Edit

Share via

Get-EntraDirectoryRoleAssignment

Module:
Microsoft.Entra Module v1.1

Get a Microsoft Entra ID roleAssignment.

Syntax

GetQuery (Default) 

Get-EntraDirectoryRoleAssignment

    [-Top <Int32>]
    [-All]
    [-Filter <String>]
    [-Property <String[]>]
    [<CommonParameters>]

GetValue 

Get-EntraDirectoryRoleAssignment

    [-All]
    [-Property <String[]>]
    [<CommonParameters>]

GetById 

Get-EntraDirectoryRoleAssignment

    -UnifiedRoleAssignmentId <String>
    [-All]
    [-Property <String[]>]
    [<CommonParameters>]

Description

The Get-EntraDirectoryRoleAssignment cmdlet gets information about role assignments in Microsoft Entra ID. To get a role assignment, specify the UnifiedRoleAssignmentId parameter. Specify the SearchString or Filter parameter to find a particular role assignment.

In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or a custom role with one of the following permissions:

  • microsoft.directory/roleAssignments/standard/read (least privileged)
  • microsoft.directory/roleAssignments/allProperties/read
  • microsoft.directory/roleAssignments/allProperties/allTasks

The least privileged roles for this operation, from least to most privileged, are:

  • Directory Readers
  • Global Reader
  • Privileged Role Administrator

Examples

Example 1: Get role assignments

Connect-Entra -Scopes 'RoleManagement.Read.Directory', 'EntitlementManagement.Read.All'
Get-EntraDirectoryRoleAssignment

Id                                      PrincipalId                           RoleDefinitionId                    DirectoryScopeId AppScopeId
--                                      -----------                           ----------------                    ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444          aaaaaaaa-bbbb-cccc-1111-222222222222  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
11112222-bbbb-3333-cccc-4444dddd5555          bbbbbbbb-cccc-dddd-2222-333333333333  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
22223333-cccc-4444-dddd-5555eeee6666          cccccccc-dddd-eeee-3333-444444444444  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
33334444-dddd-5555-eeee-6666ffff7777          dddddddd-eeee-ffff-4444-555555555555  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
44445555-eeee-6666-ffff-7777aaaa8888          eeeeeeee-ffff-aaaa-5555-666666666666  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /

This command gets the role assignments in Microsoft Entra ID.

Example 2: Get role assignments using 'All' parameter

Connect-Entra -Scopes 'RoleManagement.Read.Directory', 'EntitlementManagement.Read.All'
Get-EntraDirectoryRoleAssignment -All

Id                                      PrincipalId                           RoleDefinitionId                    DirectoryScopeId AppScopeId
--                                      -----------                           ----------------                    ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444          aaaaaaaa-bbbb-cccc-1111-222222222222  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
11112222-bbbb-3333-cccc-4444dddd5555          bbbbbbbb-cccc-dddd-2222-333333333333  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
22223333-cccc-4444-dddd-5555eeee6666          cccccccc-dddd-eeee-3333-444444444444  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
33334444-dddd-5555-eeee-6666ffff7777          dddddddd-eeee-ffff-4444-555555555555  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
44445555-eeee-6666-ffff-7777aaaa8888          eeeeeeee-ffff-aaaa-5555-666666666666  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /

This command gets all the role assignments in Microsoft Entra ID.

Example 3: Get role assignments by Id

Connect-Entra -Scopes 'RoleManagement.Read.Directory', 'EntitlementManagement.Read.All'
$user = Get-EntraUser -UserId 'SawyerM@contoso.com'
$role = Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'"
$assignment = Get-EntraDirectoryRoleAssignment -All | Where-Object { $_.principalId -eq $user.Id -AND $_.RoleDefinitionId -eq $role.Id }
Get-EntraDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id

Id                                      PrincipalId                           RoleDefinitionId                    DirectoryScopeId AppScopeId
--                                      -----------                           ----------------                    ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444           aaaaaaaa-bbbb-cccc-1111-222222222222  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /

This command gets the role assignments using specified roleAssignment Id.

  • UnifiedRoleAssignmentId parameter specifies the roleAssignment object ID.

Example 4: Get role assignments filter by principalId

Connect-Entra -Scopes 'RoleManagement.Read.Directory', 'EntitlementManagement.Read.All'
$userId = (Get-EntraUser -UserId 'SawyerM@contoso.com').Id
Get-EntraDirectoryRoleAssignment -Filter "principalId eq '$userId'"

Id                                      PrincipalId                           RoleDefinitionId                    DirectoryScopeId AppScopeId
--                                      -----------                           ----------------                    ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444           aaaaaaaa-bbbb-cccc-1111-222222222222  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
11112222-bbbb-3333-cccc-4444dddd5555           aaaaaaaa-bbbb-cccc-1111-222222222222  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /

This command gets the role assignments containing the specified principalId.

Example 5: Get role assignments filter by roleDefinitionId

Connect-Entra -Scopes 'RoleManagement.Read.Directory', 'EntitlementManagement.Read.All'
$roleId = (Get-EntraDirectoryRoleDefinition -Filter "DisplayName eq 'Helpdesk Administrator'").Id
Get-EntraDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'"

Id                                      PrincipalId                           RoleDefinitionId                    DirectoryScopeId AppScopeId
--                                      -----------                           ----------------                    ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444          aaaaaaaa-bbbb-cccc-1111-222222222222  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
11112222-bbbb-3333-cccc-4444dddd5555          bbbbbbbb-cccc-dddd-2222-333333333333  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
22223333-cccc-4444-dddd-5555eeee6666          cccccccc-dddd-eeee-3333-444444444444  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
33334444-dddd-5555-eeee-6666ffff7777          dddddddd-eeee-ffff-4444-555555555555  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
44445555-eeee-6666-ffff-7777aaaa8888          eeeeeeee-ffff-aaaa-5555-666666666666  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /

This command gets the role assignments containing the specified roleDefinitionId.

Example 6: Get top two role assignments

Connect-Entra -Scopes 'RoleManagement.Read.Directory', 'EntitlementManagement.Read.All'
Get-EntraDirectoryRoleAssignment -Top 2

Id                                      PrincipalId                           RoleDefinitionId                    DirectoryScopeId AppScopeId
--                                      -----------                           ----------------                    ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444          aaaaaaaa-bbbb-cccc-1111-222222222222  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /
11112222-bbbb-3333-cccc-4444dddd5555           bbbbbbbb-cccc-dddd-2222-333333333333  a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  /

This command gets top two role assignments. You can use -Limit as an alias for -Top.

Parameters

-All

List all pages.

Parameter properties

Type:System.Management.Automation.SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Filter

The OData v4.0 filter statement. Controls which objects are returned.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

GetQuery
Position:Named
Mandatory:False
Value from pipeline:True
Value from pipeline by property name:True
Value from remaining arguments:False

-Property

Specifies properties to be returned

Parameter properties

Type:

System.String[]

Default value:None
Supports wildcards:False
DontShow:False
Aliases:Select

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Top

The maximum number of records to return.

Parameter properties

Type:System.Int32
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Limit

Parameter sets

GetQuery
Position:Named
Mandatory:False
Value from pipeline:True
Value from pipeline by property name:True
Value from remaining arguments:False

-UnifiedRoleAssignmentId

The unique identifier of a Microsoft Entra ID roleAssignment object.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Id

Parameter sets

GetById
Position:Named
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:True
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Outputs

Microsoft.Open.MSGraph.Model.DirectoryRoleAssignment

Notes

Get-EntraRoleAssignment is an alias for Get-EntraDirectoryRoleAssignment.