Get-EntraScopedRoleMembership

List Microsoft Entra role assignments with administrative unit scope.

Syntax

Get-EntraScopedRoleMembership
   -AdministrativeUnitId <String>
   [-ScopedRoleMembershipId <String>]
   [-Property <String[]>]
   [<CommonParameters>]

Description

The Get-EntraScopedRoleMembership cmdlet lists Microsoft Entra role assignments with an administrative unit scope. Use the ObjectId parameter to retrieve a specific scoped role membership.

Examples

Example 1: Get Scoped Role Administrator

Connect-Entra -Scopes 'RoleManagement.Read.Directory'
$role = Get-EntraDirectoryRole -Filter "DisplayName eq 'Helpdesk Administrator'" 
$administrativeUnit = Get-EntraAdministrativeUnit -Filter "DisplayName eq 'Pacific Administrative Unit'"
$roleMembership = Get-EntraScopedRoleMembership -AdministrativeUnitId $administrativeUnit.Id | Where-Object {$_.RoleId -eq $role.Id}
Get-EntraScopedRoleMembership -AdministrativeUnitId $administrativeUnit.Id -ScopedRoleMembershipId $roleMembership.Id

Id                                                                AdministrativeUnitId                 RoleId
--                                                                --------------------                 ------
dddddddddddd-bbbb-aaaa-bbbb-cccccccccccc aaaaaaaa-bbbb-aaaa-bbbb-cccccccccccc bbbbbbbb-1111-2222-3333-cccccccccccc

This example gets a scoped role administrator. You can use the Get-EntraAdministrativeUnit command to get the administrative unit ID.

  • -AdministrativeUnitId parameter specifies the ID of an administrative unit.
  • -ScopedRoleMembershipId parameter specifies the scoped role membership Id.

Example 2: List scoped administrators for administrative unit by ObjectId

Connect-Entra -Scopes 'RoleManagement.Read.Directory'
$administrativeUnit = Get-EntraAdministrativeUnit -Filter "DisplayName eq 'Pacific Administrative Unit'"
Get-EntraScopedRoleMembership -AdministrativeUnitId $administrativeUnit.Id

Id                                                                AdministrativeUnitId                 RoleId
--                                                                --------------------                 ------
dddddddddddd-bbbb-aaaa-bbbb-cccccccccccc aaaaaaaa-bbbb-aaaa-bbbb-cccccccccccc bbbbbbbb-1111-2222-3333-cccccccccccc

This example lists scoped administrators for an administrative unit by ObjectId.

  • -AdministrativeUnitId parameter specifies the ID of an administrative unit.
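
The following is an added example, not part of the original reference: a tenant-wide review that runs the cmdlet against every administrative unit and resolves each RoleId to a role name, so delegated administrators can be checked against least-privilege expectations. It assumes Get-EntraAdministrativeUnit accepts -All and that the returned objects expose a RoleMemberInfo property (Id, DisplayName); neither is shown on this page.

```powershell
# Added example: inventory scoped role assignments across all administrative units.
Connect-Entra -Scopes 'RoleManagement.Read.Directory'

# Build a RoleId -> DisplayName lookup once, so every assignment can be labelled.
$roleNames = @{}
foreach ($role in Get-EntraDirectoryRole) {
    $roleNames[$role.Id] = $role.DisplayName
}

$report = foreach ($au in Get-EntraAdministrativeUnit -All) {   # -All: assumption
    # A unit with no scoped assignments returns nothing and is skipped.
    foreach ($m in Get-EntraScopedRoleMembership -AdministrativeUnitId $au.Id) {
        [pscustomobject]@{
            AdministrativeUnit     = $au.DisplayName
            AdministrativeUnitId   = $m.AdministrativeUnitId
            Role                   = if ($roleNames.ContainsKey($m.RoleId)) {
                                         $roleNames[$m.RoleId]
                                     } else {
                                         '<unresolved>'   # role ID not in the lookup
                                     }
            RoleId                 = $m.RoleId
            # Assumption: RoleMemberInfo carries the assignee's Id and DisplayName.
            Member                 = $m.RoleMemberInfo.DisplayName
            MemberId               = $m.RoleMemberInfo.Id
            ScopedRoleMembershipId = $m.Id
        }
    }
}

# Full inventory, ordered for review.
$report |
    Sort-Object AdministrativeUnit, Role, Member |
    Format-Table AdministrativeUnit, Role, Member, ScopedRoleMembershipId -AutoSize

# Principals holding scoped roles in more than one administrative unit:
# candidates for a closer look, since their effective reach is wider than one unit.
$report |
    Group-Object MemberId |
    Where-Object { ($_.Group.AdministrativeUnitId | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Member              = $_.Group[0].Member
            MemberId            = $_.Name
            AdministrativeUnits = ($_.Group.AdministrativeUnit | Sort-Object -Unique) -join '; '
            Roles               = ($_.Group.Role | Sort-Object -Unique) -join '; '
        }
    }
```

Any ScopedRoleMembershipId from the report can be passed back to Get-EntraScopedRoleMembership, together with its AdministrativeUnitId, to retrieve that single assignment as in Example 1.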

Parameters

-AdministrativeUnitId

Specifies the ID of an administrative unit object.

Type: System.String
Aliases: ObjectId
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

-Property

Specifies properties to be returned.

Type: System.String[]
Aliases: Select
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-ScopedRoleMembershipId

Specifies the ID of a scoped role membership.

Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False