In Microsoft Entra ID (Azure AD), Privileged Identity Management (PIM) plays a crucial role in controlling and auditing access to directory roles. One important aspect of PIM is understanding who is eligible for privileged roles and under what conditions.
The Get-MgRoleManagementDirectoryRoleEligibilitySchedule cmdlet helps administrators retrieve role eligibility schedules, giving visibility into users or principals who are eligible to activate directory roles.
This cmdlet is especially useful for access reviews, security audits, and compliance reporting.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule
This cmdlet does not require mandatory parameters. It retrieves role eligibility schedules across the tenant.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule
Explanation:
Returns all directory role eligibility schedules in the tenant. The output includes details such as role definition, principal ID, assignment state, and modification timestamps.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule | Select-Object Id, ModifiedDateTime, PrincipalId
Explanation:
Retrieves role eligibility schedules and displays only the most relevant properties, making the output easier to read and suitable for quick reviews.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule | Export-Csv d:/RoleManagementDirectoryRoleEligibilitySchedule.csv -NoTypeInformation
Explanation:
Exports all role eligibility schedule data to a CSV file. This is useful for audits, offline analysis, or sharing reports with security and compliance teams.
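For an access review, the raw schedules are more useful once role IDs are replaced with role names and eligibilities that never expire are flagged. The script below is an added example, not code from the original article. The function name ConvertTo-EligibilityReview, the sample objects, and the placeholder IDs are constructed for illustration, and the commented lines show how the same function would be fed from a live tenant.

```powershell
# Added example (not from the original article): shape eligibility schedules
# into access-review rows and flag eligibilities that never expire.
function ConvertTo-EligibilityReview {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Schedule,
        [hashtable] $RoleNames = @{}    # RoleDefinitionId -> role display name
    )
    process {
        $exp  = $Schedule.ScheduleInfo.Expiration
        $role = $RoleNames[[string]$Schedule.RoleDefinitionId]
        if (-not $role) { $role = $Schedule.RoleDefinitionId }   # fall back to the raw ID
        [pscustomobject]@{
            Role        = $role
            PrincipalId = $Schedule.PrincipalId
            Scope       = $Schedule.DirectoryScopeId
            MemberType  = $Schedule.MemberType
            Permanent   = ($exp.Type -eq 'noExpiration')
            EndDateTime = $exp.EndDateTime
            Modified    = $Schedule.ModifiedDateTime
        }
    }
}

# Live tenant usage (uncomment after installing Microsoft.Graph):
# Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'
# $roles = @{}
# Get-MgRoleManagementDirectoryRoleDefinition -All |
#     ForEach-Object { $roles[$_.Id] = $_.DisplayName }
# $schedules = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All

# Constructed sample data with placeholder IDs so the script runs offline.
$roles = @{ 'role-0001' = 'Example Role A'; 'role-0002' = 'Example Role B' }
$schedules = @(
    [pscustomobject]@{
        RoleDefinitionId = 'role-0001'; PrincipalId = 'principal-0001'
        DirectoryScopeId = '/'; MemberType = 'Direct'; ModifiedDateTime = [datetime]'2024-01-10'
        ScheduleInfo = [pscustomobject]@{ Expiration = [pscustomobject]@{ Type = 'noExpiration'; EndDateTime = $null } }
    }
    [pscustomobject]@{
        RoleDefinitionId = 'role-0002'; PrincipalId = 'principal-0002'
        DirectoryScopeId = '/'; MemberType = 'Group'; ModifiedDateTime = [datetime]'2024-03-02'
        ScheduleInfo = [pscustomobject]@{ Expiration = [pscustomobject]@{ Type = 'afterDateTime'; EndDateTime = [datetime]'2024-09-01' } }
    }
)

# Non-expiring eligibilities are listed first so reviewers see them at the top.
$schedules | ConvertTo-EligibilityReview -RoleNames $roles |
    Sort-Object @{ Expression = 'Permanent'; Descending = $true }, 'Role' |
    Format-Table -AutoSize
```

Replace Format-Table with Export-Csv -NoTypeInformation to hand the same rows to a security or compliance team.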
| Error / Message | Cause | Solution |
| --- | --- | --- |
| Authorization_RequestDenied | Insufficient permissions | Ensure RoleManagement.Read.Directory or Directory.Read.All is granted with admin consent. |
| Cmdlet not recognized | Microsoft.Graph module missing | Install or update the module using Install-Module Microsoft.Graph. |
| Empty output | No role eligibility schedules configured | Verify that PIM role eligibility is enabled and configured in the tenant. |
| CSV export fails | Invalid file path | Ensure the destination path exists and you have write permissions. |
The Get-MgRoleManagementDirectoryRoleEligibilitySchedule cmdlet provides administrators with valuable insight into who is eligible for privileged directory roles in Microsoft Entra ID. By leveraging this cmdlet, you can strengthen governance, support audits, and maintain better visibility into PIM configurations across your tenant.