Functions/Get-IntuneAdminRoleReport.ps1
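function Get-IntuneAdminRoleReport {
    <#
    .SYNOPSIS
        Generates a report of custom admin roles, role assignments, and scope tags.
    .DESCRIPTION
        Retrieves all role definitions, role assignments, and scope tags from Intune
        (Microsoft Graph beta endpoint) and correlates them so that each assignment row
        shows the role it grants and the scope tags that bound it. Intended as an audit
        input: every assignment is emitted, and a role or tag id that cannot be resolved
        is surfaced in the row ("Unknown" / the raw id) rather than silently dropped.
    .OUTPUTS
        One PSCustomObject per role assignment with RoleAssignmentId, PrincipalId,
        RoleName, ResourceScopes and ScopeTags.
    .EXAMPLE
        Get-IntuneAdminRoleReport
    .NOTES
        Requires an existing Graph session (run Connect-IntuneGraph first). The session
        must carry a read permission for Intune RBAC (e.g. DeviceManagementRBAC.Read.All);
        this function only checks that a session exists, so a missing permission shows up
        as one of the "Error fetching ..." failures below.
    #>
    [CmdletBinding()]
    param()

    # Fail fast when there is no Graph session; Get-MgContext returns $null if disconnected.
    if (-not (Get-MgContext -ErrorAction SilentlyContinue)) {
        Write-Error "You must run Connect-IntuneGraph before calling this function."
        return
    }

    # -All on every list call: without it the Graph SDK returns only the first page, which
    # would silently truncate an audit report in a larger tenant.
    Write-Verbose "Fetching role definitions..."
    try {
        $roleDefinitions = Get-MgBetaDeviceManagementRoleDefinition -All
    }
    catch {
        Write-Error "Error fetching role definitions: $_"
        return
    }

    Write-Verbose "Fetching role assignments..."
    try {
        # Fix: the original invoked 'MgBetaDeviceManagementRoleAssignment' (missing the
        # Get- verb), which is not a command and therefore always landed in this catch.
        $roleAssignments = Get-MgBetaDeviceManagementRoleAssignment -All
    }
    catch {
        Write-Error "Error fetching role assignments: $_"
        return
    }

    Write-Verbose "Fetching scope tags..."
    try {
        $scopeTags = Get-MgBetaDeviceManagementRoleScopeTag -All
    }
    catch {
        Write-Error "Error fetching scope tags: $_"
        return
    }

    # Index definitions and tags by id once instead of a Where-Object scan per assignment.
    # PowerShell hashtable literals are case-insensitive, matching the original -eq lookups.
    $roleById = @{}
    foreach ($definition in $roleDefinitions) {
        if ($definition.Id) { $roleById[$definition.Id] = $definition }
    }
    $tagById = @{}
    foreach ($scopeTag in $scopeTags) {
        if ($scopeTag.Id) { $tagById[$scopeTag.Id] = $scopeTag }
    }

    $report = foreach ($assignment in $roleAssignments) {
        # NOTE(review): RoleDefinitionId and PrincipalId are read straight off the assignment
        # object; confirm the beta SDK list output actually exposes them (it may only carry a
        # RoleDefinition navigation and a Members collection). If these come back empty in
        # the report, expand/select those properties explicitly on the list call.
        $role = $null
        if ($assignment.RoleDefinitionId) {
            $role = $roleById[$assignment.RoleDefinitionId]
        }

        # Resolve each scope tag id to its display name; keep the raw id when unknown so an
        # auditor can see that the assignment references a tag that no longer resolves.
        $tagNames = @()
        if ($assignment.RoleScopeTagIds) {
            foreach ($tagId in $assignment.RoleScopeTagIds) {
                $resolved = $tagById[$tagId]
                $tagNames += if ($resolved) { $resolved.DisplayName } else { $tagId }
            }
        }

        [PSCustomObject]@{
            RoleAssignmentId = $assignment.Id
            PrincipalId      = $assignment.PrincipalId
            RoleName         = if ($role) { $role.DisplayName } else { "Unknown" }
            ResourceScopes   = if ($assignment.ResourceScopes) { ($assignment.ResourceScopes -join ", ") } else { "" }
            ScopeTags        = if ($tagNames) { $tagNames -join ", " } else { "None" }
        }
    }

    return $report
}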