My goal is to compare the different roles/permissions as they pertain to user memberships for our Azure/M365 environment. This would include Azure / EOL / Defender and, if possible, the subscriptions as well. I'm not sure whether I have missed any places for tenant/service-level permissions; if I have, I would want those as well...
I have just started this process and have not been able to locate a comprehensive solution.
To list all the subscription roles, use the command below:
# Requires the Az.Accounts and Az.Resources modules
Connect-AzAccount
Get-AzRoleDefinition | Format-Table Name, Description -Wrap
To get subscription roles and members, use the script below:
Connect-AzAccount
# Get-AzRoleAssignment reports the subscription in the current Az context only.
# The assignment object exposes SignInName and ObjectType (User/Group/ServicePrincipal); it has no PrincipalName property.
$roleAssignments = Get-AzRoleAssignment | Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope
$roleAssignments | Format-Table -AutoSize
To list directory roles, use the command below:
# Requires the Microsoft.Graph.Identity.DirectoryManagement module and a read permission on the directory
Connect-MgGraph -Scopes "Directory.Read.All"
$directoryRoles = Get-MgDirectoryRole
$directoryRoles | Select-Object DisplayName, Description
To fetch Azure/directory roles and members, use the script below:
# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
Connect-MgGraph -Scopes "Directory.Read.All"
$roles = Get-MgDirectoryRole
$report = foreach ($role in $roles) {
    $roleName = $role.DisplayName
    # Members come back as generic directory objects (users, groups or service principals),
    # so read the properties from AdditionalProperties rather than calling Get-MgUser,
    # which fails for any member that is not a user.
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [PSCustomObject]@{
            DisplayName       = $_.AdditionalProperties['displayName']
            UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
            MemberType        = $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
            Role              = $roleName
        }
    }
}
$report | Format-Table -AutoSize
To fetch Exchange Online roles, use the command below:
# Requires the ExchangeOnlineManagement module
Connect-ExchangeOnline
# Each assignment links a management role to an assignee (normally a role group)
$exchangeRoles = Get-ManagementRoleAssignment | Select-Object Name, Role, RoleAssigneeName, RoleAssigneeType
$exchangeRoles | Format-Table -AutoSize
References:
Get-ManagementRole (ExchangePowerShell) | Microsoft
Get-ManagementRoleAssignment (ExchangePowerShell) | Microsoft
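The subscription-level part of the answer above lists only the subscription in the current Az context. The script below is an added example (not part of the original answer) that walks every subscription the signed-in account can see, records the scope each assignment lives at (management group, subscription, resource group or resource), and flags the roles that can change access. It assumes the Az.Accounts and Az.Resources modules; the output file name, the list of "high-impact" roles and the `Expand-AzGroupMembers` helper (which assumes `Get-AzADGroupMember` returns an `OdataType` property) are my own choices, not something the answer defines.

```powershell
# Added example: Azure RBAC inventory across all subscriptions (not from the original post).
Connect-AzAccount | Out-Null

# Roles that grant the ability to grant access; a practitioner wants these surfaced first.
$highImpactRoles = @('Owner', 'User Access Administrator', 'Role Based Access Control Administrator')

function Expand-AzGroupMembers {
    # Recursively list the users/service principals behind a group-based assignment.
    # Assumes Get-AzADGroupMember exposes an OdataType property on each member.
    param([string]$GroupId)
    foreach ($m in Get-AzADGroupMember -GroupObjectId $GroupId) {
        if ($m.OdataType -eq '#microsoft.graph.group') {
            Expand-AzGroupMembers -GroupId $m.Id
        } else {
            $m
        }
    }
}

$inventory = foreach ($sub in Get-AzSubscription) {
    # Get-AzRoleAssignment is context-bound, so switch context per subscription.
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    # -IncludeClassicAdministrators also surfaces legacy co-administrators,
    # which do not appear in the RBAC view at all otherwise.
    Get-AzRoleAssignment -IncludeClassicAdministrators | ForEach-Object {
        $effective = if ($_.ObjectType -eq 'Group') {
            (Expand-AzGroupMembers -GroupId $_.ObjectId | ForEach-Object { $_.DisplayName }) -join ';'
        } else { $_.DisplayName }

        [PSCustomObject]@{
            Subscription   = $sub.Name
            Principal      = $_.DisplayName
            SignInName     = $_.SignInName
            PrincipalType  = $_.ObjectType
            Role           = $_.RoleDefinitionName
            HighImpact     = $highImpactRoles -contains $_.RoleDefinitionName
            Scope          = $_.Scope
            Inherited      = -not $_.Scope.StartsWith("/subscriptions/$($sub.Id)")
            EffectiveUsers = $effective
        }
    }
}

# Constructed file name; change as required.
$inventory | Export-Csv -Path .\azure-rbac-inventory.csv -NoTypeInformation
$inventory | Where-Object HighImpact | Format-Table Subscription, Principal, Role, Scope, Inherited -AutoSize
```

Management-group assignments show up here with an `Inherited` value of `True` because their `Scope` starts with `/providers/Microsoft.Management/managementGroups/`; they are applied to every subscription underneath, so a single Owner at the root management group appears once per subscription in the export.

For the tenant-level side of the question (directory roles plus Exchange Online), the following is a second added example, again not from the original answer. It uses the unified role-management endpoint instead of `Get-MgDirectoryRole`, because that cmdlet returns only roles already activated in the tenant and does not show PIM-eligible or admin-unit-scoped assignments, and it expands Exchange Online role groups to their members. It assumes the Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.DirectoryManagement and ExchangeOnlineManagement modules; the eligibility query needs Entra ID P2, and the CSV name and the `Resolve-Principal` helper are my own.

```powershell
# Added example: Entra directory roles (active + PIM eligible) and Exchange Online role groups.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Map role definition ids to names so the report shows names, not GUIDs.
$roleDefs = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleDefs[$_.Id] = $_.DisplayName }

function Resolve-Principal {
    # Assignments carry only a principalId; look up the directory object for name and type.
    param([string]$Id)
    $o = Get-MgDirectoryObject -DirectoryObjectId $Id
    [PSCustomObject]@{
        Name = $o.AdditionalProperties['displayName']
        Upn  = $o.AdditionalProperties['userPrincipalName']
        Type = $o.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
    }
}

function New-RoleRow($Source, $Role, $Principal, $State, $Scope) {
    [PSCustomObject]@{
        Source = $Source; Role = $Role; Principal = $Principal.Name
        Upn = $Principal.Upn; PrincipalType = $Principal.Type; State = $State; Scope = $Scope
    }
}

$entra = @()
# Active assignments: permanent ones plus PIM roles that are currently activated.
foreach ($a in Get-MgRoleManagementDirectoryRoleAssignment -All) {
    $entra += New-RoleRow 'Entra' $roleDefs[$a.RoleDefinitionId] (Resolve-Principal $a.PrincipalId) 'Active' $a.DirectoryScopeId
}
# Eligible assignments: not in effect now, but the principal can activate them (Entra ID P2).
foreach ($e in Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All) {
    $entra += New-RoleRow 'Entra' $roleDefs[$e.RoleDefinitionId] (Resolve-Principal $e.PrincipalId) 'Eligible' $e.DirectoryScopeId
}

# Exchange Online: management roles are granted through role groups, so list group members.
Connect-ExchangeOnline -ShowBanner:$false
$exo = foreach ($rg in Get-RoleGroup) {
    foreach ($m in Get-RoleGroupMember -Identity $rg.Identity) {
        $p = [PSCustomObject]@{ Name = $m.Name; Upn = $m.PrimarySmtpAddress; Type = $m.RecipientType }
        New-RoleRow 'ExchangeOnline' $rg.Name $p 'Active' 'Tenant'
    }
}

# Constructed file name; "/" as DirectoryScopeId means tenant-wide, anything else is an admin unit.
$entra + $exo | Export-Csv -Path .\tenant-role-inventory.csv -NoTypeInformation
$entra | Where-Object { $_.Role -eq 'Global Administrator' } | Format-Table Principal, PrincipalType, State -AutoSize
```

Role-assignable groups appear in the Entra part with `PrincipalType` of `group`; their members inherit the role, so treat a group row the same way as the group-expansion step in the subscription example and enumerate its membership before signing off on the count of administrators.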