internal/Get-MtRoleInfo.ps1

# Value object for one role: its template GUID and whether it is flagged as privileged.
class MtRoleDefinition {
    # Role template GUID, held as a string.
    [string] $Id

    # $true when the role is marked privileged in the role table.
    [bool] $IsPrivileged

    # Stores both values exactly as supplied; no validation is performed here.
    MtRoleDefinition([string] $id, [bool] $isPrivileged) {
        $this.IsPrivileged = $isPrivileged
        $this.Id = $id
    }

    # Renders the object as its GUID so it can stand in wherever a plain ID string is expected.
    [string] ToString() {
        return $this.Id
    }
}

# Module-scoped hashtable of all Entra ID built-in role definitions.
# Each key is a role identifier (the name passed to Get-MtRoleInfo) and each value is an
# MtRoleDefinition built from the role template GUID and a flag saying whether the role is
# marked privileged.
# Auto-generated by build/Update-MtRoleDefinitions.ps1 from the Microsoft Entra
# built-in roles permissions reference (public, no auth required).
# To update, run: build/Update-MtRoleDefinitions.ps1
# NOTE(review): the privileged flags are whatever the generator last wrote. A role added or
# reclassified upstream since then is not reflected here until the script is re-run, so any
# check that relies on IsPrivileged is only as current as this table.
# NOTE(review): content between the BEGIN/END markers is presumably rewritten by the generator;
# make changes in the build script rather than by hand - confirm against that script.
$script:MtRoles = @{
    # BEGIN AUTO-GENERATED ROLE DEFINITIONS
    'AgentIDAdministrator' = [MtRoleDefinition]::new('db506228-d27e-4b7d-95e5-295956d6615f', $true)
    'AgentIDDeveloper' = [MtRoleDefinition]::new('adb2368d-a9be-41b5-8667-d96778e081b0', $false)
    'AgentRegistryAdministrator' = [MtRoleDefinition]::new('6b942400-691f-4bf0-9d12-d8a254a2baf5', $false)
    'AIAdministrator' = [MtRoleDefinition]::new('d2562ede-74db-457e-a7b6-544e236ebb61', $true)
    'ApplicationAdministrator' = [MtRoleDefinition]::new('9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', $true)
    'ApplicationDeveloper' = [MtRoleDefinition]::new('cf1c38e5-3621-4004-a7cb-879624dced7c', $true)
    'AttackPayloadAuthor' = [MtRoleDefinition]::new('9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f', $false)
    'AttackSimulationAdministrator' = [MtRoleDefinition]::new('c430b396-e693-46cc-96f3-db01bf8bb62a', $false)
    'AttributeAssignmentAdministrator' = [MtRoleDefinition]::new('58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d', $false)
    'AttributeAssignmentReader' = [MtRoleDefinition]::new('ffd52fa5-98dc-465c-991d-fc073eb59f8f', $false)
    'AttributeDefinitionAdministrator' = [MtRoleDefinition]::new('8424c6f0-a189-499e-bbd0-26c1753c96d4', $false)
    'AttributeDefinitionReader' = [MtRoleDefinition]::new('1d336d2c-4ae8-42ef-9711-b3604ce3fc2c', $false)
    'AttributeLogAdministrator' = [MtRoleDefinition]::new('5b784334-f94b-471a-a387-e7219fc49ca2', $false)
    'AttributeLogReader' = [MtRoleDefinition]::new('9c99539d-8186-4804-835f-fd51ef9e2dcd', $false)
    'AttributeProvisioningAdministrator' = [MtRoleDefinition]::new('ecb2c6bf-0ab6-418e-bd87-7986f8d63bbe', $true)
    'AttributeProvisioningReader' = [MtRoleDefinition]::new('422218e4-db15-4ef9-bbe0-8afb41546d79', $true)
    'AuthenticationAdministrator' = [MtRoleDefinition]::new('c4e39bd9-1100-46d3-8c65-fb160da0071f', $true)
    'AuthenticationExtensibilityAdministrator' = [MtRoleDefinition]::new('25a516ed-2fa0-40ea-a2d0-12923a21473a', $true)
    'AuthenticationExtensibilityPasswordAdministrator' = [MtRoleDefinition]::new('0b00bede-4072-4d22-b441-e7df02a1ef63', $true)
    'AuthenticationPolicyAdministrator' = [MtRoleDefinition]::new('0526716b-113d-4c15-b2c8-68e3c22b9f80', $false)
    'AzureDevOpsAdministrator' = [MtRoleDefinition]::new('e3973bdf-4987-49ae-837a-ba8e231c7286', $false)
    'AzureInformationProtectionAdministrator' = [MtRoleDefinition]::new('7495fdc4-34c4-4d15-a289-98788ce399fd', $false)
    'B2CIEFKeysetAdministrator' = [MtRoleDefinition]::new('aaf43236-0c0d-4d5f-883a-6955382ac081', $true)
    'B2CIEFPolicyAdministrator' = [MtRoleDefinition]::new('3edaf663-341e-4475-9f94-5c398ef6c070', $false)
    'BillingAdministrator' = [MtRoleDefinition]::new('b0f54661-2d74-4c50-afa3-1ec803f12efe', $false)
    'CloudApplicationAdministrator' = [MtRoleDefinition]::new('158c047a-c907-4556-b7ef-446551a6b5f7', $true)
    'CloudAppSecurityAdministrator' = [MtRoleDefinition]::new('892c5842-a9a6-463a-8041-72aa08ca3cf6', $false)
    'CloudDeviceAdministrator' = [MtRoleDefinition]::new('7698a772-787b-4ac8-901f-60d6b08affd2', $true)
    'ComplianceAdministrator' = [MtRoleDefinition]::new('17315797-102d-40b4-93e0-432062caca18', $false)
    'ComplianceDataAdministrator' = [MtRoleDefinition]::new('e6d1a23a-da11-4be4-9570-befc86d067a7', $false)
    'ConditionalAccessAdministrator' = [MtRoleDefinition]::new('b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', $true)
    'CustomerLockboxAccessApprover' = [MtRoleDefinition]::new('5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91', $false)
    'DesktopAnalyticsAdministrator' = [MtRoleDefinition]::new('38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4', $false)
    'DeviceJoin' = [MtRoleDefinition]::new('9c094953-4995-41c8-84c8-3ebb9b32c93f', $false)
    'DeviceManagers' = [MtRoleDefinition]::new('2b499bcd-da44-4968-8aec-78e1674fa64d', $false)
    'DeviceUsers' = [MtRoleDefinition]::new('d405c6df-0af8-4e3b-95e4-4d06e542189e', $false)
    'DirectoryReaders' = [MtRoleDefinition]::new('88d8e3e3-8f55-4a1e-953a-9b9898b8876b', $false)
    'DirectorySynchronizationAccounts' = [MtRoleDefinition]::new('d29b2b05-8046-44ba-8758-1e26182fcf32', $false)
    'DirectoryWriters' = [MtRoleDefinition]::new('9360feb5-f418-4baa-8175-e2a00bac4301', $true)
    'DomainNameAdministrator' = [MtRoleDefinition]::new('8329153b-31d0-4727-b945-745eb3bc5f31', $true)
    'DragonAdministrator' = [MtRoleDefinition]::new('e93e3737-fa85-474a-aee4-7d3fb86510f3', $false)
    'Dynamics365Administrator' = [MtRoleDefinition]::new('44367163-eba1-44c3-98af-f5787879f96a', $false)
    'Dynamics365BusinessCentralAdministrator' = [MtRoleDefinition]::new('963797fb-eb3b-4cde-8ce3-5878b3f32a3f', $false)
    'EdgeAdministrator' = [MtRoleDefinition]::new('3f1acade-1e04-4fbc-9b69-f0302cd84aef', $false)
    'EntraBackupAdministrator' = [MtRoleDefinition]::new('b6a27b2b-f905-4b2e-81b5-0d90e0ef1fdb', $false)
    'EntraBackupReader' = [MtRoleDefinition]::new('f42252d9-5400-4d7b-b9ef-cc582dbb8577', $false)
    'ExchangeAdministrator' = [MtRoleDefinition]::new('29232cdf-9323-42fd-ade2-1d097af3e4de', $false)
    'ExchangeBackupAdministrator' = [MtRoleDefinition]::new('49eb8f75-97e9-4e37-9b2b-6c3ebfcffa31', $false)
    'ExchangeRecipientAdministrator' = [MtRoleDefinition]::new('31392ffb-586c-42d1-9346-e59415a2cc4e', $false)
    'ExtendedDirectoryUserAdministrator' = [MtRoleDefinition]::new('dd13091a-6207-4fc0-82ba-3641e056ab95', $false)
    'ExternalIdentityProviderAdministrator' = [MtRoleDefinition]::new('be2f45a1-457d-42af-a067-6ec1fa63bc45', $true)
    'ExternalIDUserFlowAdministrator' = [MtRoleDefinition]::new('6e591065-9bad-43ed-90f3-e9424366d2f0', $false)
    'ExternalIDUserFlowAttributeAdministrator' = [MtRoleDefinition]::new('0f971eea-41eb-4569-a71e-57bb8a3eff1e', $false)
    'FabricAdministrator' = [MtRoleDefinition]::new('a9ea8996-122f-4c74-9520-8edcd192826c', $false)
    'GlobalAdministrator' = [MtRoleDefinition]::new('62e90394-69f5-4237-9190-012177145e10', $true)
    'GlobalReader' = [MtRoleDefinition]::new('f2ef992c-3afb-46b9-b7cf-a126ee74c451', $true)
    'GlobalSecureAccessAdministrator' = [MtRoleDefinition]::new('ac434307-12b9-4fa1-a708-88bf58caabc1', $false)
    'GlobalSecureAccessLogReader' = [MtRoleDefinition]::new('843318fb-79a6-4168-9e6f-aa9a07481cc4', $false)
    'GroupsAdministrator' = [MtRoleDefinition]::new('fdd7a751-b60b-444a-984c-02652fe8fa1c', $false)
    'GuestInviter' = [MtRoleDefinition]::new('95e79109-95c0-4d8e-aee3-d01accf2d47b', $false)
    'GuestUser' = [MtRoleDefinition]::new('10dae51f-b6af-4016-8d66-8c2a99b929b3', $false)
    'HelpdeskAdministrator' = [MtRoleDefinition]::new('729827e3-9c14-49f7-bb1b-9608f156bbb8', $true)
    'HybridIdentityAdministrator' = [MtRoleDefinition]::new('8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2', $true)
    'IdentityGovernanceAdministrator' = [MtRoleDefinition]::new('45d8d3c5-c802-45c6-b32a-1d70b5e1e86e', $false)
    'InsightsAdministrator' = [MtRoleDefinition]::new('eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c', $false)
    'InsightsAnalyst' = [MtRoleDefinition]::new('25df335f-86eb-4119-b717-0ff02de207e9', $false)
    'InsightsBusinessLeader' = [MtRoleDefinition]::new('31e939ad-9672-4796-9c2e-873181342d2d', $false)
    'IntuneAdministrator' = [MtRoleDefinition]::new('3a2c62db-5318-420d-8d74-23affee5d9d5', $true)
    'IoTDeviceAdministrator' = [MtRoleDefinition]::new('2ea5ce4c-b2d8-4668-bd81-3680bd2d227a', $false)
    'KaizalaAdministrator' = [MtRoleDefinition]::new('74ef975b-6605-40af-a5d2-b9539d836353', $false)
    'KnowledgeAdministrator' = [MtRoleDefinition]::new('b5a8dcf3-09d5-43a9-a639-8e29ef291470', $false)
    'KnowledgeManager' = [MtRoleDefinition]::new('744ec460-397e-42ad-a462-8b3f9747a02c', $false)
    'LicenseAdministrator' = [MtRoleDefinition]::new('4d6ac14f-3453-41d0-bef9-a3e0c569773a', $false)
    'LifecycleWorkflowsAdministrator' = [MtRoleDefinition]::new('59d46f88-662b-457b-bceb-5c3809e5908f', $true)
    'MessageCenterPrivacyReader' = [MtRoleDefinition]::new('ac16e43d-7b2d-40e0-ac05-243ff356ab5b', $false)
    'MessageCenterReader' = [MtRoleDefinition]::new('790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b', $false)
    'Microsoft365BackupAdministrator' = [MtRoleDefinition]::new('1707125e-0aa2-4d4d-8655-a7c786c76a25', $false)
    'Microsoft365MigrationAdministrator' = [MtRoleDefinition]::new('8c8b803f-96e1-4129-9349-20738d9f9652', $false)
    'MicrosoftEntraJoinedDeviceLocalAdministrator' = [MtRoleDefinition]::new('9f06204d-73c1-4d4c-880a-6edb90606fd8', $false)
    'MicrosoftGraphDataConnectAdministrator' = [MtRoleDefinition]::new('ee67aa9c-e510-4759-b906-227085a7fd4d', $false)
    'MicrosoftHardwareWarrantyAdministrator' = [MtRoleDefinition]::new('1501b917-7653-4ff9-a4b5-203eaf33784f', $false)
    'MicrosoftHardwareWarrantySpecialist' = [MtRoleDefinition]::new('281fe777-fb20-4fbb-b7a3-ccebce5b0d96', $false)
    'NetworkAdministrator' = [MtRoleDefinition]::new('d37c8bed-0711-4417-ba38-b4abe66ce4c2', $false)
    'OfficeAppsAdministrator' = [MtRoleDefinition]::new('2b745bdf-0803-4d80-aa65-822c4493daac', $false)
    'OnPremisesDirectorySyncAccount' = [MtRoleDefinition]::new('a92aed5d-d78a-4d16-b381-09adb37eb3b0', $false)
    'OrganizationalBrandingAdministrator' = [MtRoleDefinition]::new('92ed04bf-c94a-4b82-9729-b799a7a4c178', $false)
    'OrganizationalDataSourceAdministrator' = [MtRoleDefinition]::new('9d70768a-0cbc-4b4c-aea3-2e124b2477f4', $false)
    'OrganizationalMessagesApprover' = [MtRoleDefinition]::new('e48398e2-f4bb-4074-8f31-4586725e205b', $false)
    'OrganizationalMessagesWriter' = [MtRoleDefinition]::new('507f53e4-4e52-4077-abd3-d2e1558b6ea2', $false)
    'PartnerTier1Support' = [MtRoleDefinition]::new('4ba39ca4-527c-499a-b93d-d9b492c50246', $true)
    'PartnerTier2Support' = [MtRoleDefinition]::new('e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8', $true)
    'PasswordAdministrator' = [MtRoleDefinition]::new('966707d0-3269-4727-9be2-8c3a10f19b9d', $true)
    'PeopleAdministrator' = [MtRoleDefinition]::new('024906de-61e5-49c8-8572-40335f1e0e10', $false)
    'PermissionsManagementAdministrator' = [MtRoleDefinition]::new('af78dc32-cf4d-46f9-ba4e-4428526346b5', $false)
    'PlacesAdministrator' = [MtRoleDefinition]::new('78b0ccd1-afc2-4f92-9116-b41aedd09592', $false)
    'PowerPlatformAdministrator' = [MtRoleDefinition]::new('11648597-926c-4cf3-9c36-bcebb0ba8dcc', $false)
    'PrinterAdministrator' = [MtRoleDefinition]::new('644ef478-e28f-4e28-b9dc-3fdde9aa0b1f', $false)
    'PrinterTechnician' = [MtRoleDefinition]::new('e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477', $false)
    'PrivilegedAuthenticationAdministrator' = [MtRoleDefinition]::new('7be44c8a-adaf-4e2a-84d6-ab2649e08a13', $true)
    'PrivilegedRoleAdministrator' = [MtRoleDefinition]::new('e8611ab8-c189-46e8-94e1-60213ab1f814', $true)
    'ReportsReader' = [MtRoleDefinition]::new('4a5d8f65-41da-4de4-8968-e035b65339cf', $false)
    'RestrictedGuestUser' = [MtRoleDefinition]::new('2af84b1e-32c8-42b7-82bc-daa82404023b', $false)
    'SearchAdministrator' = [MtRoleDefinition]::new('0964bb5e-9bdb-4d7b-ac29-58e794862a40', $false)
    'SearchEditor' = [MtRoleDefinition]::new('8835291a-918c-4fd7-a9ce-faa49f0cf7d9', $false)
    'SecurityAdministrator' = [MtRoleDefinition]::new('194ae4cb-b126-40b2-bd5b-6091b380977d', $true)
    'SecurityOperator' = [MtRoleDefinition]::new('5f2222b1-57c3-48ba-8ad5-d4759f1fde6f', $true)
    'SecurityReader' = [MtRoleDefinition]::new('5d6b6bb7-de71-4623-b4af-96380a352509', $true)
    'ServiceSupportAdministrator' = [MtRoleDefinition]::new('f023fd81-a637-4b56-95fd-791ac0226033', $false)
    'SharePointAdministrator' = [MtRoleDefinition]::new('f28a1f50-f6e7-4571-818b-6a12f2af6b6c', $false)
    'SharePointAdvancedManagementAdministrator' = [MtRoleDefinition]::new('99009c4a-3b3f-4957-82a9-9d35e12db77e', $false)
    'SharePointBackupAdministrator' = [MtRoleDefinition]::new('9d3e04ba-3ee4-4d1b-a3a7-9aef423a09be', $false)
    'SharePointEmbeddedAdministrator' = [MtRoleDefinition]::new('1a7d78b6-429f-476b-b8eb-35fb715fffd4', $false)
    'SkypeForBusinessAdministrator' = [MtRoleDefinition]::new('75941009-915a-4869-abe7-691bff18279e', $false)
    'TeamsAdministrator' = [MtRoleDefinition]::new('69091246-20e8-4a56-aa4d-066075b2a7a8', $false)
    'TeamsCommunicationsAdministrator' = [MtRoleDefinition]::new('baf37b3a-610e-45da-9e62-d9d1e5e8914b', $false)
    'TeamsCommunicationsSupportEngineer' = [MtRoleDefinition]::new('f70938a0-fc10-4177-9e90-2178f8765737', $false)
    'TeamsCommunicationsSupportSpecialist' = [MtRoleDefinition]::new('fcf91098-03e3-41a9-b5ba-6f0ec8188a12', $false)
    'TeamsDevicesAdministrator' = [MtRoleDefinition]::new('3d762c5a-1b6c-493f-843e-55a3b42923d4', $false)
    'TeamsExternalCollaborationAdministrator' = [MtRoleDefinition]::new('2fe872fb-daa8-4afc-8f6c-53c4565cfef4', $false)
    'TeamsReader' = [MtRoleDefinition]::new('1076ac91-f3d9-41a7-a339-dcdf5f480acc', $false)
    'TeamsTelephonyAdministrator' = [MtRoleDefinition]::new('aa38014f-0993-46e9-9b45-30501a20909d', $false)
    'TenantCreator' = [MtRoleDefinition]::new('112ca1a2-15ad-4102-995e-45b0bc479a6a', $false)
    'TenantGovernanceAdministrator' = [MtRoleDefinition]::new('1981f584-96e9-4a6f-95b0-f522373f8fae', $false)
    'TenantGovernanceReader' = [MtRoleDefinition]::new('e0a4caa6-fe82-443f-b92f-d87341d17b2e', $false)
    'TenantGovernanceRelationshipAdministrator' = [MtRoleDefinition]::new('b8e31d83-1534-480f-9b10-0338ded51b7e', $false)
    'TenantGovernanceRelationshipReader' = [MtRoleDefinition]::new('124577f8-48ed-456a-839f-13b419002e33', $false)
    'UsageSummaryReportsReader' = [MtRoleDefinition]::new('75934031-6c7e-415a-99d7-48dbd49e875e', $false)
    'User' = [MtRoleDefinition]::new('a0b1b346-4d3e-4e8b-98f8-753987be4970', $false)
    'UserAdministrator' = [MtRoleDefinition]::new('fe930be7-5e62-47db-91af-98c3a49a38b1', $true)
    'UserExperienceSuccessManager' = [MtRoleDefinition]::new('27460883-1df1-4691-b032-3b79643e5e63', $false)
    'VirtualVisitsAdministrator' = [MtRoleDefinition]::new('e300d9e7-4a2b-4295-9eff-f1c78b36cc98', $false)
    'VivaGlintTenantAdministrator' = [MtRoleDefinition]::new('0ec3f692-38d6-4d14-9e69-0377ca7797ad', $false)
    'VivaGoalsAdministrator' = [MtRoleDefinition]::new('92b086b3-e367-4ef2-b869-1de128fb986e', $false)
    'VivaPulseAdministrator' = [MtRoleDefinition]::new('87761b17-1ed2-4af3-9acd-92a150038160', $false)
    'Windows365Administrator' = [MtRoleDefinition]::new('11451d60-acb2-45eb-a7d6-43d0f0125c13', $false)
    'WindowsUpdateDeploymentAdministrator' = [MtRoleDefinition]::new('32696413-001a-46ae-978c-ce0f6b3620d2', $false)
    'WorkplaceDeviceJoin' = [MtRoleDefinition]::new('c34f683f-4d5a-4403-affd-6615e00e3a7f', $false)
    'YammerAdministrator' = [MtRoleDefinition]::new('810a2642-a034-447f-a5e8-41beaa378541', $false)
    # END AUTO-GENERATED ROLE DEFINITIONS
}

# Module-scoped hashtable of legacy role identifiers mapped to current canonical identifiers.
# Each key is a former role name and each value is the key of the same role in $script:MtRoles.
# Get-MtRoleInfo consults this table only after a direct lookup in $script:MtRoles misses.
# Auto-generated by build/Update-MtRoleDefinitions.ps1 when Microsoft renames a role but keeps
# the same role template ID.
# NOTE(review): an alias whose target key is missing from $script:MtRoles resolves to $null, so
# the two generated tables need to be regenerated together - confirm the build script does this.
$script:MtRoleAliases = @{
    # BEGIN AUTO-GENERATED ROLE ALIASES
    'AzureADJoinedDeviceLocalAdministrator' = 'MicrosoftEntraJoinedDeviceLocalAdministrator'
    # END AUTO-GENERATED ROLE ALIASES
}

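function Get-MtRoleInfo {
    <#
    .SYNOPSIS
    Returns role information for a given role name, including the GUID (template ID)
    and whether the role is classified as privileged by Microsoft.

    .DESCRIPTION
    Returns an MtRoleDefinition object with Id (the role template GUID) and IsPrivileged
    (whether Microsoft classifies this as a privileged role). The object's ToString() method
    returns the GUID, so it can be used directly in string contexts for backward compatibility.

    The name is looked up in the module-scoped role table first and, if that misses, through
    the legacy alias table.

    Returns $null when the name is empty or whitespace, or when it matches neither table.
    Callers that base a security decision on IsPrivileged should test for $null explicitly:
    outside strict mode, reading IsPrivileged from a $null result evaluates as false, so an
    unrecognised or misspelled role name would otherwise be treated as not privileged.
    Run with -Verbose to see which names failed to resolve.

    This data is auto-generated by build/Update-MtRoleDefinitions.ps1 from the
    Microsoft Entra built-in roles documentation.

    .OUTPUTS
    MtRoleDefinition, or $null when the role name cannot be resolved.

    .EXAMPLE
    $role = Get-MtRoleInfo -RoleName 'GlobalAdministrator'
    if ($null -eq $role) { throw 'Unknown role name' }
    $role.IsPrivileged
    #>

    [CmdletBinding()]
    [OutputType([MtRoleDefinition])]
    param(
        # The name of the role to get information for.
        [string] $RoleName
    )

    if ([string]::IsNullOrWhiteSpace($RoleName)) { return $null }

    # Direct hit on a current role identifier.
    if ($script:MtRoles.ContainsKey($RoleName)) {
        return $script:MtRoles[$RoleName]
    }

    # Fall back to the legacy-name table and follow it to the current identifier.
    if ($script:MtRoleAliases.ContainsKey($RoleName)) {
        $canonicalName = $script:MtRoleAliases[$RoleName]
        $definition = $script:MtRoles[$canonicalName]
        if ($null -eq $definition) {
            # The alias points at a key the role table does not have; report it instead of failing silently.
            Write-Verbose "Get-MtRoleInfo: alias '$RoleName' maps to '$canonicalName', which is not in the role table."
        }
        return $definition
    }

    # Unknown name: keep returning $null for compatibility, but leave a trace for diagnosis.
    Write-Verbose "Get-MtRoleInfo: no role definition found for '$RoleName'."
    return $null
}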