
How to Use Get-MgRoleManagementDirectoryRoleAssignment to Retrieve Azure AD Role Assignments?

When managing Microsoft Entra ID (formerly Azure AD), one of the most important administrative tasks is keeping track of who has which roles — especially at the directory level. Whether you’re running audits, reviewing access controls, or troubleshooting permissions, knowing how to retrieve these role assignments is crucial.

This blog will walk you through how to use the Get-MgRoleManagementDirectoryRoleAssignment cmdlet in Microsoft Graph PowerShell to retrieve and understand Azure AD directory role assignments in a clear and straightforward way.


What is Get-MgRoleManagementDirectoryRoleAssignment?

Get-MgRoleManagementDirectoryRoleAssignment is a Microsoft Graph PowerShell cmdlet that returns the active role assignments of the Microsoft Entra directory role provider (the unifiedRoleAssignment objects under /roleManagement/directory/roleAssignments). Only assignments that are currently active are returned: an activated PIM assignment shows up while it is active, but PIM eligible assignments that have not been activated do not; those are listed by Get-MgRoleManagementDirectoryRoleEligibilitySchedule.

Each assignment links:

  • A principal (user, group, or service principal)
  • To a role definition (built-in, like Global Administrator or User Administrator, or custom)
  • Within a scope: a DirectoryScopeId of "/" means the whole tenant, while an administrative unit ID or the ID of a single object restricts the assignment to that unit or object

This cmdlet helps answer questions like:

  • “Who has the Global Administrator role?”
  • “Which users are assigned to the Helpdesk Administrator role?”

Why Use Get-MgRoleManagementDirectoryRoleAssignment?

Here’s why this cmdlet is a must-have in your admin toolkit:

  • 🔐 Security Audits – View all users with elevated privileges in your tenant.
  • 📊 Reporting – Create detailed access reports for compliance.
  • 🛠️ Troubleshooting – Identify missing or incorrect role assignments.
  • 👥 Access Reviews – Track who has access to sensitive roles.

If you're aiming for least-privilege access, periodic reviews using this cmdlet are a best practice.


Cmdlet Syntax

Get-MgRoleManagementDirectoryRoleAssignment

To get a specific role assignment by ID:

Get-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId "<Assignment-ID>"

Reading role assignments requires the RoleManagement.Read.Directory permission (RoleManagement.ReadWrite.Directory or Directory.Read.All also work). Request it when you connect, and prefer the read-only scope for audit scripts.

Usage Examples

Get All Directory Role Assignments

Get-MgRoleManagementDirectoryRoleAssignment -All |
Select-Object Id, RoleDefinitionId, PrincipalId, DirectoryScopeId

This command fetches every role assignment in the tenant. -All follows server-side paging; without it only the first page is returned, so an audit would silently miss assignments. RoleDefinitionId identifies the role and PrincipalId the assigned user, group or service principal; both are GUIDs that have to be resolved to names (see the FAQ below).
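The following script is an added example and is not code from the original post. It turns the raw assignment list into an audit report with role and principal names resolved, assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read role assignments, and uses an arbitrary CSV path.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account can read role
# assignments; the CSV path is an arbitrary choice.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# One call to build a RoleDefinitionId -> display name lookup, instead of one
# Get-MgRoleManagementDirectoryRoleDefinition call per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# -All follows paging; -ExpandProperty principal returns the assigned object
# inline, so users, groups and service principals are named without extra lookups.
$report = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty principal |
    ForEach-Object {
        $p = $_.Principal.AdditionalProperties     # expanded fields land here
        [pscustomobject]@{
            RoleName      = $roleNames[$_.RoleDefinitionId]
            PrincipalType = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
            PrincipalName = $(if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] })
            PrincipalId   = $_.PrincipalId
            # "/" is tenant-wide; anything else is an administrative unit or a single object.
            Scope         = $(if ($_.DirectoryScopeId -eq '/') { 'Tenant' } else { $_.DirectoryScopeId })
            AssignmentId  = $_.Id
        }
    }

# Highest-risk roles first for the reviewer; the full set goes to CSV for the audit trail.
$report |
    Where-Object { $_.RoleName -in 'Global Administrator', 'Privileged Role Administrator', 'Privileged Authentication Administrator' } |
    Sort-Object RoleName, PrincipalName |
    Format-Table -AutoSize
$report | Export-Csv -Path ".\DirectoryRoleAssignments.csv" -NoTypeInformation
```

Two things the report does not show on its own: an assignment whose PrincipalType is group grants the role to every member of that role-assignable group, so the group's membership needs a separate review, and PIM eligible assignments that are not currently activated are absent entirely.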

Get a Specific Role Assignment by ID

Get-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId "lAPpYvVpN0KRkAEhdxReECvy-ge2vZRIgYix4HUDS_4-1"

Useful when you're tracking a specific assignment from an audit log or need to verify a known role assignment.


Frequently Asked Questions

  • How do I get the role name from RoleDefinitionId?
  • You can retrieve it using:

    Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId "<RoleDefinitionId>"
  • How can I find out who the PrincipalId belongs to?
  • Try resolving the ID with:

    Get-MgUser -UserId "<PrincipalId>"

    Or if it’s a group:

    Get-MgGroup -GroupId "<PrincipalId>"

    A PrincipalId can also be a service principal (resolve it with Get-MgServicePrincipal); do not assume every assignment belongs to a person.
  • Can I filter assignments by role or user?
  • Yes. The cmdlet supports -Filter on principalId and roleDefinitionId, and that filtering happens server-side, so only matching assignments come back. For properties the API does not filter on, fetch everything and filter in PowerShell:

    Get-MgRoleManagementDirectoryRoleAssignment -All |
    Where-Object { $_.PrincipalId -eq "<PrincipalId>" }

    Note that matching on a user's own ID only finds direct assignments; a role granted to a role-assignable group the user belongs to carries the group's ID as PrincipalId.
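The following is an added example, not code from the original post, showing both filtering directions: a server-side -Filter on roleDefinitionId to answer "who is Global Administrator", and a client-side match that also catches roles a user holds through group membership. It assumes an existing Connect-MgGraph session with RoleManagement.Read.Directory; the user principal name is made up.

```powershell
# Added example, not code from the original post. Assumes an existing
# Connect-MgGraph session with RoleManagement.Read.Directory; the UPN is made up.

# 1. Who holds a given role: server-side filter on roleDefinitionId. The built-in
#    Global Administrator role has the same definition ID in every tenant.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty principal `
    -Filter "roleDefinitionId eq '$globalAdminRoleId'" |
    ForEach-Object {
        $p = $_.Principal.AdditionalProperties
        [pscustomobject]@{
            Principal = $(if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] })
            Type      = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
            Scope     = $_.DirectoryScopeId
        }
    } | Format-Table -AutoSize

# 2. What one user holds. A principalId filter alone finds only direct assignments;
#    a role granted to a role-assignable group the user belongs to has the group's
#    ID as PrincipalId. Collect the user's ID plus group IDs and match any of them.
$user         = Get-MgUser -UserId "alice@contoso.com"
$principalIds = @($user.Id) +
    @(Get-MgUserMemberOf -UserId $user.Id -All | Select-Object -ExpandProperty Id)

Get-MgRoleManagementDirectoryRoleAssignment -All |
    Where-Object { $principalIds -contains $_.PrincipalId } |
    ForEach-Object {
        $role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{
            Role  = $role.DisplayName
            Via   = $(if ($_.PrincipalId -eq $user.Id) { 'Direct' } else { "Group $($_.PrincipalId)" })
            Scope = $_.DirectoryScopeId
        }
    } | Format-Table -AutoSize
```

Part 1 is what to run for a "who can do anything in this tenant" check; part 2 is the offboarding or access-review question for one account, and the Via column is what distinguishes a direct grant from one inherited through a group.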

Use Cases

Here are common scenarios where this cmdlet shines:

  • 🔐 Security Reviews: List all Global Administrators to ensure only trusted personnel have access.
  • 📈 Compliance Reports: Export directory-level assignments for audit trails.
  • 🔍 Troubleshooting Permissions: Validate that users have (or don’t have) the expected roles.
  • ✅ Access Certification: Check if temporary role assignments are still active.

Conclusion

The Get-MgRoleManagementDirectoryRoleAssignment cmdlet is your go-to command for retrieving and analyzing Azure AD directory-level role assignments. It gives you deep visibility into who has access to what — a core part of secure and compliant identity management.

By combining this cmdlet with others like Get-MgRoleManagementDirectoryRoleDefinition and Get-MgUser, you can build a complete picture of your directory’s role landscape.

Stay secure. Stay in control. Start auditing today!
