Entra ID Admin Roles Report

Introduction

Every administrator knows the problem of managing roles and permissions. It’s often a struggle to get a good overview of who has access to what, and reviewing this periodically can be a real headache. I’ve encountered this issue multiple times, and it often leads to messy spreadsheets with countless lines of information.

So I developed a solution, aiming for a responsive overview with easy filtering and viewing, and clear indicators that highlight anomalies.

Requirements

  • Microsoft.Graph.Authentication module: This module is required for authenticating with the Microsoft Graph API.
  • Permissions: The script requires the following Microsoft Graph API permissions:
    • Directory.Read.All
    • PrivilegedEligibilitySchedule.Read.AzureADGroup
    • RoleManagement.Read.Directory (if including privileged assignments)
    • AuditLog.Read.All (NEW – Required for PIM Audit Logs)

Features

  • Comprehensive Role Assignment Overview: See all role assignments in one place, clearly showing who has which permissions.
  • Detailed Reporting: The script provides detailed reports on users, groups, and service principals and their assigned roles.
  • Privileged Identity Management (PIM) Support: If enabled, the script can collect information about PIM eligible role assignments.
  • Security Group Expansion: The script shows the members of security groups that are assigned to roles.
  • Administrative Unit Support: The script identifies the Administrative Units that roles are assigned to.
  • Multiple Report Outputs: The script generates an HTML report divided into sections.
  • PIM Audit Logs: Provides a section in the report to view and filter PIM audit logs.
  • Mail functionality: Reports can now be emailed using the -SendMail, -Recipient, and -From parameters.

How does it work?

This script is available in the PowerShell Gallery (https://www.powershellgallery.com/packages/Generate-EntraAdminRolesReport/). You can install it with the following command:

Install-Script Generate-EntraAdminRolesReport -Force

Interactive Authentication

This is the simplest way to run the script. It will prompt you to log in with your Entra ID credentials.

Generate-EntraAdminRolesReport.ps1

Client Secret Authentication

This method is useful for automation scenarios. You’ll need to create an Entra ID application and grant it the required permissions.

Generate-EntraAdminRolesReport.ps1 -TenantId "your-tenant-id" -ClientId "your-client-id" -ClientSecret "your-client-secret"

Certificate Authentication

This method is also suitable for automation and is more secure than using a client secret. You’ll need to create an Entra ID application, upload a certificate, and provide the certificate thumbprint.

Generate-EntraAdminRolesReport.ps1 -TenantId "your-tenant-id" -ClientId "your-client-id" -CertificateThumbprint "your-certificateThumbprint"
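As an added example (not code from the Generate-EntraAdminRolesReport script itself), this is the core of what such a report pulls: it signs in with the same certificate-based app credentials, enumerates the tenant's active directory role assignments via Microsoft Graph, resolves role and principal names, and warns about roles with more permanent members than a threshold. It assumes the Microsoft.Graph.Authentication module is installed and that the app holds RoleManagement.Read.Directory and Directory.Read.All; the threshold value is a constructed placeholder.

```powershell
# Added example, not part of the Generate-EntraAdminRolesReport script.
# Assumes: Microsoft.Graph.Authentication installed; app has
# RoleManagement.Read.Directory and Directory.Read.All.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $CertificateThumbprint
)

Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
    -CertificateThumbprint $CertificateThumbprint -NoWelcome

# Fetch every page of a Graph collection, following @odata.nextLink.
function Get-GraphCollection([string] $Uri) {
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# Map role definition ids to display names once, instead of one call per assignment.
$roleNames = @{}
foreach ($r in Get-GraphCollection 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$select=id,displayName') {
    $roleNames[$r.id] = $r.displayName
}

# Active (permanent) assignments, with the principal expanded to get its type and name.
$rows = foreach ($a in Get-GraphCollection 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$expand=principal') {
    [pscustomobject]@{
        Role          = $roleNames[$a.roleDefinitionId]
        PrincipalType = $a.principal.'@odata.type' -replace '^#microsoft\.graph\.', ''
        Principal     = $a.principal.displayName
        Scope         = $a.directoryScopeId   # '/' is tenant-wide; otherwise an AU or app scope
    }
}

# Flag roles whose permanent membership exceeds a threshold (constructed value; tune per tenant).
$threshold = 5
$rows | Group-Object Role | Where-Object Count -gt $threshold | ForEach-Object {
    Write-Warning ("{0}: {1} permanent assignments" -f $_.Name, $_.Count)
}

$rows | Sort-Object Role, PrincipalType | Format-Table -AutoSize
```

PIM-eligible assignments are not included here; they live under a separate Graph endpoint and need the PrivilegedEligibilitySchedule permission listed in the requirements.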

Access Token Authentication

Accepts a pre-acquired access token for authentication. Useful when you’ve already obtained a token through another process or when integrating with existing authentication workflows. Provides flexibility but requires separate token management.

Generate-EntraAdminRolesReport.ps1 -Accesstoken "AccessToken"

Managed Identity Authentication

Uses Azure’s managed identities to authenticate without storing credentials. Ideal for scripts running in Azure environments (VMs, Functions, Automation). It is the most secure option because it removes credential management entirely.

Generate-EntraAdminRolesReport.ps1 -Identity "ManagedIdentity"

Email Functionality

The -SendEmail switch emails the report automatically as soon as it has been generated.

Generate-EntraAdminRolesReport.ps1 -SendEmail -Recipient "Recipient" -From "Sender"

Conclusion

Hopefully, this script will make it easier for you to get an overview of assigned roles. It’s designed to simplify what has traditionally been a complex and time-consuming task for administrators. The script provides a clear, interactive report, allowing you to quickly see who has access to what within your Microsoft 365 environment.

If you encounter any bugs or have ideas for improvements, please let me know. I’m actively maintaining this tool and welcome your feedback to make it even better.