
To find all privileged admins in Entra ID (formerly Azure AD), you can query the Microsoft Graph API from PowerShell. `isPrivileged` is a property of the role definition that Microsoft sets on the roles it considers privileged (Global Administrator, Privileged Role Administrator, and so on), so filtering on it returns every assignment of such a role. Here's the command (the URI is single-quoted so that `$expand` and `$filter` are not expanded as PowerShell variables; `-OutputType PSObject` returns objects instead of hashtables, which is what Export-Csv later needs):
Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri '/beta/roleManagement/directory/roleAssignments?$expand=roleDefinition&$filter=roleDefinition/isPrivileged eq true'
Prerequisites:
1. Required Permissions:
– `RoleManagement.Read.Directory` covers directory role assignments, including PIM eligible and activated assignments on the schedule endpoints (the PIM endpoints additionally need a tenant licensed for PIM, i.e. Microsoft Entra ID P2).
– `EntitlementManagement.Read.All` is only needed if you also read entitlement-management access packages; it is not required for role queries.
– These are admin-consent scopes: a Global Administrator (or Privileged Role Administrator) must consent the first time they are requested.
2. Microsoft Graph PowerShell Module:
Install it using:
Install-Module Microsoft.Graph -Force
3. Authenticate to Microsoft Graph:
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
(Pass additional scopes as separate strings, e.g. `-Scopes "RoleManagement.Read.Directory","Directory.Read.All"`; a single comma-separated string is sent as one malformed scope.)
You Should Know:
1. Extracting Privileged Role Assignments via Microsoft Graph Explorer
If you prefer a GUI-based approach, use Microsoft Graph Explorer:
- Authenticate with a privileged account and consent to `RoleManagement.Read.Directory`.
- Run the same query:
GET /beta/roleManagement/directory/roleAssignments?$expand=roleDefinition&$filter=roleDefinition/isPrivileged eq true
2. Exporting Results to CSV
To save the output for auditing (select the scalar columns explicitly; Export-Csv writes a nested object such as `roleDefinition` as its type name, not its content):
$admins = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri '/beta/roleManagement/directory/roleAssignments?$expand=roleDefinition&$filter=roleDefinition/isPrivileged eq true'
$admins.value | Select-Object principalId, directoryScopeId, @{n='Role'; e={ $_.roleDefinition.displayName }} | Export-Csv -Path "PrivilegedAdmins.csv" -NoTypeInformation
3. Checking PIM (Privileged Identity Management) Roles
The roleAssignments query above returns permanent assignments plus PIM roles that are currently activated. Eligible assignments (roles the principal can activate but does not hold right now) are not in that list; read them from the PIM schedule endpoint instead:
Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri '/beta/roleManagement/directory/roleEligibilityScheduleInstances?$expand=roleDefinition'
Filter the result on `roleDefinition.isPrivileged` the same way. The schedule endpoints require a PIM-licensed (Entra ID P2) tenant; roleAssignments works in any tenant.
4. Automating with a PowerShell Script
Here's a full script to fetch and log privileged admins (the `#` comment markers and `$_` automatic variable are restored here; a role assignment carries the principal's object ID, not its display name, so resolve `principalId` against /directoryObjects/{id} if you need names):
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
# Fetch privileged role assignments (first page only; follow @odata.nextLink in large tenants)
$privilegedAdmins = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri '/beta/roleManagement/directory/roleAssignments?$expand=roleDefinition&$filter=roleDefinition/isPrivileged eq true'
# Output results
$privilegedAdmins.value | ForEach-Object {
Write-Output "Principal: $($_.principalId) - Role: $($_.roleDefinition.displayName) - Scope: $($_.directoryScopeId)"
}
# Export to CSV (scalar columns only; Export-Csv cannot flatten the nested roleDefinition object)
$privilegedAdmins.value |
Select-Object principalId, directoryScopeId, @{n='Role'; e={ $_.roleDefinition.displayName }} |
Export-Csv -Path "PrivilegedAdmins_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
# Disconnect
Disconnect-MgGraph
5. Linux Equivalent (Using Azure CLI)
If you're on Linux (or anywhere without PowerShell), Azure CLI works the same way. `az rest` attaches a Microsoft Graph token automatically for graph.microsoft.com URLs, so no Authorization header is needed. If you build the header yourself, request the token with `az account get-access-token --resource-type ms-graph`; the default token is issued for Azure Resource Manager and Graph rejects it.
az rest --method GET --url 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$expand=roleDefinition&$filter=roleDefinition/isPrivileged eq true'
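Putting steps 2 to 4 together, here is an added example (not code from the original post or from its author) of a complete privileged-admin inventory: it follows `@odata.nextLink` paging, covers permanent, PIM-activated and PIM-eligible assignments by reading the PIM schedule endpoints (`roleAssignmentScheduleInstances`, whose `assignmentType` is "Assigned" or "Activated", and `roleEligibilityScheduleInstances`), resolves principal IDs to names, and writes one CSV with an Assignment Type column. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to `RoleManagement.Read.Directory` and `Directory.Read.All` (the latter is only used to resolve `principalId` via /directoryObjects), and that the tenant is PIM-licensed so the schedule endpoints are available. The `isPrivileged` check is done client-side against a cached list of role definitions rather than with the server-side `$filter` used above, so both endpoints share one code path. Column names and helper names are this example's own.

```powershell
# Added example (not from the original post): privileged Entra ID role inventory across
# permanent, PIM-activated and PIM-eligible assignments, with paging and principal resolution.
# Assumptions: Microsoft.Graph module installed; RoleManagement.Read.Directory for role data;
# Directory.Read.All only for /directoryObjects lookups; tenant licensed for PIM.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Follow @odata.nextLink so tenants with more than one page of results are not truncated.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject -ErrorAction Stop
        $items += $page.value
        $Uri = $page.'@odata.nextLink'   # absolute URL of the next page, or $null on the last page
    } while ($Uri)
    return $items
}

# Cache all role definitions once, keyed by ID: no $expand needed and isPrivileged is checked locally.
$roleDefs = @{}
foreach ($d in (Get-GraphCollection -Uri '/beta/roleManagement/directory/roleDefinitions')) {
    $roleDefs[$d.id] = $d
}

# Resolve each principal ID once; a deleted principal leaves an orphaned assignment worth flagging.
$principalCache = @{}
function Resolve-Principal {
    param([Parameter(Mandatory)][string]$Id)
    if (-not $principalCache.ContainsKey($Id)) {
        try {
            $principalCache[$Id] = Invoke-MgGraphRequest -Method GET -Uri "/v1.0/directoryObjects/$Id" -OutputType PSObject -ErrorAction Stop
        } catch {
            $principalCache[$Id] = [pscustomobject]@{ displayName = '<unresolved or deleted>'; userPrincipalName = $null; '@odata.type' = '#microsoft.graph.unknown' }
        }
    }
    return $principalCache[$Id]
}

$rows = [System.Collections.Generic.List[object]]::new()
function Add-Row {
    param($Instance, [string]$Kind)
    $def = $roleDefs[$Instance.roleDefinitionId]
    if (-not $def -or -not $def.isPrivileged) { return }   # keep only Microsoft-flagged privileged roles
    $p = Resolve-Principal -Id $Instance.principalId
    $rows.Add([pscustomobject]@{
        Principal      = $p.displayName
        UPN            = $p.userPrincipalName
        PrincipalType  = ($p.'@odata.type' -replace '^#microsoft\.graph\.', '')   # user, group, servicePrincipal
        Role           = $def.displayName
        Scope          = $Instance.directoryScopeId   # "/" means tenant-wide
        AssignmentType = $Kind                         # Permanent, PIM-Activated or PIM-Eligible
        MemberType     = $Instance.memberType          # Direct, Group or Inherited
        EndDateTime    = $Instance.endDateTime         # $null for permanent assignments
    })
}

# Active assignments: assignmentType is "Assigned" (permanent) or "Activated" (PIM, time-bound).
foreach ($i in (Get-GraphCollection -Uri '/beta/roleManagement/directory/roleAssignmentScheduleInstances')) {
    Add-Row -Instance $i -Kind $(if ($i.assignmentType -eq 'Activated') { 'PIM-Activated' } else { 'Permanent' })
}
# Eligible assignments: the principal can activate the role but does not hold it right now.
foreach ($i in (Get-GraphCollection -Uri '/beta/roleManagement/directory/roleEligibilityScheduleInstances')) {
    Add-Row -Instance $i -Kind 'PIM-Eligible'
}

$rows | Sort-Object Role, Principal | Format-Table -AutoSize
$rows | Export-Csv -Path "PrivilegedAdmins_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Disconnect-MgGraph
```

Two things to look for in the output: rows whose Principal is `<unresolved or deleted>` (stale assignments to be removed) and rows with MemberType `Group`, where the real set of admins is the group's membership and must be enumerated separately.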
What Undercode Say:
Querying privileged roles is critical for security audits and compliance. Automating it with PowerShell or Azure CLI turns a one-off snapshot into continuous monitoring: diff each day's export against the previous one to catch new privileged assignments. Grant the Graph read scopes used here only to the accounts that need them, because the output is itself a target list for an attacker.
Expected Output:
A structured CSV or on-screen list of privileged role holders, including:
– Principal (object ID, or UPN/display name once the ID is resolved)
– Role Name
– Assignment Type (Permanent/PIM-activated/PIM-eligible), when the PIM schedule endpoints are queried as well as roleAssignments
Prediction:
As cloud identity management evolves, expect stricter role querying permissions and more granular PIM controls to prevent over-privileged access.
Reported By: Nathanmcnulty Im – Hackers Feeds


