Fetching All Directory Roles Assigned to Users Using PowerShell

VJ 25 Reputation points
2025-01-13T06:09:47.12+00:00

Hi,

I am developing a function to retrieve directory roles assigned to a user and get details based on the user ID, including whether the roles are assigned as eligible or active. I have been using, which provides the information in the format I need, but it only returns details for 4 out of the 7 roles assigned to the users.

I am looking for a PowerShell CLI command in Azure Graph API or an API that can be invoked to fetch all directory role details by user ID. Any assistance or solutions would be greatly appreciated. Please feel free to ask for further clarification if needed. Thank you.

thank you

vj


3 answers

  1. Tasadduq Burney 8,681 Reputation points MVP
    2025-01-13T10:25:44.03+00:00

    Hello VJ!

    Welcome to Microsoft QnA! Hope you are doing well! 😊

    To fetch all directory roles assigned to a user in Azure AD, including whether the roles are eligible or active, you can use the Azure AD PowerShell module or the Microsoft Graph API. It sounds like you're encountering a limitation with the current command, which may not be returning all roles due to pagination or query restrictions.

    Here’s a PowerShell script using the AzureAD module to fetch all the directory roles assigned to a user:

    
    Install-Module AzureAD
    Connect-AzureAD
    $userId = "<UserObjectID>"
    $roles = Get-AzureADUserAppRoleAssignment -ObjectId $userId
    
    # Fetch details of the roles. The assignment is captured in a named variable
    # first, because inside Where-Object $_ refers to the directory role being tested,
    # not to the assignment from the outer ForEach-Object.
    $roles | ForEach-Object {
        $assignment = $_
        $role = Get-AzureADDirectoryRole | Where-Object { $_.ObjectId -eq $assignment.DirectoryRoleId }
        $role
    }
    

    This script will retrieve all roles assigned to the specified user and display them. However, if you're still not getting all the roles, make sure to check if there is any paging or limitation in the API response.

    If you're using the Microsoft Graph API, you can use this endpoint to get role assignments:

    
    GET https://graph.microsoft.com/v1.0/users/{userId}/appRoleAssignments
    

    To make sure you're getting all the roles, ensure you handle pagination if the response is too large.

    Let me know if this works for you or if you need further assistance! 😊

    Please Upvote and Accept the Answer if it helps!


    Thanks & Regards,

    Tasadduq Burney

    (Microsoft MVP & MCT)

    (Azure 15x)


  2. Navya 14,220 Reputation points Microsoft Vendor
    2025-01-13T12:06:27.5566667+00:00

    Hi @VJ

    Thank you for posting this in Microsoft Q&A.

    I understand that you want to fetch all active and eligible directory roles for a user using PowerShell.

    Use the following commands to get active and eligible role assignments in Microsoft Entra ID:

    Install-Module Microsoft.Graph.Identity.Governance
    Import-Module Microsoft.Graph.Identity.Governance
    Connect-MgGraph -Scopes RoleManagement.Read.Directory, Directory.Read.All

    Use Get-MgRoleManagementDirectoryRoleEligibilitySchedule to get eligible roles and Get-MgRoleManagementDirectoryRoleAssignmentSchedule to retrieve active roles.

    If you are facing the same issue with the above commands, please share your script so I can look into it.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.


  3. Vasil Michev 111.7K Reputation points MVP
    2025-01-13T16:45:01.1966667+00:00

    There is no single cmdlet that can give you all that. The closest you can get is to leverage the Get-MgBetaRoleManagementDirectoryTransitiveRoleAssignment cmdlet, which can be used to list all active directory role assignments, including those scoped to administrative units and those where the role is indirectly assigned to the user via group membership.

    Get-MgBetaRoleManagementDirectoryTransitiveRoleAssignment -Filter "principalId eq 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'"  -ConsistencyLevel eventual
    

    Do note that you need to use /beta here, and also the consistencyLevel:eventual header.

    To also include PIM eligible roles, you need the Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule cmdlet:

    Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'" 
    
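As an added example that is not part of any answer in this thread, the function below combines the two beta cmdlets from the third answer into the single active-plus-eligible report the second answer describes, so a reviewer can see a principal's tenant-wide and administrative-unit-scoped roles side by side. The function name, the role-name lookup via Get-MgBetaRoleManagementDirectoryRoleDefinition and the use of the -All switch for paging are my additions, not taken from the answers.

```powershell
# Added example: one report of a principal's directory roles, tagged Active or
# Eligible. Assumes Microsoft.Graph.Beta.Identity.Governance is installed, that
# Connect-MgGraph has run with RoleManagement.Read.Directory, and that -All
# pages through results. Function name is a placeholder of my choosing.
function Get-DirectoryRoleReport {
    param([Parameter(Mandatory)][string]$PrincipalId)

    $filter    = "principalId eq '$PrincipalId'"
    $roleNames = @{}   # cache: roleDefinitionId -> display name

    # Active assignments, including group-inherited and AU-scoped ones.
    # The transitive endpoint needs /beta plus the ConsistencyLevel header.
    $active = Get-MgBetaRoleManagementDirectoryTransitiveRoleAssignment `
        -Filter $filter -ConsistencyLevel eventual -All

    # PIM eligible roles the principal could activate but has not.
    $eligible = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule `
        -Filter $filter -All

    $sets = @(
        @{ State = 'Active';   Items = @($active)   },
        @{ State = 'Eligible'; Items = @($eligible) }
    )
    $rows = foreach ($set in $sets) {
        foreach ($a in $set.Items) {
            $id = $a.RoleDefinitionId
            if (-not $roleNames.ContainsKey($id)) {
                $def = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $id
                $roleNames[$id] = $def.DisplayName
            }
            [pscustomobject]@{
                Role             = $roleNames[$id]
                RoleDefinitionId = $id
                State            = $set.State
                # '/' is tenant-wide; any other value is an administrative unit or object scope.
                Scope            = $a.DirectoryScopeId
            }
        }
    }

    # Surface the highest-impact rows first: active, tenant-wide assignments.
    $rows | Sort-Object @{ Expression = { $_.State -eq 'Active' }; Descending = $true },
                        @{ Expression = { $_.Scope -eq '/' };     Descending = $true },
                        Role
}

# Usage with a placeholder object ID:
Get-DirectoryRoleReport -PrincipalId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' |
    Format-Table Role, State, Scope -AutoSize
```

If the count of Active rows still comes up short, compare it against the output of Get-MgBetaRoleManagementDirectoryTransitiveRoleAssignment alone to confirm whether the missing roles are eligible-only (they then appear under Eligible) or live on a group the principal is a member of.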
