List Microsoft Entra role definitions
A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically referred to as a role. Microsoft Entra ID has over 60 built-in roles or you can create your own custom roles. If you ever wondered "What do these roles really do?", you can access a detailed list of permissions for each of the roles.
This article describes how to list the Microsoft Entra built-in and custom roles along with their permissions.
Prerequisites
- Microsoft Graph PowerShell SDK installed when using PowerShell
- Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Microsoft Entra admin center
Tip
Steps in this article might vary slightly based on the portal you start from.
Sign in to the Microsoft Entra admin center.
Browse to Identity > Roles & admins > Roles & admins.
On the right, select the ellipsis and then Description to see the complete list of permissions for a role.
The page includes links to relevant documentation to help guide you through managing roles.
PowerShell
Follow these steps to list Microsoft Entra roles with PowerShell.
Open a PowerShell window. If necessary, use Install-Module to install Microsoft Graph PowerShell. For more information, see Prerequisites to use PowerShell or Graph Explorer.
Install-Module Microsoft.Graph -Scope CurrentUser
In a PowerShell window, use Connect-MgGraph to sign in to your tenant.
Connect-MgGraph -Scopes "RoleManagement.Read.All"
Use Get-MgRoleManagementDirectoryRoleDefinition to get all roles.
Get-MgRoleManagementDirectoryRoleDefinition
To view the list of permissions of a role, use the following cmdlet.
# Do this to avoid truncation of the list of permissions
$FormatEnumerationLimit = -1
(Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Conditional Access Administrator'").RolePermissions | Format-List
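As an added example that is not part of this article, the following PowerShell builds on Get-MgRoleManagementDirectoryRoleDefinition to find every role, built-in or custom, whose permissions allow a given resource action, which is useful when reviewing which roles carry a sensitive capability. It assumes Connect-MgGraph has already been run with RoleManagement.Read.All; the function name and the sample action are assumptions for illustration.

```powershell
# Added example; not code from the Microsoft Learn article.
# Assumes: Connect-MgGraph -Scopes "RoleManagement.Read.All" has already succeeded.

function Get-EntraRolesGrantingAction {
    param(
        # Resource action to look for, e.g. 'microsoft.directory/applications/credentials/update'.
        [Parameter(Mandatory)]
        [string]$Action
    )

    # -All follows Graph paging so tenants with many custom roles are fully enumerated.
    $roles = Get-MgRoleManagementDirectoryRoleDefinition -All

    foreach ($role in $roles) {
        foreach ($perm in $role.RolePermissions) {
            # Exact, case-insensitive match on the action string. Broad grants such as
            # '.../allProperties/allTasks' are not expanded here and would not be reported.
            $granted  = @($perm.AllowedResourceActions)  -icontains $Action
            $excluded = @($perm.ExcludedResourceActions) -icontains $Action
            if ($granted -and -not $excluded) {
                [pscustomobject]@{
                    DisplayName = $role.DisplayName
                    IsBuiltIn   = $role.IsBuiltIn
                    TemplateId  = $role.TemplateId
                    # A non-empty condition means the grant is scoped rather than tenant-wide.
                    Condition   = $perm.Condition
                }
            }
        }
    }
}

# Sample call (the action name is an illustrative assumption): which roles can update
# application credentials?
Get-EntraRolesGrantingAction -Action 'microsoft.directory/applications/credentials/update' |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

Because only exact action strings are matched, compare the output against roles that hold wildcard grants before concluding that a capability is limited to the listed roles.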
Microsoft Graph API
Follow these instructions to list Microsoft Entra roles using the Microsoft Graph API in Graph Explorer.
Sign in to the Graph Explorer.
Select GET as the HTTP method from the dropdown.
Set the API version to v1.0.
Add the following query to use the List unifiedRoleDefinitions API.
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
Select Run query to list the roles.
To view permissions of a role, use the following API.
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=DisplayName eq 'Conditional Access Administrator'&$select=rolePermissions