Role definitions in Microsoft Entra ID specify exactly what permissions each administrative role grants. For IT admins, understanding which built-in and custom roles are available, what permissions they include, and how to retrieve them is crucial for secure and efficient governance. But there are easy and reliable methods that allow you to list quickly and review all current role definitions in your tenant.
Connect-MgGraph -Scopes "Directory.Read.All RoleManagement.Read.Directory"
Get-MgDirectoryRole
Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
Example query:
Connect-MgGraph -Scopes "Directory.Read.All RoleManagement.Read.Directory"
Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
Example output:
Id: 62e90394-69f5-4237-9190-012177145e10
DisplayName: Global Administrator
Description: Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra ID identities.
IsEnabled: True
RoleTemplateId: 62e90394-69f5-4237-9190-012177145e10
The syntax is as follows:
Get-MgRoleManagementDirectoryRoleDefinition
[-ExpandProperty <string[]>]
[-Property <string[]>]
[-Filter <string>]
[-Search <string>]
[-Skip ]
[-Sort <string[]>]
[-Top <int>]
[-ResponseHeadersVariable <string>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-PageSize <int>]
[-All]
[-CountVariable <string>]
[<CommonParameters>]
Example query:
Connect-MgGraph -Scopes "Directory.Read.All RoleManagement.Read.Directory"
Get-MgDirectoryRole -Filter "displayName eq 'Security Administrator'"
Example output:
Id: 194ae4cb-b126-40b2-bd5b-6091b380977d
DisplayName: Security Administrator
Description: Can manage security-related features, including conditional access and security reports.
IsEnabled: True
RoleTemplateId: 194ae4cb-b126-40b2-bd5b-6091b380977d
This role, Security Administrator, is identified by the unique Id 194ae4cb-b126-40b2-bd5b-6091b380977d. It grants permissions to manage security-related features, including conditional access and security reports. The role is currently active (IsEnabled: True) and is based on the template 194ae4cb-b126-40b2-bd5b-6091b380977d, giving admins a clear view of what it allows before assigning it.
Simplify Microsoft 365 management and reporting with ADManager Plus. Manage users, groups, and access from a single interface, automate routine tasks, and gain actionable insights with over 200 prebuilt reports, all while keeping your environment secure and compliant.
ADManager Plus gives you a single interface to manage users, groups, and access efficiently, saving time and reducing complexity.
Allow safe role-based delegation, enabling admins to assign and manage roles through controlled workflows. This reduces risk while empowering teams to handle role assignments effectively.
Streamline routine tasks such as user provisioning, group modifications, and license administration through automation. Stay compliant and audit-ready with scheduled reports, saving manual effort.
Efficiently update multiple groups at once by modifying memberships, changing configurations, or reorganizing groups to adapt quickly to evolving business needs.
Access over 200 ready-made reports on group memberships, license allocation, and user activities. Monitor access trends, facilitate audits, and detect any unusual behavior effortlessly.
Conduct regular access reviews to remove excess privileges, deactivate outdated memberships, and enforce least-privilege principles across your environment.
Role definitions describe the exact permissions granted by each administrative role in your tenant. When retrieving role definitions, focus on both permissions and the scope at which roles apply to ensure you understand their impact fully.
Start your review with Microsoft's built-in roles, which cover most common administrative needs. Create custom roles only when necessary to address special scenarios, keeping role complexity manageable and minimizing risks of over-provisioning.
Use automation tools and PowerShell cmdlets to regularly extract role definitions. Automated reports enable ongoing visibility into permission structures and help maintain compliance.
Combine role definition information with access reviews and Privileged Identity Management (PIM) workflows to enforce least privilege and just-in-time access, reducing privilege sprawl and enhancing overall security posture.
Yes, each role definition contains a set of permissions, such as read, write, or delete operations on specific resources.
To view members, you'll first need to identify the RoleDefinitionId of your custom role.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
Get-MgRoleManagementDirectoryRoleDefinition | Where-Object {$_.DisplayName -eq "Custom Role Name"}
This will return details such as the role's Id (RoleDefinitionId). With that Id, you can then query role assignments to see which users, groups, or service principals are members.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '<RoleDefinitionId>'"
This way, Get-MgRoleManagementDirectoryRoleDefinition helps you confirm the role exists and retrieve its definition, while Get-MgRoleManagementDirectoryRoleAssignment gives you the actual member assignments.
To export and report all admin role memberships, retrieve all directory roles.
$roles = Get-MgRoleManagementDirectoryRoleDefinition
For each role, get its members:
foreach ($role in $roles) {
$members = Get-MgRoleManagementDirectoryRoleMember -RoleDefinitionId $role.Id
# Output or export members, e.g. to CSV
}