Get-MgRoleManagementDirectoryRoleAssignment – View Directory Role Assignments in Microsoft 365

The Get-MgRoleManagementDirectoryRoleAssignment cmdlet is a powerful Graph PowerShell tool that allows administrators to retrieve role assignments within the Microsoft Entra (Azure AD) directory. This includes identifying who has been assigned to which role, a crucial aspect of enforcing least privilege and auditing access in any Microsoft 365 environment.

This article dives into the cmdlet’s syntax, real-world usage examples, admin tips, and more.


Cmdlet Syntax

Get-MgRoleManagementDirectoryRoleAssignment [-UnifiedRoleAssignmentId <String>] [-Filter <String>] [-Top <Int32>] [-All]

Key Parameters:

  • -UnifiedRoleAssignmentId: Fetches a specific role assignment by its unique ID.
  • -Filter: Allows filtering of results using supported OData filter queries.
  • -All: Follows the API's paging and returns every record, rather than only the first page.
  • -Top: Limits the number of returned results.

Usage Examples

Example 1: Fetch All Role Assignments

Get-MgRoleManagementDirectoryRoleAssignment -All

This lists all current role assignments in your tenant, across all roles and users.

Example 2: Fetch a Specific Role Assignment by ID

Get-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId "RhIJaeggVkqqTQZgdbKnqLD_j_s5eBFImpF5Q7fm2iU-1"

This retrieves details of a specific assignment, useful for audits or verifying role access.

Example 3: Filter Role Assignments by Principal ID

Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq 'b1368af9-0f0a-41cf-85b7-63ef13eabc87'" -All

This filters role assignments where the user, group, or service principal ID matches the specified value.

Cmdlet Tips

  • Always use -All to ensure you retrieve full results, as the API paginates data by default.
  • Use the principalId to identify who is assigned the role (you can map this ID to a user via Get-MgUser).
  • You can also filter using roleDefinitionId if you want to target specific roles like Global Admin, User Administrator, etc.
  • Requires RoleManagement.Read.Directory or Directory.Read.All permissions.

Use Cases

  • Access Auditing: Identify which users or service principals have been assigned elevated directory roles.
  • Compliance & Governance: Generate reports for internal/external audits showing role-based access assignments.
  • Privilege Reviews: Ensure that sensitive roles like Global Administrator, Conditional Access Admin, or Application Admin are only assigned to trusted identities.
  • Troubleshooting Permissions: If a user unexpectedly has elevated access, this cmdlet helps trace it back to a role assignment.

Possible Errors & Solutions

  • Error: Access Denied or Insufficient privileges to complete the operation.
    Cause: You don't have the necessary Graph API permissions.
    Solution: Use an account with RoleManagement.Read.Directory or Directory.Read.All scopes.
  • Error: Cannot bind parameter because parameter 'UnifiedRoleAssignmentId' is null or empty.
    Cause: You passed a blank or invalid ID to the -UnifiedRoleAssignmentId parameter.
    Solution: Ensure you pass a valid ID string for that parameter.
  • Error: The term 'Get-MgRoleManagementDirectoryRoleAssignment' is not recognized...
    Cause: Module or cmdlet not installed.
    Solution: Run Install-Module Microsoft.Graph -Scope CurrentUser and import it again.

FAQs

How do I find out what a specific role assignment ID refers to?

Use Get-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId to get the assignment, then map principalId to the user or group with Get-MgUser or Get-MgGroup.

Can I find all users with a specific role like Global Administrator?

Yes! First, use Get-MgRoleManagementDirectoryRoleDefinition to get the roleDefinitionId for "Global Administrator", then filter:

Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '...'" -All
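A worked version of this two-step procedure, added here as an example (it is not code from the original article): it looks up the role by display name, lists its active assignments and resolves each principalId to a display name with Get-MgDirectoryObject, which returns users, groups and service principals alike. It assumes an existing Connect-MgGraph session with RoleManagement.Read.Directory and Directory.Read.All; the default role name is just a constructed sample value.

```powershell
# Added example: report who currently holds a directory role.
# Assumes Connect-MgGraph has already been run with
# RoleManagement.Read.Directory and Directory.Read.All.
param(
    [string]$RoleName = 'Global Administrator'   # constructed default
)

# Step 1: resolve the role display name to its roleDefinitionId.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $roleDef) { throw "Role definition '$RoleName' not found." }

# Step 2: fetch every active assignment for that role; -All follows paging.
# Note: only active assignments are returned here; PIM-eligible assignments
# live under role eligibility schedules and are not part of this list.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($roleDef.Id)'" -All

# Step 3: turn each principalId into something a reviewer can read.
$report = foreach ($a in $assignments) {
    $obj  = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
    # '@odata.type' is e.g. '#microsoft.graph.user'; keep only the short name.
    $type = $obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''

    # Users are identified by UPN, service principals by appId, groups by name only.
    $identifier = switch ($type) {
        'user'             { $obj.AdditionalProperties['userPrincipalName'] }
        'servicePrincipal' { $obj.AdditionalProperties['appId'] }
        default            { $null }
    }

    [pscustomobject]@{
        Role          = $roleDef.DisplayName
        PrincipalType = $type
        DisplayName   = $obj.AdditionalProperties['displayName']
        Identifier    = $identifier
        Scope         = $a.DirectoryScopeId   # '/' means tenant-wide
        AssignmentId  = $a.Id
    }
}

$report | Sort-Object PrincipalType, DisplayName | Format-Table -AutoSize
```

Pipe $report to Export-Csv instead of Format-Table when the output is meant for an audit record; a non-'/' Scope value shows an assignment restricted to an administrative unit rather than the whole tenant.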

Is this the same as role assignments shown in the Entra admin center?

Yes. This cmdlet retrieves the same underlying data that appears in Microsoft Entra ID → Roles and Administrators → Role assignments.

Conclusion

The Get-MgRoleManagementDirectoryRoleAssignment cmdlet is essential for any Microsoft 365 administrator looking to monitor, audit, or report on directory role assignments. It offers flexibility to query everything from all assignments to specific users or roles, giving you clear insight into who has access to what in your tenant.

By combining this cmdlet with others like Get-MgUser, Get-MgGroup, and Get-MgRoleManagementDirectoryRoleDefinition, you can build a powerful admin access monitoring system.

© m365corner.com. All Rights Reserved. Design by HTML Codex