Get-EntraUserCBAAuthorizationInfo

Retrieves authorization information for a Microsoft Entra ID user, including certificate-based authentication identifiers.

Syntax

Default (Default)

Get-EntraUserCBAAuthorizationInfo
    [-UserId] <String>
    [-Raw]
    [<CommonParameters>]

Description

The Get-EntraUserCBAAuthorizationInfo cmdlet retrieves authorization information for a specified user in Microsoft Entra ID. This includes certificate user identifiers that are used for certificate-based authentication (CBA).

By default, the command returns a formatted object with parsed certificate details. You can use the -Raw parameter to get the unprocessed response from the Microsoft Graph API.

Get-EntraUserAuthorizationInfo is an alias of Get-EntraUserCBAAuthorizationInfo.

In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation:

  • Privileged Authentication Administrator (for Cloud-only users)
  • Hybrid Identity Administrator (for synchronized users)

Examples

Example 1: Get authorization information for a user by User Principal Name

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUserCBAAuthorizationInfo -UserId 'SawyerM@contoso.com'
Id                : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
DisplayName       : Sawyer Miller
UserPrincipalName : SawyerM@contoso.com
UserType          : Member
AuthorizationInfo : @{CertificateUserIds=System.Object[]; RawAuthorizationInfo=System.Collections.Hashtable}

This command retrieves the authorization information for the user with the specified User Principal Name.

Example 2: Retrieve authorization information for a user

Connect-Entra -Scopes 'User.Read.All'
$userInfo = Get-EntraUserCBAAuthorizationInfo -UserId 'SawyerM@contoso.com'
$userInfo.AuthorizationInfo.CertificateUserIds | Format-Table Type, TypeName, Value
Type TypeName      Value
---- --------      -----
PN   PrincipalName sawyerm@marketing.contoso.com
S    Subject       CN=sawyerm@marketing.contoso.com

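This example retrieves the authorization information and displays the parsed certificate user IDs as a table showing the type, type name, and value of each identifier.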

Example 3: Extract specific certificate user IDs

Connect-Entra -Scopes 'User.Read.All'
$userInfo = Get-EntraUserCBAAuthorizationInfo -UserId 'SawyerM@contoso.com'
$userInfo.AuthorizationInfo.CertificateUserIds | Where-Object Type -eq "PN" | Select-Object -ExpandProperty Value
sawyerm@marketing.contoso.com

This example retrieves the authorization information and then filters to display only the Principal Name certificate values.

Example 5: Retrieve raw API response

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUserCBAAuthorizationInfo -UserId 'SawyerM@contoso.com' -Raw
Name                           Value
----                           -----
userType                       Member
authorizationInfo              {[certificateUserIds, System.Object[]]}
id                             aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
@odata.context                 https://graph.microsoft.com/..
displayName                    Sawyer Miller
userPrincipalName              sawyerm@contoso.com

This command retrieves the raw, unprocessed authorization information directly from the API.

Example 6: Use the results with pipeline

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUserCBAAuthorizationInfo -UserId 'SawyerM@contoso.com' |
    Select-Object UserPrincipalName, @{
        Name = 'CertificateTypes';
        Expression = { $_.AuthorizationInfo.CertificateUserIds.Type -join ", " }
    }
UserPrincipalName            CertificateTypes
-----------------            ----------------
sawyerm@marketing.contoso.com PN, S

This example retrieves the authorization information and creates a custom view showing the user principal name and certificate types.

Parameters

-Raw

Indicates that the cmdlet returns the raw API response without processing. Use this parameter when you want to see the complete, unmodified response from Microsoft Graph.

Parameter properties

Type: SwitchParameter
Default value: False
Supports wildcards: False
DontShow: False
Aliases: RawResponse

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-UserId

Specifies the identifier of the user. This can be either a User Principal Name (UPN, email address) or a GUID (user ID).

Parameter properties

Type: String
Default value: None
Supports wildcards: False
DontShow: False
Aliases: ObjectId, UPN, Identity, UserPrincipalName

Parameter sets

(All)
Position: 0
Mandatory: True
Value from pipeline: True
Value from pipeline by property name: True
Value from remaining arguments: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

System.String

You can pipe a string that contains a user ID or UPN to this cmdlet.

Outputs

System.Management.Automation.PSObject

By default, the cmdlet returns a custom PSObject with the following properties:

  • Id: The unique identifier of the user
  • DisplayName: The display name of the user
  • UserPrincipalName: The user principal name (email address) of the user
  • UserType: The type of user account (for example, "Member", "Guest")
  • AuthorizationInfo: An object containing:
      • CertificateUserIds: An array of parsed certificate user ID objects
      • RawAuthorizationInfo: The original authorization info from the API

Note: When the -Raw parameter is used, the cmdlet returns the raw API response as a PSObject.

Notes

Certificate user IDs are returned in the X509 format. The common types are:

  • PN: Principal Name
  • S: Subject
  • I: Issuer
  • SR: Serial Number
  • SKI: Subject Key Identifier
  • SHA1-PUKEY: SHA1 Public Key
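The X509 format described in these notes can be parsed offline to review which certificate bindings a user relies on. The following is an added example, not part of the Microsoft Entra PowerShell module or the original page. The helper name ConvertFrom-CertificateUserId, the sample strings, and the high/low affinity grouping (taken from Microsoft's CBA username-binding guidance, not from this page) are assumptions.

```powershell
# Added example: offline parser for raw certificateUserIds strings ("X509:<TAG>value...").
# Tag names are the ones listed in the Notes of this page.
$TagNames = @{
    'PN' = 'PrincipalName'; 'S' = 'Subject'; 'I' = 'Issuer'
    'SR' = 'SerialNumber'; 'SKI' = 'SubjectKeyIdentifier'; 'SHA1-PUKEY' = 'SHA1PublicKey'
}
# Assumption from Microsoft's CBA username-binding guidance, not from this page:
# SKI, SHA1 public key, and issuer + serial number are the high-affinity bindings.
$HighAffinity = @('SKI', 'SHA1-PUKEY', 'I+SR')

function ConvertFrom-CertificateUserId {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$RawId)
    process {
        $m = [regex]::Match($RawId, '^X509:(?<body>.+)$')
        # One identifier can carry several components, for example <I>issuer<SR>serial.
        $parts = [regex]::Matches($m.Groups['body'].Value, '<(?<tag>[A-Za-z0-9-]+)>(?<val>[^<]*)')
        if (-not $m.Success -or $parts.Count -eq 0) {
            Write-Warning "Not a parsable X509 certificate user ID: $RawId"
            return
        }
        $components = @(foreach ($p in $parts) {
            $tag = $p.Groups['tag'].Value.ToUpperInvariant()
            $name = 'Unknown'
            if ($TagNames.ContainsKey($tag)) { $name = $TagNames[$tag] }
            [pscustomobject]@{ Type = $tag; TypeName = $name; Value = $p.Groups['val'].Value }
        })
        $binding = $components.Type -join '+'
        $affinity = 'Low'
        if ($components.TypeName -contains 'Unknown') { $affinity = 'Unknown' }
        elseif ($HighAffinity -contains $binding) { $affinity = 'High' }
        [pscustomobject]@{
            Binding = $binding; Affinity = $affinity; Components = $components; Raw = $RawId
        }
    }
}

# Constructed sample values in the raw format (not real identifiers).
$sample = @(
    'X509:<PN>sawyerm@marketing.contoso.com'
    'X509:<S>CN=sawyerm@marketing.contoso.com'
    'X509:<I>DC=com,DC=contoso,CN=CONTOSO-CA<SR>0123456789abcdef'
    'X509:<SKI>aabbccddeeff00112233445566778899aabbccdd'
)
$sample | ConvertFrom-CertificateUserId | Format-Table Binding, Affinity, Raw
```

For live data, the same strings are available under authorizationInfo.certificateUserIds in the -Raw response shown in Example 5. Accounts whose identifiers all report Low affinity are the ones to review first when tightening CBA username bindings.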