In my previous posts I discussed listing Azure AD users and groups and provided PowerShell scripts to generate those lists quickly:
In this post I will discuss Azure AD roles and the administrators assigned to those roles.
As per the Microsoft documentation: "Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default user permissions can be changed only in user settings in Azure AD."
Microsoft provides a list of predefined roles so that users, groups and service principals can be assigned only the access required to do their job. You can also create custom roles for administrators (currently a preview feature) if the built-in roles do not meet your requirements. With custom roles you define your own role-based access control and the scope at which the role applies. Refer to the following document to learn more about it:
Custom administrator roles in Azure Active Directory
I am sharing a script today to generate a list of all administrator roles in Azure AD along with the members assigned to those roles. I run this script as part of my standard Azure AD reporting and permission auditing.
Before we start, make sure you have the PowerShell Az module installed and imported. Follow this document if you have any issues. We will also need the PowerShell AzureAD module. Use the following command to install the AzureAD module:
Install-Module AzureAD
# Optional - to use the AzureAD preview module, run the following command
Install-Module AzureADPreview
Next, we will need to log in to Azure AD with the Connect-AzureAD command.
The following script block gets all available Azure AD roles and then loops through each role. For each role it gets the members and collects additional information about the user or service principal, including display name, email, department, account status, creation date and so on.
Finally, I export those details to a CSV file as output. Here is my complete script for your reference:
# Define the output file and remove it if the same file already exists in the current directory
$currentDir = $(Get-Location).Path
$oFile = "$($currentDir)\AzureADUsersAndRoleAssignments.csv"
if (Test-Path -Path $oFile) { Remove-Item $oFile -Force }

# Login to Azure AD
Connect-AzureAD

$allAZADUserWithRoleMapping = @()

# Get all Azure AD roles and loop through the members of those roles,
# adding user/service principal details to the psObject array.
# Note: Get-AzureADDirectoryRole only returns roles that have been activated
# in the tenant, so a template with no activated role produces no rows.
Get-AzureADDirectoryRoleTemplate | ForEach-Object {
    $roleName = $_.DisplayName
    Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName } | ForEach-Object {
        Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId | ForEach-Object {
            # ExtensionProperty carries attributes such as createdDateTime and employeeId
            $extProp = $_.ExtensionProperty
            $objUser = New-Object psObject
            $objUser | Add-Member RoleName $roleName
            $objUser | Add-Member UserName $_.DisplayName
            $objUser | Add-Member JobTitle $_.JobTitle
            $objUser | Add-Member EMail $_.Mail
            $objUser | Add-Member AccountEnabled $_.AccountEnabled
            $objUser | Add-Member Department $_.Department
            # ObjectType tells you whether the member is a User, Group or ServicePrincipal
            $objUser | Add-Member ObjectType $_.ObjectType
            $objUser | Add-Member CreationDate $extProp.createdDateTime
            $objUser | Add-Member EmployeeId $extProp.employeeId
            $allAZADUserWithRoleMapping += $objUser
        }
    }
}

# Export the collected role assignments to the CSV file
$allAZADUserWithRoleMapping | Export-CSV -Path $oFile -NoClobber -NoTypeInformation -Confirm:$false -Force
You will get a CSV file as output once the script runs successfully, as shown below:
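The CSV is only useful for auditing if something reads it. As an added example (not part of the original post), the function below runs a few checks over rows in the column layout the script exports: disabled accounts that still hold a directory role, non-user principals holding Global Administrator, and more Global Administrators than a chosen threshold. The sample CSV is constructed and the function names are my own.

```powershell
# Constructed sample rows in the same column layout the script above exports (not a real tenant)
$sampleCsv = @'
"RoleName","UserName","JobTitle","EMail","AccountEnabled","Department","ObjectType","CreationDate","EmployeeId"
"Global Administrator","Alice Admin","IT Lead","alice@contoso.example","True","IT","User","2019-03-02T10:00:00Z","1001"
"Global Administrator","Bob Builder","Contractor","bob@contoso.example","False","IT","User","2018-07-11T09:00:00Z","1002"
"Global Administrator","Legacy Automation","","","True","","ServicePrincipal","2017-01-05T08:00:00Z",""
"Global Administrator","Dan Dev","Developer","dan@contoso.example","True","Eng","User","2021-05-20T12:00:00Z","1004"
"User Administrator","Carol Ops","Helpdesk","carol@contoso.example","True","Support","User","2020-02-14T11:00:00Z","1003"
'@

# Build one finding row from an assignment row (hypothetical helper)
function New-Finding ($Row, $Severity, $Issue) {
    [pscustomobject]@{
        Severity   = $Severity
        RoleName   = $Row.RoleName
        Principal  = $Row.UserName
        ObjectType = $Row.ObjectType
        Issue      = $Issue
    }
}

function Get-RoleAssignmentFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [int] $MaxGlobalAdmins = 5   # Microsoft guidance: keep Global Administrator assignments below five
    )
    $findings = @()
    foreach ($a in $Assignments) {
        # Export-Csv writes booleans as the strings "True"/"False", so compare as strings
        if ($a.AccountEnabled -eq 'False') {
            $findings += New-Finding $a 'High' 'Disabled account still holds a directory role'
        }
        # Groups and service principals in Global Administrator deserve a closer look
        if ($a.RoleName -eq 'Global Administrator' -and $a.ObjectType -ne 'User') {
            $findings += New-Finding $a 'High' 'Non-user principal holds Global Administrator'
        }
    }
    $gaCount = @($Assignments | Where-Object { $_.RoleName -eq 'Global Administrator' }).Count
    if ($gaCount -gt $MaxGlobalAdmins) {
        $findings += [pscustomobject]@{ Severity = 'Medium'; RoleName = 'Global Administrator'
            Principal = "($gaCount assigned)"; ObjectType = ''; Issue = "More than $MaxGlobalAdmins Global Administrators" }
    }
    return $findings
}

# For a real run, replace $sampleCsv with: Import-Csv .\AzureADUsersAndRoleAssignments.csv
$rows = $sampleCsv | ConvertFrom-Csv
Get-RoleAssignmentFindings -Assignments $rows -MaxGlobalAdmins 3 | Format-Table -AutoSize
```

With the constructed rows this reports Bob (disabled), Legacy Automation (service principal) and the Global Administrator count of 4 exceeding the threshold of 3.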