Azure AD - List Role Assignments
Retrieving a list of all Azure AD role assignments sounds easy enough, right? Well, there are some things to consider; here is what.
Introduction
Unfortunately, it is not straightforward to get a list of all Azure AD role assignments, unless you are not using Privileged Identity Management (PIM) at all. First, we need the Microsoft Graph PowerShell SDK. Follow these steps. Currently, to retrieve eligible assignments, it is required to set the Microsoft Graph profile to beta. Also, this information can only be queried using Windows PowerShell.
Script
The script is available as a gist here and is explained in detail below.
# sign in with the permissions needed to read eligible and active role schedules and to resolve principals
Connect-MgGraph -Scopes RoleEligibilitySchedule.Read.Directory, RoleAssignmentSchedule.Read.Directory, CrossTenantInformation.ReadBasic.All, AuditLog.Read.All, User.Read.All
# the role schedule cmdlets are only available on the beta profile
Select-MgProfile -Name Beta

# get all users to resolve IDs
$users = Get-MgUser -All
# get all groups to resolve IDs
$groups = Get-MgGroup -All
# get all Azure AD role definitions to resolve IDs
$roles = Get-MgRoleManagementDirectoryRoleDefinition

# get all role assignments: PIM-eligible schedules and active (permanent or activated) instances
$eligible_role_assignments = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty "*" -All:$true
$assigned_role_assignments = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -ExpandProperty "*" -All:$true

[System.Collections.ArrayList]$resolved_assignments = @()

# resolve the principal and role IDs of every eligible assignment
foreach ($assignment in $eligible_role_assignments) {
    $user = $users | Where-Object { $_.Id -eq $assignment.PrincipalId }
    $group = $groups | Where-Object { $_.Id -eq $assignment.PrincipalId }
    $obj = [pscustomobject]@{
        'role' = $roles | Where-Object { $_.Id -eq $assignment.RoleDefinitionId } | Select-Object -ExpandProperty DisplayName
        'user' = $user | Select-Object -ExpandProperty UserPrincipalName
        'group' = $group | Select-Object -ExpandProperty DisplayName
        'user_enabled' = $user | Select-Object -ExpandProperty AccountEnabled
    }
    $resolved_assignments.Add($obj) | Out-Null
}

# resolve the principal and role IDs of every active assignment
foreach ($assignment in $assigned_role_assignments) {
    $user = $users | Where-Object { $_.Id -eq $assignment.PrincipalId }
    $group = $groups | Where-Object { $_.Id -eq $assignment.PrincipalId }
    $obj = [pscustomobject]@{
        'role' = $roles | Where-Object { $_.Id -eq $assignment.RoleDefinitionId } | Select-Object -ExpandProperty DisplayName
        'user' = $user | Select-Object -ExpandProperty UserPrincipalName
        'group' = $group | Select-Object -ExpandProperty DisplayName
        'user_enabled' = $user | Select-Object -ExpandProperty AccountEnabled
    }
    $resolved_assignments.Add($obj) | Out-Null
}

Write-Output $resolved_assignments
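The script above merges eligible and active assignments into one list, so the output no longer tells you which kind each row is, and a principal that is neither a user nor a group (a service principal, for example) ends up with both the user and group columns empty. The following is an added example, not part of the original post or gist: it resolves the same Graph objects through hashtables (one lookup per assignment instead of a scan of the whole user list), records the assignment kind and principal type, and then pulls out the two findings a reviewer usually asks for first, standing (non-PIM) Global Administrators and disabled accounts that still hold a role. The role name 'Global Administrator' and the sample users, groups, roles and assignments at the bottom are constructed so the logic runs without a tenant; against a real tenant you would pass the output of the cmdlets from the script instead.

```powershell
# Added example (not from the original post). Assumes objects shaped like the output of
# Get-MgUser, Get-MgGroup, Get-MgRoleManagementDirectoryRoleDefinition and the two
# schedule cmdlets used above (Id, PrincipalId, RoleDefinitionId, DisplayName, ...).

function Resolve-RoleAssignment {
    param(
        [Parameter(Mandatory)] $Assignment,            # one object from a Graph schedule cmdlet
        [Parameter(Mandatory)] [string] $Kind,         # 'eligible' or 'active'
        [Parameter(Mandatory)] [hashtable] $UserMap,   # Id -> user object
        [Parameter(Mandatory)] [hashtable] $GroupMap,  # Id -> group object
        [Parameter(Mandatory)] [hashtable] $RoleMap    # Id -> role definition
    )
    $user  = $UserMap[$Assignment.PrincipalId]
    $group = $GroupMap[$Assignment.PrincipalId]
    $role  = $RoleMap[$Assignment.RoleDefinitionId]

    # keep the principal visible even when it is neither a user nor a group
    if ($user)       { $principalType = 'user';  $principal = $user.UserPrincipalName }
    elseif ($group)  { $principalType = 'group'; $principal = $group.DisplayName }
    else             { $principalType = 'other (e.g. service principal)'; $principal = $Assignment.PrincipalId }

    [pscustomobject]@{
        role           = if ($role) { $role.DisplayName } else { $Assignment.RoleDefinitionId }
        kind           = $Kind
        principal_type = $principalType
        principal      = $principal
        user_enabled   = if ($user) { $user.AccountEnabled } else { $null }
    }
}

function Get-RoleAssignmentReport {
    param($Eligible, $Active, $Users, $Groups, $Roles)
    # build lookup tables once; Where-Object per assignment is O(users) each time
    $userMap  = @{}; foreach ($u in $Users)  { $userMap[$u.Id]  = $u }
    $groupMap = @{}; foreach ($g in $Groups) { $groupMap[$g.Id] = $g }
    $roleMap  = @{}; foreach ($r in $Roles)  { $roleMap[$r.Id]  = $r }

    $rows = [System.Collections.Generic.List[object]]::new()
    foreach ($a in $Eligible) { $rows.Add((Resolve-RoleAssignment -Assignment $a -Kind 'eligible' -UserMap $userMap -GroupMap $groupMap -RoleMap $roleMap)) }
    foreach ($a in $Active)   { $rows.Add((Resolve-RoleAssignment -Assignment $a -Kind 'active'   -UserMap $userMap -GroupMap $groupMap -RoleMap $roleMap)) }
    return $rows
}

function Find-RoleAssignmentFindings {
    param($Rows)
    # standing Global Administrators: active rather than PIM-eligible
    $Rows | Where-Object { $_.role -eq 'Global Administrator' -and $_.kind -eq 'active' } |
        ForEach-Object { "standing Global Administrator: $($_.principal)" }
    # stale assignments: the account is disabled but the role was never removed
    $Rows | Where-Object { $_.user_enabled -eq $false } |
        ForEach-Object { "disabled account still holds role '$($_.role)': $($_.principal)" }
}

# --- constructed sample data standing in for the Graph cmdlet output ---
$sampleUsers  = @([pscustomobject]@{ Id = 'u1'; UserPrincipalName = 'alice@contoso.example'; AccountEnabled = $true },
                  [pscustomobject]@{ Id = 'u2'; UserPrincipalName = 'bob@contoso.example';   AccountEnabled = $false })
$sampleGroups = @([pscustomobject]@{ Id = 'g1'; DisplayName = 'PIM-Helpdesk' })
$sampleRoles  = @([pscustomobject]@{ Id = 'r1'; DisplayName = 'Global Administrator' },
                  [pscustomobject]@{ Id = 'r2'; DisplayName = 'Helpdesk Administrator' })
$sampleEligible = @([pscustomobject]@{ PrincipalId = 'g1'; RoleDefinitionId = 'r2' })
$sampleActive   = @([pscustomobject]@{ PrincipalId = 'u1';  RoleDefinitionId = 'r1' },
                    [pscustomobject]@{ PrincipalId = 'u2';  RoleDefinitionId = 'r2' },
                    [pscustomobject]@{ PrincipalId = 'sp1'; RoleDefinitionId = 'r2' })  # not a user or group

$report = Get-RoleAssignmentReport -Eligible $sampleEligible -Active $sampleActive `
                                   -Users $sampleUsers -Groups $sampleGroups -Roles $sampleRoles
$report | Format-Table -AutoSize
Find-RoleAssignmentFindings -Rows $report
# for a real tenant: Get-RoleAssignmentReport -Eligible $eligible_role_assignments -Active $assigned_role_assignments -Users $users -Groups $groups -Roles $roles
```

The report deliberately keeps the raw PrincipalId for anything it cannot resolve, because a row that silently shows empty user and group columns is exactly the kind of assignment that gets overlooked in a review.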
I hope this makes your life a little simpler 😉