List Microsoft Entra role assignments

This article describes how to list roles you have assigned in Microsoft Entra ID using the Microsoft Entra admin center, Microsoft Graph PowerShell, or Microsoft Graph API.

Role assignments contain information linking a given security principal (a user, group, or application service principal) to a role definition. Listing users, groups, and assigned roles are default user permissions.

Scopes

In Microsoft Entra ID, roles can be assigned at different scopes.

  • Role assignments at tenant scope are added to and can be seen in the list of single application role assignments.
  • Role assignments at the single application scope aren't added to and can't be seen in the list of tenant scoped assignments.

Prerequisites

For more information, see Prerequisites to use PowerShell or Graph Explorer.

List Microsoft Entra role assignments

Tip

Steps in this article might vary slightly based on the portal you start from.

List my role assignments

It's easy to list your own permissions as well. On the Roles and administrators page, select Your Role to see the roles that are currently assigned to you.

Screenshot of Roles and administrators page in Microsoft Entra admin center.

List role assignments for a user

Follow these steps to list Microsoft Entra roles for a user using the Microsoft Entra admin center. Your experience will be different depending on whether you have Microsoft Entra Privileged Identity Management (PIM) enabled.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Users > All users.

  3. Select user name > Assigned roles.

    You can see the list of roles assigned to the user at different scopes. Additionally, you can see whether the role has been assigned directly or via a group.

    Screenshot of roles assigned to a user.

    If you have a Microsoft Entra ID P2 license, you'll see the PIM experience, which has eligible, active, and expired role assignment details.

    Screenshot of roles assigned to a user in PIM.

List role assignments for a group

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Groups > All groups.

  3. Select a role-assignable group.

    To determine if a group is role-assignable, you can view the Properties for the group.

  4. Select Assigned roles.

    You can now see all the Microsoft Entra roles assigned to this group. If you don't see the Assigned roles option, the group is not a role-assignable group.

    Screenshot of roles assigned to a group.

Download role assignments

To download all active role assignments across all roles, including built-in and custom roles, follow these steps.

Bulk operations can only run for up to 1 hour and has limitations in large tenants. For more information, see Bulk operations and Bulk create users in Microsoft Entra ID.

  1. On the Roles and administrators page, select All roles.

  2. Select Download assignments.

    Screenshot of pane to download all role assignments.

  3. Specify a file name and select Start download.

    A CSV file that lists assignments at all scopes for all roles is downloaded.

To download role assignments for a specific role, follow these steps.

  1. On the Roles and administrators page, select a role.

  2. Select Download assignments.

    If you have a Microsoft Entra ID P2 license, you'll see the PIM experience. Select Export to download the role assignments.

    A CSV file that lists assignments at all scopes for that role is downloaded.

List role assignments with tenant scope

This procedure describes how to list role assignments with tenant scope.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Roles & admins > Roles & admins.

  3. Select a role name to open the role. Don't add a check mark next to the role.

    Screenshot of Roles and administrators page with mouse over role name.

  4. Select Assignments to list the role assignments.

    Screenshot that lists role assignments with tenant scope.

  5. In the Scope column, see the role assignments with Directory scope.

List role assignments with app registration scope

This section describes how to list role assignments with single-application scope.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Applications > App registrations.

  3. Select an app registration for the list of role assignments you want to view.

    You might have to select All applications to see the complete list of app registrations in your Microsoft Entra organization.

  4. Select Roles and administrators.

  5. Select a role name to open the role.

  6. Select Assignments to list the role assignments.

    Opening the assignments page from within the app registration shows you the role assignments that are scoped to this Microsoft Entra resource.

    Screenshot that lists role assignments with application registration scope.

  7. In the Scope column, see the role assignments with This resource scope.

List role assignments with administrative unit scope

You can view all the role assignments created with an administrative unit scope in the Admin units section of the Microsoft Entra admin center.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Roles & admins > Admin units.

  3. Select an administrative unit for the list of role assignments you want to view.

  4. Select Roles and administrators.

  5. Select a role name to open the role.

  6. Select Assignments to list the role assignments.

    Screenshot that lists role assignments with administrative unit scope.

  7. In the Scope column, see the role assignments with This resource scope.

Next steps