 of the SDK; there the beta cmdlets live in the separate Microsoft.Graph.Beta modules instead.
Script
The script is available as a gist here; it is also explained in detail below.
# Group.Read.All is needed for Get-MgGroup, RoleManagement.Read.Directory for the role definitions
Connect-MgGraph -Scopes RoleEligibilitySchedule.Read.Directory, RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, CrossTenantInformation.ReadBasic.All, AuditLog.Read.All, User.Read.All, Group.Read.All
# the schedule cmdlets are only available in the beta profile (SDK v1.x)
Select-MgProfile -Name Beta
# get all users and groups to resolve principal IDs; hashtables avoid a linear scan per assignment
$users = @{}
Get-MgUser -All | ForEach-Object { $users[$_.Id] = $_ }
$groups = @{}
Get-MgGroup -All | ForEach-Object { $groups[$_.Id] = $_ }
# get all Azure AD role definitions to resolve IDs (-All: there are more than 100 built-in roles)
$roles = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roles[$_.Id] = $_ }
# get all eligible (PIM) and active role assignments
$eligible_role_assignments = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty "*" -All:$true
$assigned_role_assignments = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -ExpandProperty "*" -All:$true
# resolve one assignment to a readable object; $type marks it as 'eligible' or 'active'
function Resolve-Assignment($assignment, $type) {
    $user = $users[$assignment.PrincipalId]
    $group = $groups[$assignment.PrincipalId]
    [pscustomobject]@{
        'type' = $type
        'role' = $roles[$assignment.RoleDefinitionId].DisplayName
        'user' = $user.UserPrincipalName
        'group' = $group.DisplayName
        'user_enabled' = $user.AccountEnabled
        # if neither user nor group resolves, the principal is a service principal or a deleted object
        'principal_id' = $assignment.PrincipalId
    }
}
[System.Collections.ArrayList]$resolved_assignments = @()
foreach ($assignment in $eligible_role_assignments) {
    $resolved_assignments.Add((Resolve-Assignment $assignment 'eligible')) | Out-Null
}
foreach ($assignment in $assigned_role_assignments) {
    $resolved_assignments.Add((Resolve-Assignment $assignment 'active')) | Out-Null
}
Write-Output $resolved_assignments
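Having the list is only half the job; the point of collecting eligible and active assignments side by side is to find the ones that should not be permanent. The following is an added example, not part of the original post: it runs offline on constructed sample objects shaped like the script's output, extended with an assumed 'type' field ('eligible' or 'active') so that the PIM state is visible, and flags permanent assignments to privileged roles, disabled accounts that still hold a role, and assignments made via groups. The role list and the sample principals are assumptions.

```powershell
# Constructed sample data in the shape of the script's output (not real tenant data).
$resolved_assignments = @(
    [pscustomobject]@{ type = 'active';   role = 'Global Administrator'; user = 'breakglass@contoso.example'; group = $null;                user_enabled = $true  }
    [pscustomobject]@{ type = 'active';   role = 'Global Administrator'; user = 'jdoe@contoso.example';       group = $null;                user_enabled = $false }
    [pscustomobject]@{ type = 'eligible'; role = 'Global Administrator'; user = 'asmith@contoso.example';     group = $null;                user_enabled = $true  }
    [pscustomobject]@{ type = 'active';   role = 'User Administrator';   user = $null;                        group = 'sg-helpdesk-admins'; user_enabled = $null  }
    [pscustomobject]@{ type = 'eligible'; role = 'Security Reader';      user = 'auditor@contoso.example';    group = $null;                user_enabled = $true  }
)

# roles for which a permanent (non-PIM) assignment deserves a review; assumed list, extend to taste
$privileged_roles = @('Global Administrator', 'Privileged Role Administrator', 'User Administrator', 'Exchange Administrator')

function Get-RoleAssignmentFindings($assignments) {
    $findings = [System.Collections.ArrayList]@()
    foreach ($a in $assignments) {
        $principal = if ($a.user) { $a.user } elseif ($a.group) { "group:$($a.group)" } else { 'unresolved (service principal or deleted object)' }
        # permanent membership in a privileged role defeats just-in-time activation
        if ($a.type -eq 'active' -and $privileged_roles -contains $a.role) {
            $findings.Add("[permanent-privileged] $($a.role) <- $principal") | Out-Null
        }
        # a disabled account keeps its role until the assignment is removed
        if ($a.user -and $a.user_enabled -eq $false) {
            $findings.Add("[disabled-account] $($a.role) <- $principal ($($a.type))") | Out-Null
        }
        # group-based assignment hides the real members; review the group's membership separately
        if ($a.group) {
            $findings.Add("[via-group] $($a.role) <- $principal ($($a.type)); enumerate members with Get-MgGroupMember") | Out-Null
        }
    }
    return $findings
}

Get-RoleAssignmentFindings $resolved_assignments

# summary per role: how many active versus eligible assignments exist
$resolved_assignments | Group-Object role | ForEach-Object {
    [pscustomobject]@{
        role     = $_.Name
        active   = @($_.Group | Where-Object type -eq 'active').Count
        eligible = @($_.Group | Where-Object type -eq 'eligible').Count
    }
} | Format-Table -AutoSize
```

With the sample data the function reports the permanent Global Administrator assignments for the break-glass account and for jdoe, the disabled jdoe account, and the User Administrator assignment held via sg-helpdesk-admins; the break-glass finding is expected and would be whitelisted in a real run, the other two are the kind of result that makes the exercise worthwhile.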
I hope this makes your life a little simpler 😉
Azure Active Directory License Assignment for Groups
Azure Active Directory has for some time offered the ability to assign licenses such as EMS or Office 365 (Exchange, SharePoint, etc.) directly to users, but it can also assign licenses to groups. As soon as a user is added to such a group, and enough licenses are still available, the user receives the licenses assigned to the group. This works with groups synchronized from the on-premises Active Directory as well as with Azure AD security groups and dynamic groups.
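As an added example (not code from the original post), this is how a license is attached to a group with the Microsoft Graph PowerShell SDK, including the check for remaining units that the paragraph above alludes to: members of a group whose SKU has run out end up in a license error state rather than silently unlicensed. The group name and SKU part number are placeholders for your tenant.

```powershell
# Group.ReadWrite.All is needed for Set-MgGroupLicense, Organization.Read.All for Get-MgSubscribedSku
Connect-MgGraph -Scopes Group.ReadWrite.All, Organization.Read.All

$groupName     = 'lic-m365-e3'   # assumed group display name
$skuPartNumber = 'SPE_E3'        # assumed SKU; list the ones in your tenant with Get-MgSubscribedSku

# locate the SKU and work out how many units are still free
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPartNumber
if (-not $sku) { throw "SKU $skuPartNumber not found in this tenant" }
$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
Write-Host "$skuPartNumber : $available of $($sku.PrepaidUnits.Enabled) units available"

# resolve the group and compare its size against the free units before assigning
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "group $groupName not found" }
$members = @(Get-MgGroupMember -GroupId $group.Id -All)
if ($members.Count -gt $available) {
    Write-Warning "group has $($members.Count) members but only $available units are free; some members will get a license error"
}

# assign the SKU to the group; DisabledPlans switches off individual service plans of the SKU if wanted
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# verify: the group's assignedLicenses should now contain the SKU
(Get-MgGroup -GroupId $group.Id -Property AssignedLicenses).AssignedLicenses
```

Removing a user from the group removes the group-derived license again, so a user that also needs the license permanently should get a direct assignment rather than relying on group membership alone.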
Azure Arc and Defender for Endpoint Ports & URLs
During the onboarding / rollout of Defender for Endpoint and Azure Arc Agent, the network plays a significant role. Communication via the Internet is usually restricted by segmented networks and secured by firewalls and proxies. To prevent errors or communication problems, the required ports & URLs should be opened to ensure seamless onboarding and operational processes.