Skip to main content

SYNOPSIS

Get-MgRoleReport.ps1 - Reports on Microsoft Entra ID (Azure AD) roles

SYNTAX

Get-MgRoleReport [-IncludeEmptyRoles] [[-IncludePIMEligibleAssignments] <Boolean>] [-ForceNewToken]
 [-MaesterMode] [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

By default, the report contains only the roles with members. To get all the role, included empty roles, add -IncludeEmptyRoles $true

EXAMPLES

EXAMPLE 1

Get-MgRoleReport
Get all the roles with members, including PIM eligible assignments but without empty roles

EXAMPLE 2

Get-MgRoleReport -IncludeEmptyRoles
Get all the roles, including the ones without members

EXAMPLE 3

Get-MgRoleReport -IncludePIMEligibleAssignments $false
Get all the roles with members (without empty roles), but without PIM eligible assignments

EXAMPLE 4

Get-MgRoleReport | Export-CSV -NoTypeInformation "$(Get-Date -Format yyyyMMdd)_adminRoles.csv" -Encoding UTF8

PARAMETERS

-IncludeEmptyRoles

Switch parameter to include empty roles in the report 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-IncludePIMEligibleAssignments

Boolean parameter to include PIM eligible assignments in the report. Default is $true 
Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: 1
Default value: True
Accept pipeline input: False
Accept wildcard characters: False

-ForceNewToken

Switch parameter to force getting a new token from Microsoft Graph 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-MaesterMode

Switch parameter to use with the Maester framework (internal process not presented here) 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ProgressAction

{{ Fill ProgressAction Description }} 
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

The report is output to an array contained all the audit logs found.

To export in a csv, do Get-MgRoleReport | Export-CSV -NoTypeInformation ”$(Get-Date -Format yyyyMMdd)_adminRoles.csv” -Encoding UTF8

NOTES

Written by Bastien Perez (Clidsys.com - ITPro-Tips.com) For more Office 365/Microsoft 365 tips and news, check out ITPro-Tips.com. Version History:

[1.8.2] - 2025-10-17

Changed

  • Fix onPremisesSyncEnabled property

[1.8.1] - 2025-10-17

Added

  • Add RecommendationSync property

[1.8.0] - 2025-10-08

Added

  • Add IncludeEmptyRoles switch parameter to get all roles, even the ones without members

Changed

  • Use List for mgRoles for better performance

[1.7.0] - 2025-04-04

Changed

  • Add scopes for RoleManagement.Read.All and AuditLog.Read.All permissions

[1.6] - 2025-02-26

Changed

  • Add permissionsNeeded variable
  • Add onpremisesSyncEnabled property for groups
  • Add all type objects in the cache array
  • Add LastNonInteractiveSignInDateTime property for users

[1.5.0] - 2025-02-25

Changed

  • Always return true or false for onPremisesSyncEnabled properties
  • Fix issues with objectsCacheArray that was not working
  • Sign-in activity tracking for service principals

Plannned for next release

  • Switch to Invoke-MgGraphRequest instead of Get-Mg* CMDlets

[1.4.0] - 2025-02-13

Added

  • Sign-in activity tracking for users
  • Account enabled status.
  • On-premises sync enabled status.
  • Remove old parameters
  • Test if already connected to Microsoft Graph and with the right permissions

[1.3.0] - 2024-05-15

Changed

  • Changes not specified.

[1.2.0] - 2024-03-13

Changed

  • Changes not specified.

[1.1.0] - 2023-12-01

Changed

  • Changes not specified.

[1.0.0] - 2023-10-19

Initial Release

https://itpro-tips.com/get-the-office-365-admin-roles-and-track-the-changes/