In this post we will be going through creating an automate report to list all assigned Azure roles and user/group assignments using Microsoft Graph SDK.
This can be useful for environments that haven’t implemented Microsoft privileged identity management for roles management. This can be used to keep track of roles assignments in Azure.
I will be using Microsoft Graph SDK, if you haven’t used this before I have done a previous post on installing and getting start with the Graph SDK.
I will be using a app registration in Azure AD with certificate authentication (I covered this in one of my previous posts) so I don’t have to use any username or password with the script. We will need to add the required API permission.
To find the specific commands that I needed to use, I generally search for them on the Graph module reference document link below as there are a lot of commands in the Graph SDK module.
To add the API permission logon to Azure portal
Open Azure Active Directory > App registrations
Select the Graph registration that was previously created. Under the API permissions select add permissions and add the the required application permissions to run the command.
In this case we will be using the rolemanagment.read.all
Once the API permission is added we can start to create the script.
To get the list of directory roles that are currently in use use
Get-MgDirectoryRole
Then to get the assigned objects use the below command and copy the ID to view details.
Get-MgDirectoryRoleMember -DirectoryRoleId IDValue
To view addtional values for the returned object use
(Get-MgDirectoryRoleMember -DirectoryRoleId IDValue).AdditionalProperties
The full script can be downloaded from the below github link and
Below is what the export will look like.
TheSleepyAdmins 
hi,
we command is error.
Get-MgDirectoryRole : Insufficient privileges to complete the operation.
LikeLike