Tracking directory role assignments in Microsoft Entra ID is crucial for knowing who holds elevated access and maintaining least-privilege compliance. This can get complicated when numerous users, groups, and service principals exist across different environments with varying access levels. The good news is that dependable tools and methods are available to review and manage these role assignments effectively.
Connect-MgGraph -Scopes "Directory.Read.All RoleManagement.Read.Directory"
Get-MgDirectoryRoleAssignment
Get-MgDirectoryRoleAssignment -Filter "userId eq '<ObjectId>'"
Example
Retrieve the directory role assignments for a user with object ID e9b1f3a1-1234-4d56-9abc-0def12345678.
Example query:
Connect-MgGraph -Scopes "Directory.Read.All RoleManagement.Read.Directory"
Get-MgDirectoryRoleAssignment -Filter "principalId eq 'e9b1f3a1-1234-4d56-9abc-0def12345678'"
Example output:
Id: 4f3c2d1e-7890-4bcd-8a12-3456789def01
PrincipalId: e9b1f3a1-1234-4d56-9abc-0def12345678
PrincipalDisplayName: John Doe
PrincipalType: User
RoleDefinitionId: 62e90394-69f5-4237-9190-012177145e10
RoleDisplayName: Global Administrator
DirectoryScopeId: /
The syntax is as follows:
Get-MgRoleManagementDirectoryRoleAssignment
[-ExpandProperty <string[]>]
[-Property <string[]>]
[-Filter <string>]
[-Search <string>]
[-Skip <int>]
[-Sort <string[]>]
[-Top <int>]
[-ResponseHeadersVariable <string>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-PageSize <int>]
[-All]
[-CountVariable <string>]
[<CommonParameters>]
Example
List all role assignments where the principal is a service principal with object ID 72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e.
Example query:
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e'"
Example output:
Id: b3f2c1d4-5678-49ef-9abc-0d12345ef678
PrincipalId: 72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e
PrincipalDisplayName: TestBot
PrincipalType: ServicePrincipal
RoleDefinitionId: 62e90394-69f5-4237-9190-012177145e10
RoleDisplayName: Global Reader
DirectoryScopeId: /
This output shows that the service principal with the ID 72c3f3f9-2a17-4f55-b4b3-efb7cdb3f82e, which is also displayed as TestBot, has been assigned the Global Reader role. The RoleDefinitionId points to that role definition, and the DirectoryScopeId set to / means the assignment applies across the entire tenant, not just a limited scope.
ADManager Plus helps Microsoft 365 admins manage users, groups, and access efficiently through a centralized interface.
Create and modify users and groups individually or in bulk. Ensure the right people have access to the right resources without leaving orphaned accounts or unused groups.
Quickly update multiple groups at once, change memberships, adjust settings, or reorganize groups to match evolving business needs.
Access over 200 prebuilt reports, including group memberships, license usage, and user activity. Gain full visibility to support audits, track access patterns, and identify anomalies.
Regularly conduct access reviews. Identify unnecessary privileges, remove outdated memberships, and maintain least-privilege access across your tenant.
Use role-based delegation to assign day-to-day admin tasks safely. Empower teams to manage groups and users while maintaining oversight and control.
Automate repetitive tasks like user provisioning, group updates, and license management. Reduce manual effort and ensure processes are consistent and timely.
Roles can be granted at different levels, so always review the scope to understand the exact boundaries of each assignment.
With Microsoft Entra ID P2, you can manage eligible versus active role assignments through PIM. This adds just-in-time access, approval workflows, and time limits to strengthen control over elevated directory roles.
Use reporting tools to consolidate directory role assignments, privileged access, and group memberships into clear, actionable reports. These help uncover over-privileged accounts, monitor changes, and simplify compliance audits.
Microsoft recommends keeping the total number of privileged role assignments in a tenant to around 60. This recommendation helps maintain a secure and manageable environment by limiting the number of users or groups with elevated administrative permissions across the organization.
You can use the Get-MgRoleManagementDirectoryRoleAssignment cmdlet in Microsoft Graph PowerShell to retrieve all directory role assignments for a specific principal (user, group, or service principal) in Microsoft Entra ID.
Example to get all role assignments for a principal by filtering on principalId:
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '<PrincipalObjectId>'
This will return a list of unified role assignment objects representing the directory roles assigned to the principal, including role ID, principal ID, and scope.
Get-MgRoleManagementDirectoryRoleAssignment provides a unified and scalable way to see who holds which roles at the directory scope, supporting governance and access audits.
For more detailed information, including role definition names or principal details, combine this command with other Graph cmdlets like Get-MgRoleManagementDirectoryRoleDefinition and Get-MgUser or Get-MgGroup.
To export and report all admin role memberships, retrieve all directory roles:
$roles = Get-MgRoleManagementDirectoryRoleDefinition
For each role, get its members:
foreach ($role in $roles) {
$members = Get-MgRoleManagementDirectoryRoleMember -RoleDefinitionId $role.Id
# Output or export members, e.g. to CSV
}