Get-EntraDirectoryRoleAssignment
Get a Microsoft Entra ID roleAssignment.
Syntax
Get-EntraDirectoryRoleAssignment
    [-Top <Int32>]
    [-All]
    [-Filter <String>]
    [-Property <String[]>]
    [<CommonParameters>]

Get-EntraDirectoryRoleAssignment
    [-All]
    [-Property <String[]>]
    [<CommonParameters>]

Get-EntraDirectoryRoleAssignment
    -UnifiedRoleAssignmentId <String>
    [-All]
    [-Property <String[]>]
    [<CommonParameters>]
Description
The Get-EntraDirectoryRoleAssignment cmdlet gets information about role assignments in Microsoft Entra ID. To get a role assignment, specify the UnifiedRoleAssignmentId parameter. Specify the SearchString or Filter parameter to find a particular role assignment.
In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or a custom role with one of the following permissions:
- microsoft.directory/roleAssignments/standard/read (least privileged)
- microsoft.directory/roleAssignments/allProperties/read
- microsoft.directory/roleAssignments/allProperties/allTasks
The least privileged roles for this operation, from least to most privileged, are:
- Directory Readers
- Global Reader
- Privileged Role Administrator
Examples
Example 1: Get role assignments
Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All'
Get-EntraDirectoryRoleAssignment
Id PrincipalId RoleDefinitionId DirectoryScopeId AppScopeId
-- ----------- ---------------- ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444 aaaaaaaa-bbbb-cccc-1111-222222222222 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
11112222-bbbb-3333-cccc-4444dddd5555 bbbbbbbb-cccc-dddd-2222-333333333333 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
22223333-cccc-4444-dddd-5555eeee6666 cccccccc-dddd-eeee-3333-444444444444 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
33334444-dddd-5555-eeee-6666ffff7777 dddddddd-eeee-ffff-4444-555555555555 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
44445555-eeee-6666-ffff-7777aaaa8888 eeeeeeee-ffff-aaaa-5555-666666666666 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
This command gets the role assignments in Microsoft Entra ID.
Example 2: Get role assignments using the 'All' parameter
Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All'
Get-EntraDirectoryRoleAssignment -All
Id PrincipalId RoleDefinitionId DirectoryScopeId AppScopeId
-- ----------- ---------------- ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444 aaaaaaaa-bbbb-cccc-1111-222222222222 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
11112222-bbbb-3333-cccc-4444dddd5555 bbbbbbbb-cccc-dddd-2222-333333333333 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
22223333-cccc-4444-dddd-5555eeee6666 cccccccc-dddd-eeee-3333-444444444444 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
33334444-dddd-5555-eeee-6666ffff7777 dddddddd-eeee-ffff-4444-555555555555 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
44445555-eeee-6666-ffff-7777aaaa8888 eeeeeeee-ffff-aaaa-5555-666666666666 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
This command gets all the role assignments in Microsoft Entra ID.
Example 3: Get role assignments by Id
Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All'
Get-EntraDirectoryRoleAssignment -UnifiedRoleAssignmentId '00001111-aaaa-2222-bbbb-3333cccc4444'
Id PrincipalId RoleDefinitionId DirectoryScopeId AppScopeId
-- ----------- ---------------- ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444 aaaaaaaa-bbbb-cccc-1111-222222222222 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
This command gets the role assignment with the specified roleAssignment ID. The UnifiedRoleAssignmentId parameter specifies the roleAssignment object ID.
Example 4: Get role assignments filtered by principalId
Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All'
Get-EntraDirectoryRoleAssignment -Filter "principalId eq 'aaaaaaaa-bbbb-cccc-1111-222222222222'"
Id PrincipalId RoleDefinitionId DirectoryScopeId AppScopeId
-- ----------- ---------------- ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444 aaaaaaaa-bbbb-cccc-1111-222222222222 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
11112222-bbbb-3333-cccc-4444dddd5555 aaaaaaaa-bbbb-cccc-1111-222222222222 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
This command gets the role assignments containing the specified principalId.
Example 5: Get role assignments filtered by roleDefinitionId
Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All'
Get-EntraDirectoryRoleAssignment -Filter "roleDefinitionId eq 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'"
Id PrincipalId RoleDefinitionId DirectoryScopeId AppScopeId
-- ----------- ---------------- ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444 aaaaaaaa-bbbb-cccc-1111-222222222222 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
11112222-bbbb-3333-cccc-4444dddd5555 bbbbbbbb-cccc-dddd-2222-333333333333 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
22223333-cccc-4444-dddd-5555eeee6666 cccccccc-dddd-eeee-3333-444444444444 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
33334444-dddd-5555-eeee-6666ffff7777 dddddddd-eeee-ffff-4444-555555555555 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
44445555-eeee-6666-ffff-7777aaaa8888 eeeeeeee-ffff-aaaa-5555-666666666666 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
This command gets the role assignments containing the specified roleDefinitionId.
Example 6: Get top two role assignments
Connect-Entra -Scopes 'RoleManagement.Read.Directory','EntitlementManagement.Read.All'
Get-EntraDirectoryRoleAssignment -Top 2
Id PrincipalId RoleDefinitionId DirectoryScopeId AppScopeId
-- ----------- ---------------- ---------------- ----------
00001111-aaaa-2222-bbbb-3333cccc4444 aaaaaaaa-bbbb-cccc-1111-222222222222 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
11112222-bbbb-3333-cccc-4444dddd5555 bbbbbbbb-cccc-dddd-2222-333333333333 a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 /
This command gets the top two role assignments.
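Added example (not part of the original reference): summarizing the cmdlet's output per principal for an access review, flagging principals that hold an assignment at tenant-wide scope '/'. The function name Get-RoleAssignmentSummary, the second role definition ID, and the administrative unit ID in the sample rows are assumptions constructed for illustration.

```powershell
# Added example: group role assignments by principal and flag tenant-wide scope.
# Get-RoleAssignmentSummary is a hypothetical helper, not part of the Microsoft.Entra module.
function Get-RoleAssignmentSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Assignment
    )
    begin   { $items = [System.Collections.Generic.List[object]]::new() }
    process { $items.Add($Assignment) }
    end {
        $items | Group-Object -Property PrincipalId | ForEach-Object {
            $scopes = @($_.Group.DirectoryScopeId | Sort-Object -Unique)
            [pscustomobject]@{
                PrincipalId       = $_.Name
                AssignmentCount   = $_.Count
                RoleDefinitionIds = @($_.Group.RoleDefinitionId | Sort-Object -Unique)
                # '/' means the role applies to the whole tenant rather than a narrower scope.
                TenantWide        = $scopes -contains '/'
                Scopes            = $scopes
            }
        } | Sort-Object -Property @{ Expression = 'TenantWide'; Descending = $true },
                                  @{ Expression = 'AssignmentCount'; Descending = $true }
    }
}

# Constructed sample rows in the shape of the cmdlet's output (placeholder GUIDs only).
$sample = @(
    [pscustomobject]@{ Id = '00001111-aaaa-2222-bbbb-3333cccc4444'
                       PrincipalId = 'aaaaaaaa-bbbb-cccc-1111-222222222222'
                       RoleDefinitionId = 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'
                       DirectoryScopeId = '/' }
    [pscustomobject]@{ Id = '11112222-bbbb-3333-cccc-4444dddd5555'
                       PrincipalId = 'aaaaaaaa-bbbb-cccc-1111-222222222222'
                       RoleDefinitionId = 'b1b1b1b1-cccc-dddd-eeee-f2f2f2f2f2f2'   # constructed
                       DirectoryScopeId = '/' }
    [pscustomobject]@{ Id = '22223333-cccc-4444-dddd-5555eeee6666'
                       PrincipalId = 'cccccccc-dddd-eeee-3333-444444444444'
                       RoleDefinitionId = 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'
                       # constructed administrative unit scope
                       DirectoryScopeId = '/administrativeUnits/ffffffff-0000-1111-2222-333333333333' }
)

$sample | Get-RoleAssignmentSummary | Format-Table -AutoSize

# Against a live tenant, pass -All so every page of results is included in the review:
# Get-EntraDirectoryRoleAssignment -All | Get-RoleAssignmentSummary
```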
Parameters
-All
List all pages.
Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Filter
The OData v4.0 filter statement. Controls which objects are returned.
Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-Property
Specifies properties to be returned.
Type: System.String[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Top
The maximum number of records to return.
Type: System.Int32
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-UnifiedRoleAssignmentId
The unique identifier of a Microsoft Entra ID roleAssignment object.
Type: System.String
Aliases: Id
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
Outputs
Microsoft.Open.MSGraph.Model.DirectoryRoleAssignment
Notes
Get-EntraRoleAssignment is an alias for Get-EntraDirectoryRoleAssignment.