Question 282784 in Azure Question posted in
The official documentation to get you started can be found here.

Reading Azure directory roles (built in roles) via Graph API

Is there any way to see which Azure directory roles (built-in roles) a user is assigned to?

I need the information we get when we find the user and go to "Assigned Roles".
I’ve tried to find some commands in the Azure documentation however without success.

Thanks in advance

Tags:

2

Answers


  1. 0

    The easiest way to do this is using PowerShell and the Microsoft Graph PowerShell SDK. See the example below.

    
$tenant = "yourtenant.onmicrosoft.com";
$disconnectGraphAfterExecution = $true;


Connect-MgGraph -Scopes User.Read.All,RoleManagement.Read.All -TenantId $tenant -NoWelcome;


$portalUsers = Get-MgBetaUser -all -filter "creationType eq 'Invitation'";


foreach ($portalUser in $portalUsers) {
    $directoryRolesForUser = "";
    Get-MgBetaUserMemberOfAsDirectoryRole -UserId $user.Id | ForEach-Object { $directoryRolesForUser += $_.DisplayName + ", "; };

    $directoryRolesForUser = $string.TrimEnd(', ');

    $portalUsers | Add-Member "DirectoryRoles" $directoryRolesForUser -Force;
}

$portalUsers | Select-Object Id, DisplayName, mail, CreationType, ExternalUserState, DirectoryRoles | fl;

if ($disconnectGraphAfterExecution) { Disconnect-MgGraph; };
    Login or Signup to reply.
  2. 0

    First, we have graph API to list all the built-in roles. So that we could know it’s a directory object as well.

    GET https://graph.microsoft.com/v1.0/directoryRoles

    So we could search in the user methods and find that we have relationship MemberOf to give us the diretory objects the user belongs to.

    enter image description here

    Using API like below could give us the properties.

    Get
    https://graph.microsoft.com/v1.0/users/user_id?$expand=memberOf($select=displayName,id)

    enter image description here

    It proved that memberof is what we need to get, and we just need to add a filter to get all the directory roles. So here’s the API I found.

    https://graph.microsoft.com/v1.0/Users/user_id/memberOf/$/microsoft.graph.directoryRole

    enter image description here

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search