MgGraph SDK: Extract Role Admins from AzureAD

As everyone in the technical community is aware, the MSOnline and AzureAD modules will be deprecated.

We have started converting our automated solutions to use the Microsoft Graph SDK.

This is one of the solutions that uses MSOL, where we extract AzureAD roles and their assignments:

Extract office 365 Role Admins | Tech Wizard

I will share the updated MgGraph script in another blog post; this post is about how we can do the same thing with the Microsoft Graph SDK.

The MSOL module cmdlets for extracting the role admins are:

  • Get-MsolRole
  • Get-MsolRoleMember

To find the equivalent in the Graph SDK you can refer to the link below:

Find Azure AD and MSOnline cmdlets in Microsoft Graph

The equivalent cmdlets in MgGraph are:

  • Get-MgDirectoryRole
  • Get-MgDirectoryRoleMember

Once you have connected to Graph and run Get-MgDirectoryRole, it does not return all the roles that you see in AzureAD, whereas Get-MsolRole returns all of them. The reason is that Get-MgDirectoryRole only lists roles that have been activated in the tenant; a built-in role only exists as a directory role object once it has been used.

[Screenshot: MSOL Roles Count]

[Screenshot: Graph Cmdlet Role Count]

This is why we had to use another way to extract all roles and then loop through them.

Get-MgDirectoryRoleTemplate is the cmdlet to use to get all the roles; then get the id of the activated role by matching the role name with Get-MgDirectoryRole.

Now use Get-MgDirectoryRoleMember to get the members of that role.

Sample Code:


# Connect with a read-only scope sufficient for roles, members and object lookups
Connect-MgGraph -Scopes "Directory.Read.All"

$log = ".\RoleAdmins.log"
# Minimal Write-Log so the sample runs stand-alone; replace with your own logging function
function Write-Log {
    param([string]$Message, [string]$Path)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Path -Append
}

$collection = @()
# Role templates cover every role, activated or not
$AllRoles = Get-MgDirectoryRoleTemplate
$AllRoles | ForEach-Object {
    $adminroleid = $getroleadmins = $null
    $rolName     = $_.DisplayName
    $rolobjid    = $_.Id
    $description = $_.Description
    Write-Log -Message "Extracting........$rolName" -Path $log
    # Get-MgDirectoryRole only returns activated roles; match the template by display name
    $adminroleid = Get-MgDirectoryRole -Filter "DisplayName eq '$rolName'"
    if ($adminroleid.Id) {
        # -All follows paging so large roles are not truncated
        $getroleadmins = Get-MgDirectoryRoleMember -DirectoryRoleId $adminroleid.Id -All
    }
    if ($getroleadmins) {
        $getroleadmins | ForEach-Object {
            $mcoll = "" | Select-Object UserId, DisplayName, RoleName, RoleMemberType, Description
            $uid = $getmguser = $null
            # Members can be users, service principals or groups; try each in turn
            $getmguser = Get-MgUser -UserId $_.Id -ErrorAction SilentlyContinue
            if ($getmguser) {
                $uid = $getmguser.UserPrincipalName
                $mcoll.UserId         = $uid
                $mcoll.DisplayName    = $getmguser.DisplayName
                $mcoll.RoleName       = $rolName
                $mcoll.RoleMemberType = "User"
                $mcoll.Description    = $description
            }
            else {
                $mgapp = $null
                $mgapp = Get-MgServicePrincipal -ServicePrincipalId $_.Id -ErrorAction SilentlyContinue
                if ($mgapp) {
                    $mcoll.DisplayName    = $mgapp.DisplayName
                    $mcoll.RoleName       = $rolName
                    $mcoll.RoleMemberType = "ServicePrincipal"
                    $mcoll.Description    = $description
                }
                else {
                    $mggroup = $null
                    $mggroup = Get-MgGroup -GroupId $_.Id -ErrorAction SilentlyContinue
                    # Guard the group lookup too, so an unknown member type does not throw
                    if ($mggroup) {
                        $mcoll.DisplayName    = $mggroup.DisplayName
                        $mcoll.RoleName       = $rolName
                        $mcoll.RoleMemberType = "Group"
                        $mcoll.Description    = $description
                    }
                }
            }
            $collection += $mcoll
        }
    }
}
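The same extraction can be done with fewer Graph calls. Each object returned by Get-MgDirectoryRoleMember carries its type and basic attributes in AdditionalProperties (the '@odata.type', 'displayName' and 'userPrincipalName' keys), so the per-member Get-MgUser / Get-MgServicePrincipal / Get-MgGroup lookups are not needed. The following is an added example written for this post, not the script above and not Microsoft's code; it fetches the activated roles once, indexes them by RoleTemplateId, records templates that have never been activated (the difference between the two counts shown earlier), and exports everything to a CSV path of our choosing ($OutputCsv is an assumed name).

```powershell
# Added example: single-pass role admin report using the member's own '@odata.type'.
# Assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement
# modules are installed. $OutputCsv is an assumed output path, not from the original post.
$OutputCsv = ".\RoleAdmins.csv"

Connect-MgGraph -Scopes "Directory.Read.All"

# Map the Graph object type of a role member to a friendly label
function Get-MemberType {
    param([string]$ODataType)
    switch ($ODataType) {
        '#microsoft.graph.user'             { 'User' }
        '#microsoft.graph.servicePrincipal' { 'ServicePrincipal' }
        '#microsoft.graph.group'            { 'Group' }
        default                             { 'Other' }
    }
}

# Activated roles only exist once used; index them by template id for O(1) lookup
$activated = @{}
foreach ($r in Get-MgDirectoryRole -All) {
    $activated[$r.RoleTemplateId] = $r
}

$report = foreach ($template in Get-MgDirectoryRoleTemplate) {
    $role = $activated[$template.Id]
    if (-not $role) {
        # Never activated in this tenant: no assignments, but keep a row so every template is visible
        [pscustomobject]@{
            RoleName       = $template.DisplayName
            Activated      = $false
            MemberId       = $null
            UserId         = $null
            DisplayName    = $null
            RoleMemberType = $null
            Description    = $template.Description
        }
        continue
    }
    # -All follows paging; large roles would otherwise be truncated
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $member.AdditionalProperties
        [pscustomobject]@{
            RoleName       = $template.DisplayName
            Activated      = $true
            MemberId       = $member.Id
            UserId         = $props['userPrincipalName']   # null for groups and service principals
            DisplayName    = $props['displayName']
            RoleMemberType = Get-MemberType -ODataType $props['@odata.type']
            Description    = $template.Description
        }
    }
}

$report | Export-Csv -Path $OutputCsv -NoTypeInformation

# Review view: current holders of the two most sensitive roles
$report |
    Where-Object { $_.Activated -and $_.RoleName -in 'Global Administrator', 'Privileged Role Administrator' } |
    Format-Table RoleName, RoleMemberType, UserId, DisplayName -AutoSize
```

Two caveats when reading the output: the members endpoint returns active assignments only, so eligible assignments made through Privileged Identity Management do not appear here, and a member of type Group means the effective admins are that group's members, which this report does not expand.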

If you are also transitioning to MgGraph, this post should assist you in your migration to MS Graph.

Thanks for reading…

Tech Wizard

https://techwizard.cloud

https://syscloudpro.com/

PowerShell Fast Track