Marcel
Marcel That's me: Marcel

Enumerating Azure AD administrative accounts with PowerShell

Enumerating Azure AD administrative accounts with PowerShell

Users can have different administrative roles in Azure Ad. Azure Portal can show these roles and members. Sometimes it can be favorable to get roles and members in a PowerShell object list.

To login into your Azure AD tenant use:

Connect-AzureAD -TenantId xxx

Where xxx is your tenant id. The -TenantId is optional. But if your account member of different Azure ADs you can select the right one.

After login in with your credential you can show the different roles with:

Get-AzureADDirectoryRole

Output:

img

Using PSCustomObject helps to build a list/array of custom objects to save all roles and users. The full code:


$roleUsers = @() 
$roles=Get-AzureADDirectoryRole

ForEach($role in $roles) {
  $users=Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
  ForEach($user in $users) {
    write-host $role.DisplayName,$user.DisplayName
    $obj = New-Object PSCustomObject
    $obj | Add-Member -type NoteProperty -name RoleName -value ""
    $obj | Add-Member -type NoteProperty -name UserDisplayName -value ""
    $obj | Add-Member -type NoteProperty -name IsAdSynced -value false
    $obj.RoleName=$role.DisplayName
    $obj.UserDisplayName=$user.DisplayName
    $obj.IsAdSynced=$user.DirSyncEnabled -eq $true
    $roleUsers+=$obj
  }
}
$roleUsers

Output:

img

Feel free to extend the custom object with other values form Azure AD user object.

First published on: https://www.sepago.de/blog/enumerating-azure-ad-administrative-accounts-with-powershell-2/