Introduction
Managing security in Entra ID isn’t getting any simpler. Each year brings new features, roles, and permissions. Manual checks and portal browsing don’t cut it anymore – you need automation to stay on top of who has access to what.
Regular role audits help catch security gaps before they become problems. But clicking through the portal for hours isn’t the best use of your time. Let’s fix that with Microsoft Graph PowerShell.
Prerequisites
First, you’ll need the Microsoft Graph PowerShell module and the right permissions:
Install-Module Microsoft.Graph -Force -Verbose
To list roles and their assignments with the least privilege the cmdlets need, these delegated Graph scopes are enough:
- RoleManagement.Read.Directory for reading role definitions and role assignments (Directory.Read.All also works, but grants read access to the whole directory)
- Directory.Read.All for resolving the assigned principals in the bonus script; User.Read only covers the signed-in user’s own profile, so it is not enough to look up other users, groups or service principals
**Note:** The permissions you need depend on whether you’re using delegated (signed-in user) or application permissions – the same scope names exist as application permissions for unattended runs. Always check Microsoft’s documentation for the specific cmdlets you call and follow the principle of least privilege to avoid over-permissioning your scripts.
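Before running any of the scripts below you need a Graph session. The following is an added example (not from the original post) that connects with delegated scopes, then checks that the token actually carries the scopes the reporting scripts rely on, so a missing admin consent fails loudly instead of producing an empty report. The commented app-only alternative uses placeholder tenant, app and certificate values that you must replace with your own.

```powershell
# Added example: least-privilege delegated sign-in plus a scope check.
# Scope names are real Microsoft Graph permissions; the IDs in the app-only
# example at the bottom are placeholders, not real values.
$Required = @('RoleManagement.Read.Directory', 'Directory.Read.All')

Connect-MgGraph -Scopes $Required -NoWelcome

# Get-MgContext exposes the scopes consented for this session; verify them
# before trusting that a report is complete.
$Granted = (Get-MgContext).Scopes
$Missing = $Required | Where-Object { $Granted -notcontains $_ }
if ($Missing) {
    throw "Missing Graph scopes: $($Missing -join ', '). Re-run Connect-MgGraph or have an admin grant consent."
}
Write-Output "Connected to tenant $((Get-MgContext).TenantId) with: $($Granted -join ', ')"

# Unattended alternative (application permissions, certificate credential).
# Grant the app only RoleManagement.Read.Directory / Directory.Read.All, nothing more.
# Connect-MgGraph -TenantId '<tenant-id>' -ClientId '<app-registration-id>' `
#     -CertificateThumbprint '<cert-thumbprint>' -NoWelcome
```

With application permissions the scope check still applies: Get-MgContext reports the app roles granted to the app registration, so a forgotten admin consent shows up as a missing scope rather than as an empty CSV later.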
List All Entra ID Roles
Connect first (Connect-MgGraph -Scopes "RoleManagement.Read.Directory"), then pull every role definition in your tenant:
# Get all directory role definitions (-All follows paging so no role is cut off)
$Roles = Get-MgRoleManagementDirectoryRoleDefinition -All

# Create role report with key properties
$RoleReport = [System.Collections.Generic.List[PSCustomObject]]::new()
foreach ($Role in $Roles) {
    $RoleReport.Add([PSCustomObject]@{
        DisplayName = $Role.DisplayName
        Description = $Role.Description
        Id          = $Role.Id
        IsEnabled   = $Role.IsEnabled
        IsBuiltIn   = $Role.IsBuiltIn
    })
}

# Export to CSV
$ReportPath = ".\EntraRoles_$(Get-Date -Format 'yyyy-MM-dd').csv"
$RoleReport | Export-Csv -Path $ReportPath -NoTypeInformation -Delimiter ";"
Write-Output "Found $($Roles.Count) roles. Report exported to: $ReportPath"
Bonus: Get Role Assignments
Want to see who has which roles? Here’s an extended script that combines role listing with the active, direct assignments for each role. Assigned principals can be users, groups or service principals, so the script resolves each one generically instead of assuming a user – otherwise a service principal holding Global Administrator would silently disappear from the report:
# Get all directory role definitions
$Roles = Get-MgRoleManagementDirectoryRoleDefinition -All
Write-Host "Found $($Roles.Count) directory roles"

# Initialize list for role assignments
$RoleAssignments = [System.Collections.Generic.List[PSCustomObject]]::new()

# Process each role
foreach ($Role in $Roles) {
    # Get active, direct assignments for the current role (PIM-eligible assignments are not included here)
    $Assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($Role.Id)'" -All -ErrorAction Stop

    foreach ($Assignment in $Assignments) {
        # Resolve the principal as a generic directory object: Get-MgUser returns 404 for groups
        # and service principals, which is exactly what a role audit must not skip
        $Principal = Get-MgDirectoryObject -DirectoryObjectId $Assignment.PrincipalId -ErrorAction SilentlyContinue
        $Props = $Principal.AdditionalProperties

        $RoleAssignments.Add([PSCustomObject]@{
            RoleName             = $Role.DisplayName
            RoleDescription      = $Role.Description
            # "user", "group" or "servicePrincipal"; "unresolved" if the lookup failed
            PrincipalType        = if ($Props) { $Props.'@odata.type' -replace '^#microsoft\.graph\.', '' } else { 'unresolved' }
            PrincipalDisplayName = $Props.displayName
            # UPN for users, appId for service principals, empty for groups
            PrincipalIdentifier  = if ($Props.userPrincipalName) { $Props.userPrincipalName } else { $Props.appId }
            PrincipalId          = $Assignment.PrincipalId
            AssignmentId         = $Assignment.Id
            # "/" means tenant-wide; anything else is an administrative unit scope
            DirectoryScopeId     = $Assignment.DirectoryScopeId
        })
    }
}

# Export results
$ReportPath = ".\RoleAssignments_$(Get-Date -Format 'yyyy-MM-dd').csv"
$RoleAssignments | Export-Csv -Path $ReportPath -NoTypeInformation -Delimiter ";"
Write-Output "Found $($RoleAssignments.Count) assignments. Report exported to: $ReportPath"
What You Get
The first script gives you:
- List of all role definitions in your tenant, including custom roles and built-in roles nobody has been assigned yet (unlike Get-MgDirectoryRole, which only returns roles that have been activated)
- Role descriptions and IDs
- Built-in vs custom and enabled vs disabled flags
The bonus script adds:
- Active, directly assigned roles (PIM-eligible assignments are not part of this list)
- Principal details for each assignment: type (user, group or service principal), display name and UPN or appId
- Assignment scope: tenant-wide or restricted to an administrative unit
Want More?
You can extend these scripts to:
- Track role changes
- Monitor privileged assignments
- Create compliance reports
- Build automated security checks
The Microsoft Graph PowerShell module offers many more cmdlets to build your own Entra ID management solution.
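The list above is where a role audit starts paying off, so here is one way to put it together. This is an added example, not code from the original post: it watches a handful of built-in privileged roles, collects both active assignments (permanent and PIM-activated) and PIM-eligible assignments, flags permanent standing access and non-user principals, and diffs the result against the previous run to surface changes. The role names are real built-in Entra ID role names; the snapshot file path is an assumption you can change.

```powershell
# Added example: privileged-role monitoring with drift detection.
# Role names are real built-in roles; $SnapshotPath is an assumed location for the last export.
$PrivilegedRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Privileged Authentication Administrator',
    'Security Administrator',
    'Application Administrator',
    'Exchange Administrator'
)
$SnapshotPath = '.\PrivilegedAssignments_latest.csv'

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Map role definition IDs to names once instead of filtering by name per call
$RoleById = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $PrivilegedRoles -contains $_.DisplayName } |
    ForEach-Object { $RoleById[$_.Id] = $_.DisplayName }

# Cache principal lookups; the same account often holds several roles
$PrincipalCache = @{}
function Resolve-Principal {
    param([string]$Id)
    if (-not $PrincipalCache.ContainsKey($Id)) {
        $Obj   = Get-MgDirectoryObject -DirectoryObjectId $Id -ErrorAction SilentlyContinue
        $Props = $Obj.AdditionalProperties
        $PrincipalCache[$Id] = [PSCustomObject]@{
            Type        = if ($Props) { $Props.'@odata.type' -replace '^#microsoft\.graph\.', '' } else { 'unresolved' }
            DisplayName = $Props.displayName
            Name        = if ($Props.userPrincipalName) { $Props.userPrincipalName } elseif ($Props.appId) { $Props.appId } else { $Id }
        }
    }
    return $PrincipalCache[$Id]
}

$Findings = [System.Collections.Generic.List[PSCustomObject]]::new()
foreach ($RoleId in $RoleById.Keys) {
    $Filter = "roleDefinitionId eq '$RoleId'"

    # Active assignments: AssignmentType is "Assigned" (standing) or "Activated" (PIM, time-bound)
    foreach ($a in Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $Filter -All) {
        $p = Resolve-Principal $a.PrincipalId
        $Findings.Add([PSCustomObject]@{
            Role = $RoleById[$RoleId]; State = $a.AssignmentType; PrincipalType = $p.Type
            Principal = $p.Name; DisplayName = $p.DisplayName; Scope = $a.DirectoryScopeId; Expires = $a.EndDateTime
        })
    }

    # PIM-eligible assignments never appear in the plain role assignment list
    foreach ($e in Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $Filter -All) {
        $p = Resolve-Principal $e.PrincipalId
        $Findings.Add([PSCustomObject]@{
            Role = $RoleById[$RoleId]; State = 'Eligible'; PrincipalType = $p.Type
            Principal = $p.Name; DisplayName = $p.DisplayName; Scope = $e.DirectoryScopeId; Expires = $e.EndDateTime
        })
    }
}

# Checks a reviewer would want: standing (permanent) access and non-user principals in admin roles
$Findings | Where-Object { $_.State -eq 'Assigned' -and -not $_.Expires } |
    ForEach-Object { Write-Warning "Permanent $($_.Role): $($_.Principal) [$($_.PrincipalType)]" }
$Findings | Where-Object { $_.PrincipalType -ne 'user' } |
    ForEach-Object { Write-Warning "Non-user principal in $($_.Role): $($_.DisplayName) [$($_.PrincipalType)] ($($_.State))" }

# Drift against the previous snapshot; the first run only writes the baseline
$Key = { "$($_.Role)|$($_.State)|$($_.Principal)|$($_.Scope)" }
if (Test-Path $SnapshotPath) {
    $Previous = @(Import-Csv $SnapshotPath | ForEach-Object $Key)
    $Current  = @($Findings | ForEach-Object $Key)
    foreach ($d in Compare-Object -ReferenceObject $Previous -DifferenceObject $Current) {
        $Verb = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Output "$Verb $($d.InputObject)"
    }
}
$Findings | Export-Csv -Path $SnapshotPath -NoTypeInformation
```

Run it on a schedule and feed the ADDED/REMOVED lines into whatever alerting you already have. Two caveats: the eligibility endpoint only returns data in tenants that use PIM, and the snapshot diff keys on role, state, principal and scope, so a change in expiry alone is not reported as drift.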
Summary
Now you know how to list Entra ID roles and their assignments using Microsoft Graph PowerShell. These scripts give you the foundation for automating your identity management tasks – from basic role auditing to detailed assignment tracking.
Remember, the key is to start simple and build up based on your needs. Whether you’re doing a quick role check or building a complete audit system, Microsoft Graph PowerShell has you covered.
Want More Premium Solutions?
Get weekly automation scripts, security templates, and expert guides by joining our Premium Membership.