I am currently trying to get all the roles that can be associated to a given group in Azure AD. I have been successful so far using the Get-MgRoleManagementDirectoryRoleAssignment command. But the problem is that this command is only offering me the roles in the Active Assignments tab. Is there a way for me to be able to gather the values for the Eligible Assignments tab?
I have created an array populated by the groups I have, given them their names and the objectId, and then I am just running this foreach loop:
foreach ($group in $groups) {
    $objectId = $group.ObjectId
    # Active assignments only: this endpoint does not return PIM eligible assignments
    $RoleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "PrincipalId eq '$objectId'"
    # Unfiltered list of every active assignment in the tenant (not used further below)
    $allRoleAssignments = Get-MgRoleManagementDirectoryRoleAssignment
    foreach ($assignment in $RoleAssignments) {
        # Resolve the role definition id to its display name
        $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $assignment.RoleDefinitionId
        Write-Output "Group Name: $($group.Name), Assigned Role Name: $($roleDefinition.DisplayName)"
    }
}
All of this is working fine, but it only gives me the values in the active roles section. I have also tried checking using the Graph API, also nothing relevant showed up so far. Thank you!
Initially, I created Security Group Group02 and assigned Application Administrator as an Eligible Assignment role.
Note: For eligible assignments, roleEligibilityScheduleInstances is used.
Use the Graph query below:
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleInstances?$filter=principalId eq '<GroupObjectId>'&$expand=roleDefinition
Use the PowerShell command below:
Import-Module Microsoft.Graph.Identity.Governance
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "principalId eq '<group object id>'" -ExpandProperty "roleDefinition"
Reference:
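Putting the two endpoints together, as an added example that is not part of the question or the answer above: one script that reports both the active assignments (roleAssignments) and the PIM eligible assignments (roleEligibilityScheduleInstances) for a list of groups. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller can consent to RoleManagement.Read.Directory and Group.Read.All, and the group names Group01 and Group02 are placeholders.

```powershell
# Added example, not the poster's code. Assumes Microsoft.Graph SDK modules and
# a caller allowed to consent to the scopes below.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Group.Read.All"

# Placeholder group names; replace with the groups you want to audit.
$groupNames = @('Group01', 'Group02')

$results = foreach ($name in $groupNames) {
    $group = Get-MgGroup -Filter "displayName eq '$name'" -Property Id, DisplayName
    if (-not $group) { Write-Warning "Group '$name' not found"; continue }
    $objectId = $group.Id

    # Active assignments: what Get-MgRoleManagementDirectoryRoleAssignment returns.
    # $expand=roleDefinition avoids one extra lookup per assignment.
    Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "principalId eq '$objectId'" -ExpandProperty roleDefinition |
        ForEach-Object {
            [pscustomobject]@{
                GroupName      = $group.DisplayName
                AssignmentType = 'Active'
                RoleName       = $_.RoleDefinition.DisplayName
                Scope          = $_.DirectoryScopeId
                EndDateTime    = $null
            }
        }

    # Eligible assignments (PIM): only visible through roleEligibilityScheduleInstances.
    Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
        -Filter "principalId eq '$objectId'" -ExpandProperty roleDefinition |
        ForEach-Object {
            [pscustomobject]@{
                GroupName      = $group.DisplayName
                AssignmentType = 'Eligible'
                RoleName       = $_.RoleDefinition.DisplayName
                Scope          = $_.DirectoryScopeId
                EndDateTime    = $_.EndDateTime   # $null for permanent eligibility
            }
        }
}

$results | Sort-Object GroupName, AssignmentType, RoleName | Format-Table -AutoSize
```

A row with AssignmentType 'Eligible' for a privileged role such as Application Administrator is the case the question's original loop silently misses, so both rows need to be reviewed when auditing what a group can activate.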