M365Corner
M365 PowerShell

List All Global Administrators in Microsoft 365 Using Graph PowerShell (with License Status)

The Global Administrator role is the most powerful role in a Microsoft 365 tenant. These accounts have unrestricted access to all settings and data. Regularly auditing these users is crucial for maintaining security, compliance, and governance.

In this article, you'll learn how to use Graph PowerShell to fetch all users assigned to the Global Administrator role and list them alongside their license status.


The Script: Fetch Global Admin Users with License Status

# Connect to Microsoft Graph with necessary scopes
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "User.Read.All"
                                
# Get the 'Global Administrator' role by display name
$globalAdminRole = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq "Global Administrator" }
                                
if (-not $globalAdminRole) {
Write-Host "Global Administrator role is not currently activated in your tenant." -ForegroundColor Yellow
return
}
                                
# Fetch all members of the Global Administrator role
$globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id -All
                                
# Initialize result array
$results = @()
                                
foreach ($member in $globalAdmins) {
if ($member.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.user") {
$user = Get-MgUser -UserId $member.Id -Property DisplayName, UserPrincipalName, AssignedLicenses
                                
# Determine license status
$licenseStatus = if ($user.AssignedLicenses.Count -gt 0) { "Licensed" } else { "Unlicensed" }
                                
$results += [PSCustomObject]@{
'Admin Name'          = $user.DisplayName
'User Principal Name' = $user.UserPrincipalName
'License Status'      = $licenseStatus
'Admin Role Assigned' = "Global Administrator"
}
}
}
                                
# Output to console
if ($results.Count -eq 0) {
Write-Host "No users found with the Global Administrator role." -ForegroundColor Yellow
} else {
$results | Sort-Object 'Admin Name' | Format-Table -AutoSize
}

How the Script Works

Here's a step-by-step breakdown of what the script does:

  1. Establishes Connection:

    2. Uses Connect-MgGraph with required delegated scopes to access user and role data.

  2. Retrieves the Global Administrator Role:

    3. Uses Get-MgDirectoryRole -All to find the active role titled "Global Administrator".

  3. Gets Role Members:

    4. Pulls members of the Global Admin role using Get-MgDirectoryRoleMember. Only members with an @odata.type of #microsoft.graph.user are considered.

  4. Fetches User Details:

    5. For each admin user, it retrieves:

    • DisplayName
    • UserPrincipalName
    • AssignedLicenses
  5. Determines License Status:

    6. If the AssignedLicenses collection is empty, the user is marked as Unlicensed.

  6. Displays the Results:

    7. Outputs a clean table sorted by Admin Name.


Further Enhancements

You can extend this script further to include:

  • Account Enabled Status:
    • 'Sign In Status' = if ($user.AccountEnabled) { "Enabled" } else { "Disabled" }
  • Export to CSV:
    • $results | Export-Csv -Path "GlobalAdmins.csv" -NoTypeInformation
  • Include Last Sign-In Info (if available via SignInActivity property):
    • -Property SignInActivity
  • Filter by Domain:

    • Only show Global Admins from a specific subdomain:

    Where-Object { $_.UserPrincipalName -like "*@yourdomain.com" }

Possible Errors & Solutions

Error Message Cause Solution
Global Administrator role is not currently activated Role hasn’t been used yet Assign a user to it or activate it in Entra ID
Access denied when retrieving members Missing delegated permission Ensure you use Directory.Read.All and RoleManagement.Read.Directory scopes
@odata.type not accessible Returned object isn't a user Use .AdditionalProperties.'@odata.type' to check before processing
AssignedLicenses is null or missing User data missing or restricted Ensure correct API permissions and avoid guest/service principals

Use Cases

This script is a perfect fit for:

  • Security Reviews: Audit who has the most privileged access in your tenant.
  • Compliance Checks: Prove licensed and active Global Admins during an audit.
  • Admin Licensing Insights: Ensure Global Admins are assigned valid licenses.
  • Role Management Dashboards: Feed into Power BI for ongoing governance.
  • Orphaned Admin Detection: Spot unlicensed or misconfigured high-privilege accounts.

Conclusion

Monitoring Global Administrator accounts is a must-do for every Microsoft 365 administrator. These users have the keys to your tenant, and mismanaging them can expose you to major security risks.

This Graph PowerShell script gives you clear, structured visibility into who your Global Admins are, along with their license state—an essential insight for staying compliant and secure.


Table of Contents

X

Table of Contents

Graph PowerShell Explorer Widget

20 Graph PowerShell cmdlets with easily accessible "working" examples.


Permission Required

Example:


                

                

                

                

                

            

        

    


 
            

        

    

    
    
    
    

        

            © m365corner.com. All Rights Reserved.
            Design by HTML Codex