
SYNOPSIS

Reports on Exchange RBAC roles and their effective membership, including groups expanded recursively.

SYNTAX

Get-ExRoleReport [[-Identity] <String>] [[-PrincipalID] <String>] [[-PrincipalDisplayName] <String>] [-OnPrem]
 [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

Produces a report of the membership of Exchange RBAC role groups. By default, the report contains only the roles that have at least one member. When a role member is itself a group (distribution group, mail-enabled security group, dynamic distribution group, or a nested role group), its members are resolved recursively and included in the report with DirectMember set to $false and MemberViaGroup set to the name of the group that is a direct member of the role. Circular group references are detected and skipped automatically.

EXAMPLES

EXAMPLE 1

Get-ExRoleReport
Retrieves the Exchange RBAC role report for Exchange Online, including recursive group expansion.

EXAMPLE 2

Get-ExRoleReport -Identity 'Organization Management'
Returns only the membership of the ‘Organization Management’ role group.

EXAMPLE 3

Get-ExRoleReport -PrincipalID 'alice@contoso.com'
Returns every role assignment held by alice@contoso.com (direct or via group membership).

EXAMPLE 4

Get-ExRoleReport -PrincipalDisplayName 'Alice Doe'
Returns every role assignment held by the user whose DisplayName is ‘Alice Doe’.

EXAMPLE 5

Get-ExRoleReport | Where-Object { $_.DirectMember -eq $false } | Format-Table Role, MemberName, MemberViaGroup
Lists all users/objects resolved through group membership, showing which group is a direct member of the role.

EXAMPLE 6

Get-ExRoleReport | Export-Csv -NoTypeInformation "$(Get-Date -Format yyyyMMdd)_adminRoles.csv" -Encoding UTF8
Exports the full report (including group-expanded members) to a CSV file.
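
An added example, not part of the module or its documentation: comparing two dated exports like the one produced in Example 6 to surface effective role assignments that appeared or disappeared, including those gained through a nested group. The function name Compare-ExRoleSnapshot, the group names and all sample rows are constructed for illustration.

```powershell
# Constructed sample snapshots shaped like two Get-ExRoleReport CSV exports.
# With real data, use Import-Csv on the older and newer export instead.
$baseline = @'
Role,MemberName,MemberObjectID,DirectMember,MemberViaGroup
Organization Management,alice,11111111-1111-1111-1111-111111111111,True,
Help Desk,bob,22222222-2222-2222-2222-222222222222,False,HelpdeskStaff
Help Desk,carol,33333333-3333-3333-3333-333333333333,True,
'@ | ConvertFrom-Csv
$current = @'
Role,MemberName,MemberObjectID,DirectMember,MemberViaGroup
Organization Management,alice,11111111-1111-1111-1111-111111111111,True,
Organization Management,bob,22222222-2222-2222-2222-222222222222,False,TierZeroAdmins
Help Desk,bob,22222222-2222-2222-2222-222222222222,False,HelpdeskStaff
'@ | ConvertFrom-Csv

# Hypothetical helper (not part of the module): diff two report snapshots.
function Compare-ExRoleSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current
    )
    # One key per effective assignment: role + principal + granting group.
    # Assumes MemberObjectID is populated for every row.
    $keyOf = { param($r) '{0}|{1}|{2}' -f $r.Role, $r.MemberObjectID, $r.MemberViaGroup }
    $toRow = {
        param($change, $r)
        [pscustomobject]@{
            Change         = $change
            Role           = $r.Role
            MemberName     = $r.MemberName
            # CSV round-trips booleans as text, so convert before comparing.
            DirectMember   = [System.Convert]::ToBoolean($r.DirectMember)
            MemberViaGroup = $r.MemberViaGroup
        }
    }
    $cmp = [System.StringComparer]::OrdinalIgnoreCase
    $old = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $new = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($r in $Baseline) { [void]$old.Add((& $keyOf $r)) }
    foreach ($r in $Current)  { [void]$new.Add((& $keyOf $r)) }
    foreach ($r in $Current)  { if (-not $old.Contains((& $keyOf $r))) { & $toRow 'Added' $r } }
    foreach ($r in $Baseline) { if (-not $new.Contains((& $keyOf $r))) { & $toRow 'Removed' $r } }
}

# Review every change; indirect additions are the ones a role-group diff alone misses.
Compare-ExRoleSnapshot -Baseline $baseline -Current $current |
    Sort-Object Change, Role | Format-Table -AutoSize
```

Because the key includes MemberViaGroup, a principal who already held a role directly and later also receives it through a group shows up as a separate added row.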

PARAMETERS

-Identity

Filter the report on a specific role (exact, case-insensitive match on the Role column).
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-PrincipalID

Filter the report on a specific principal. Matches MemberName (alias), MemberPrimarySMTPAddres (UPN/SMTP), or MemberObjectID (ExternalDirectoryObjectId / GUID).
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-PrincipalDisplayName

Filter the report on a specific MemberDisplayName (exact, case-insensitive).
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-OnPrem

When specified, queries an on-premises Exchange server instead of Exchange Online. Group expansion is also performed for on-premises role groups.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

[System.Collections.Generic.List[Object]] containing PSCustomObject rows with the following properties:

Role, MemberName, MemberDisplayName, MemberPrimarySMTPAddres, MemberIsDirSynced, MemberObjectID, MemberRecipientTypeDetails, RoleDescription, DirectMember, MemberViaGroup.

NOTES

Requires ExchangeOnlineManagement module and an active Connect-ExchangeOnline session for Exchange Online. For on-premises Exchange, requires the Exchange Management Shell or the Exchange snap-in loaded.

https://ps365.clidsys.com/docs/commands/Get-ExRoleReport