List Microsoft Entra role definitions

A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically just called a role. Microsoft Entra ID has over 60 built-in roles or you can create your own custom roles. If you ever wondered "What the do these roles really do?", you can see a detailed list of permissions for each of the roles.

This article describes how to list the Microsoft Entra built-in and custom roles along with their permissions.

Prerequisites

  • Microsoft Graph PowerShell SDK installed when using PowerShell
  • Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Microsoft Entra admin center

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Roles & admins > Roles & admins.

    list of roles in Azure portal

  3. On the right, select the ellipsis and then Description to see the complete list of permissions for a role.

    The page includes links to relevant documentation to help guide you through managing roles.

    Screenshot that shows the "Conditional Access Administrator - Description" page.

PowerShell

Follow these steps to list Microsoft Entra roles using PowerShell.

  1. Open a PowerShell window. If necessary, use Install-Module to install Microsoft Graph PowerShell. For more information, see Prerequisites to use PowerShell or Graph Explorer.

    Install-Module Microsoft.Graph -Scope CurrentUser
    
  2. In a PowerShell window, use Connect-MgGraph to sign in to your tenant.

    Connect-MgGraph -Scopes "RoleManagement.Read.All"
    
  3. Use Get-MgRoleManagementDirectoryRoleDefinition to get all roles.

    Get-MgRoleManagementDirectoryRoleDefinition
    
  4. To view the list of permissions of a role, use the following cmdlet.

    # Do this avoid truncation of the list of permissions
    $FormatEnumerationLimit = -1
    
    (Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Conditional Access Administrator'").RolePermissions | Format-list
    

Microsoft Graph API

Follow these instructions to list Microsoft Entra roles using the Microsoft Graph API in Graph Explorer.

  1. Sign in to the Graph Explorer.

  2. Select GET as the HTTP method from the dropdown.

  3. Select the API version to v1.0.

  4. Add the following query to use the List unifiedRoleDefinitions API.

    GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
    
  5. Select Run query to list the roles.

  6. To view permissions of a role, use the following API.

    GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=DisplayName eq 'Conditional Access Administrator'&$select=rolePermissions
    

Next steps