Microsoft Graph PowerShell provides powerful cmdlets to manage Azure Active Directory (AAD) and Microsoft 365 services. One such cmdlet is Get-MgDirectoryRoleTemplate, which allows you to retrieve all available directory role templates. These templates define the built-in roles that can be activated in your directory.
This guide explores the cmdlet's syntax, usage examples, practical tips, use cases, potential errors, and solutions.
Get-MgDirectoryRoleTemplate
This cmdlet does not take any mandatory parameters. It retrieves all directory role templates defined by Microsoft.
Get-MgDirectoryRoleTemplate
This command fetches all the role templates available in Azure AD.
Get-MgDirectoryRoleTemplate | Select-Object DisplayName, Description
This filters the output to show only the role name and its description.
Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -like "*Global*" }
Returns all templates that contain "Global" in their name.
$templateId = "62e90394-69f5-4237-9190-012177145e10"
Get-MgDirectoryRoleTemplate | Where-Object { $_.Id -eq $templateId }
Returns the role template with the specified ID (e.g., Global Administrator).
Get-MgDirectoryRoleTemplate | Select-Object Id, DisplayName, Description | Export-Csv -Path "RoleTemplates.csv" -NoTypeInformation
This is useful for documentation or auditing purposes.
| Scenario | How Get-MgDirectoryRoleTemplate Helps |
| --- | --- |
| Security Reviews | Understand all built-in roles that can be activated in your tenant. |
| Documentation | Export and document all possible directory roles. |
| Role Planning | Determine which roles should be enabled and assigned to users. |
| Testing Access Scenarios | Check templates before using New-MgDirectoryRole to activate a new role. |
| Error | Cause | Solution |
| --- | --- | --- |
| Error: Get-MgDirectoryRoleTemplate : Access Denied | Insufficient permissions (e.g., not a privileged role). | Ensure the user account has the Directory.Read.All or RoleManagement.Read.Directory permission. |
| Error: Get-MgDirectoryRoleTemplate : The term is not recognized | Microsoft.Graph module not installed or imported. | Install or import the Graph module: Install-Module Microsoft.Graph -Scope CurrentUser; Import-Module Microsoft.Graph |
| Error: No results returned | A filter or pipe command may have excluded results. | Run the cmdlet standalone to confirm output, then apply filters: Get-MgDirectoryRoleTemplate |
The Get-MgDirectoryRoleTemplate cmdlet is a foundational tool for administrators looking to explore and understand the roles available in Microsoft 365. It provides visibility into all directory role templates, enabling better planning and governance of role-based access in your Azure AD environment.
For extended use, combine it with Enable-MgDirectoryRole and Get-MgDirectoryRole to activate and assign these roles effectively.
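One way to combine the template list with Get-MgDirectoryRole for a security review, as an added example that is not part of the original article: it joins every template to the activated role created from it, so you can see which built-in roles are live in the tenant. The function name Get-RoleTemplateActivationReport and the sample objects are constructed for illustration.

```powershell
# Added example, not from the original article.
# Get-RoleTemplateActivationReport is a hypothetical helper name.
function Get-RoleTemplateActivationReport {
    param(
        # Output of Get-MgDirectoryRoleTemplate (objects with Id, DisplayName).
        [Parameter(Mandatory)] [object[]]$Templates,
        # Output of Get-MgDirectoryRole (objects with Id, RoleTemplateId).
        # Empty when no role has been activated yet.
        [object[]]$ActiveRoles = @()
    )

    # Index the activated roles by the template each one was created from.
    $byTemplate = @{}
    foreach ($role in $ActiveRoles) { $byTemplate[$role.RoleTemplateId] = $role }

    # Emit one row per template, marking whether it is activated.
    foreach ($t in ($Templates | Sort-Object DisplayName)) {
        $role = $byTemplate[$t.Id]
        [pscustomobject]@{
            DisplayName  = $t.DisplayName
            TemplateId   = $t.Id
            Activated    = [bool]$role
            RoleObjectId = if ($role) { $role.Id } else { $null }
        }
    }
}

# Constructed sample data so the join can be checked offline.
# Only the Global Administrator template ID comes from the article;
# the other IDs are placeholders.
$sampleTemplates = @(
    [pscustomobject]@{ Id = '62e90394-69f5-4237-9190-012177145e10'; DisplayName = 'Global Administrator' }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'; DisplayName = 'Sample Role (placeholder)' }
)
$sampleRoles = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; RoleTemplateId = '62e90394-69f5-4237-9190-012177145e10' }
)
Get-RoleTemplateActivationReport -Templates $sampleTemplates -ActiveRoles $sampleRoles |
    Format-Table -AutoSize

# Against a tenant, after Connect-MgGraph -Scopes 'RoleManagement.Read.Directory':
# Get-RoleTemplateActivationReport -Templates (Get-MgDirectoryRoleTemplate) `
#     -ActiveRoles (Get-MgDirectoryRole) |
#     Export-Csv -Path 'RoleActivation.csv' -NoTypeInformation
```

With the sample data, Global Administrator is reported as activated and the placeholder role as not activated.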