Tags: azure, microsoft-graph-api, azure-powershell, microsoft-graph-sdks

How to get members from a Custom AD role with MS Graph Powershell


I'm trying to get the members from a custom role created in the portal with MS Powershell Graph. This custom role is active and has members assigned.

I can't get a DirectoryRoleId from the custom role, if it even exists, to run the Get-MgDirectoryRoleMember.

I figured out the following:

  • Get-MgDirectoryRole retrieved all active roles, but no custom roles.
  • Get-MgDirectoryRoleTemplate retrieved all roles, including those that are not activated, but no custom roles. Total number of roles: 98.
  • Get-MgRoleManagementDirectoryRoleDefinition retrieved all roles, including those that are not activated, and now including my custom role! Total number of roles: 99.

Unfortunately I don't get a DirectoryRoleId this way so I can't use it with Get-MgDirectoryRoleMember -DirectoryRoleId '<id>'. This cmdlet works fine with the default roles.

Am I missing another cmdlet to extract members of custom roles via MS Graph PowerShell?


Solution

  • I tried to reproduce the same in my environment and got the results below:

    I created one custom directory role named "Directory Admininistrator" with the ID and permissions below:

    (screenshot in the original post)

    Now, I added 2 active role assignments (users) for this custom role like this:

    (screenshot in the original post)

    I ran the MS Graph PowerShell commands below to get the DirectoryRoleId from the custom directory role:

    Connect-MgGraph
    Get-MgRoleManagementDirectoryRoleDefinition -Filter "(displayName eq 'Directory Admininistrator')"
    

    Response: (screenshot in the original post)

    When I tried to get the members of this custom role with the script below, I got this error:

    # Get the role definition for your custom role
    $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "(displayName eq 'Directory Admininistrator')"
    
    # Get the members of your custom role
    $roleMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $roleDefinition.Id
    
    # Display the results
    $roleMembers
    

    Response: (screenshot in the original post)

    AFAIK, listing members of a custom Azure AD role with PowerShell is currently in Preview state, which may cause errors. Check this MS Doc.

    Alternatively, you can use Azure AD PowerShell commands to list the active role assignments of a custom directory role.

    I ran the commands below to get the DirectoryRoleId from the custom directory role:

    Connect-AzureAD
    Get-AzureADMSRoleDefinition -Filter "displayName eq 'Directory Admininistrator'"
    

    Response: (screenshot in the original post)

    When I tried to get the members of this custom role with the script below, I successfully got a response with the user IDs assigned to that role, like below:

    # Get the role definition for your custom role
    $roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Directory Admininistrator'"
    
    # Get the active assignments of your custom role (filter on the definition's Id;
    # the variable must match the one assigned above)
    $roleMembers = Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($roleDefinition.Id)'"
    
    # Display the results (PrincipalId is the object ID of each assigned user)
    $roleMembers
    

    Response: (screenshot in the original post)
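The role-assignment lookup that the answer performs with Get-AzureADMSRoleAssignment has a direct counterpart in the Graph PowerShell SDK, which is what the question asked for. The following is an added example, not code from the question or the answer; it assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the read-only RoleManagement.Read.Directory and Directory.Read.All scopes, and it reuses the custom role name from the answer.

```powershell
# Added example (not from the answer above). Requires the Microsoft.Graph module.
# Custom roles exist only as unifiedRoleDefinition objects; there is no directoryRole
# object for them, which is why Get-MgDirectoryRoleMember fails. Role assignments,
# however, are keyed by roleDefinitionId for built-in and custom roles alike.

function Get-CustomRoleMembers {
    param(
        [Parameter(Mandatory)] [string] $RoleDisplayName
    )

    # Read-only scopes are enough to enumerate definitions, assignments and principals.
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

    # Resolve the role definition (custom roles are included here).
    $definition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $definition) { throw "Role definition '$RoleDisplayName' not found." }

    # Active assignments for that definition, across all pages.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($definition.Id)'" -All
    if (-not $assignments) { return @() }

    # PrincipalId may point at a user, a group or a service principal. A group principal
    # means every transitive member of that group holds the role, so it is worth surfacing
    # the object type rather than assuming every assignee is a user.
    $principals = Get-MgDirectoryObjectById -Ids @($assignments.PrincipalId)

    foreach ($p in $principals) {
        [pscustomobject]@{
            Id                = $p.Id
            Type              = $p.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            DisplayName       = $p.AdditionalProperties['displayName']
            UserPrincipalName = $p.AdditionalProperties['userPrincipalName']
            # '/' is the tenant-wide scope; anything else restricts where the role applies.
            DirectoryScope    = ($assignments | Where-Object PrincipalId -eq $p.Id).DirectoryScopeId -join ','
        }
    }
}

Get-CustomRoleMembers -RoleDisplayName 'Directory Admininistrator' | Format-Table -AutoSize
```

The AzureAD module the answer falls back on has since been retired, so this Graph SDK path is the one to keep for ongoing role-membership reviews.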