Enumerating Azure AD administrative accounts with PowerShell
Users can hold different administrative roles in Azure AD. The Azure Portal shows these roles and their members, but sometimes it is more useful to have roles and members as a list of PowerShell objects, for example to filter, compare or export them.
To log in to your Azure AD tenant use:
Connect-AzureAD -TenantId xxx
where xxx is your tenant ID. The -TenantId parameter is optional, but if your account is a member of several Azure AD tenants it selects the right one.
After logging in with your credentials you can list the directory roles with:
Get-AzureADDirectoryRole
The output lists each role with its ObjectId, DisplayName and Description. Note that Get-AzureADDirectoryRole only returns roles that have been activated in the tenant (a role is activated the first time it is assigned to someone); Get-AzureADDirectoryRoleTemplate lists all role templates that exist, whether activated or not.
A PSCustomObject is a convenient way to build a list of custom objects, one per role/member pair. The full code:
# Collect one custom object per (role, member) pair
$roleUsers = @()
$roles = Get-AzureADDirectoryRole
ForEach ($role in $roles) {
    # All members of this role: usually users, but groups and service principals can hold roles too
    $users = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    ForEach ($user in $users) {
        Write-Host $role.DisplayName, $user.DisplayName
        # IsAdSynced is $true only for accounts synchronised from on-premises AD;
        # objects without a DirSyncEnabled property (e.g. service principals) yield $false
        $obj = [PSCustomObject]@{
            RoleName        = $role.DisplayName
            UserDisplayName = $user.DisplayName
            IsAdSynced      = ($user.DirSyncEnabled -eq $true)
        }
        $roleUsers += $obj
    }
}
$roleUsers
The result is one object per role/member pair with the properties RoleName, UserDisplayName and IsAdSynced, which you can pipe into Where-Object, Sort-Object or Export-Csv like any other PowerShell object.
Feel free to extend the custom object with other values from the Azure AD user object, e.g. UserPrincipalName, AccountEnabled or ObjectType.
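As an added example (not part of the original post), the following function takes the same role/member walk a step further: it records what kind of object holds each role, reads user-only properties defensively, and then answers the two questions a security reviewer usually asks first, namely which Global Administrators are synchronised from on-premises AD (an on-premises compromise, for instance of the AD Connect server, would hand the attacker a tenant admin) and which non-user principals hold any role. It assumes the AzureAD module is installed and Connect-AzureAD has already succeeded; the property names used (ObjectType, UserPrincipalName, AccountEnabled, DirSyncEnabled, RoleTemplateId) are those returned by the AzureAD module, and the Global Administrator role is matched by its well-known template ID rather than by display name, because older tenants show that role as "Company Administrator". The function name Get-AadRoleAssignmentReport and the CSV file name are my own choices. The AzureAD module has since been deprecated in favour of the Microsoft Graph PowerShell SDK (Get-MgDirectoryRole / Get-MgDirectoryRoleMember); the logic ports directly.

```powershell
# Added example, not code from the original post.
# Assumes: AzureAD module installed, Connect-AzureAD already done.

function Get-AadRoleAssignmentReport {
    [CmdletBinding()]
    param(
        # Optional: only report these role display names; default is every activated role
        [string[]]$RoleName
    )

    # A generic list avoids the O(n^2) cost of "$array += $obj" on large tenants
    $report = [System.Collections.Generic.List[object]]::new()

    $roles = Get-AzureADDirectoryRole
    if ($RoleName) {
        $roles = $roles | Where-Object { $_.DisplayName -in $RoleName }
    }

    foreach ($role in $roles) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        foreach ($member in $members) {
            # Role members are not only users: groups and service principals can hold roles too.
            # Those objects have no UserPrincipalName or DirSyncEnabled, so only read them for users.
            $isUser = ($member.ObjectType -eq 'User')
            if ($isUser) {
                $memberId       = $member.UserPrincipalName
                $accountEnabled = [bool]$member.AccountEnabled
                $isAdSynced     = ($member.DirSyncEnabled -eq $true)
            } else {
                $memberId       = $member.ObjectId
                $accountEnabled = $null
                $isAdSynced     = $false
            }

            $report.Add([PSCustomObject]@{
                RoleName          = $role.DisplayName
                RoleTemplateId    = $role.RoleTemplateId
                MemberType        = $member.ObjectType
                MemberDisplayName = $member.DisplayName
                MemberId          = $memberId
                AccountEnabled    = $accountEnabled
                IsAdSynced        = $isAdSynced
            })
        }
    }
    return $report
}

# Well-known role template ID of Global Administrator (display name differs between tenants:
# "Global Administrator" today, "Company Administrator" in older output)
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Usage: build the full report once, then derive the views from it
$assignments = Get-AadRoleAssignmentReport

# 1. Global Administrators synchronised from on-premises AD (should ideally be none;
#    tenant admins are best kept as cloud-only accounts)
$assignments |
    Where-Object { $_.RoleTemplateId -eq $GlobalAdminTemplateId -and $_.IsAdSynced } |
    Format-Table RoleName, MemberDisplayName, MemberId, AccountEnabled -AutoSize

# 2. Non-user principals (service principals, groups) holding any directory role
$assignments |
    Where-Object { $_.MemberType -ne 'User' } |
    Format-Table RoleName, MemberType, MemberDisplayName, MemberId -AutoSize

# Keep the full list as a baseline so the next run can be diffed against it (file name is my choice)
$assignments | Export-Csv -Path .\aad-role-assignments.csv -NoTypeInformation
```

Re-running the script and comparing the CSV with the previous baseline (Compare-Object on RoleName plus MemberId) turns this one-off enumeration into a simple detection for newly added administrators.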
First published on: https://www.sepago.de/blog/enumerating-azure-ad-administrative-accounts-with-powershell-2/