internal/Get-MtRoleInfo.ps1

class MtRoleDefinition {
    # Role template GUID of the built-in role.
    [string]$Id
    # True when the generated role table flags this role as privileged.
    [bool]$IsPrivileged

    # Builds a definition from a role template GUID and its privileged flag.
    MtRoleDefinition([string]$roleTemplateId, [bool]$privileged) {
        $this.IsPrivileged = $privileged
        $this.Id = $roleTemplateId
    }

    # Renders the definition as its Id, so the object can stand in for the
    # GUID wherever a string is expected.
    [string] ToString() {
        return $this.Id
    }
}

# Module-scoped hashtables of all Entra ID built-in role definitions and aliases.
# Auto-generated by build/Update-MtRoleDefinitions.ps1 from the Microsoft Entra
# built-in roles permissions reference (public, no auth required).
# To update, run: build/Update-MtRoleDefinitions.ps1
#
# These tables are populated lazily on first use (see Get-MtRoleInfo) rather than
# at module load. Assigning them at the top level of this class-bearing file is
# unreliable on some PowerShell runtimes: when Maester.psm1 dot-sources this file
# during Import-Module, the load-time assignment of $script:MtRoles can fail to
# persist into the Pester test-execution context (reproduced on pwsh 7.5.0, 7.6.1
# and 7.6.2 on Linux during Invoke-Maester -- not a PowerShell-version regression),
# leaving the table $null at call time so Get-MtRoleInfo throws "You cannot call a
# method on a null-valued expression". Initializing inside a function avoids that.
<#
.SYNOPSIS
Initializes the cached Microsoft Entra role definition lookup tables used by Maester.

.DESCRIPTION
Populates the module-scoped role definition and alias hashtables on first use. This
helper supports Get-MtRoleInfo and Get-MtRoleMember by loading the auto-generated
built-in role metadata lazily so the cache remains available across PowerShell
module import and test execution contexts.
#>

function Initialize-MtRoleDefinition {
    [CmdletBinding()]
    param()

    # Idempotent: once both module-scoped tables exist there is nothing to do.
    # If either one is still $null, both are rebuilt below.
    if ($null -ne $script:MtRoles -and $null -ne $script:MtRoleAliases) { return }

    # Role identifier -> MtRoleDefinition(role template GUID, IsPrivileged flag).
    # Hashtable literals compare string keys case-insensitively, so lookups by
    # role name do not depend on casing.
    # The IsPrivileged flags are a snapshot taken when the table was last
    # generated; a role that is absent here is unknown to Maester, not known to
    # be non-privileged.
    # NOTE(review): keep hand-written comments outside the BEGIN/END markers --
    # the region between them is presumably rewritten by the generator script.
    $script:MtRoles = @{
    # BEGIN AUTO-GENERATED ROLE DEFINITIONS
    'AgentIDAdministrator' = [MtRoleDefinition]::new('db506228-d27e-4b7d-95e5-295956d6615f', $true)
    'AgentIDDeveloper' = [MtRoleDefinition]::new('adb2368d-a9be-41b5-8667-d96778e081b0', $false)
    'AgentRegistryAdministrator' = [MtRoleDefinition]::new('6b942400-691f-4bf0-9d12-d8a254a2baf5', $false)
    'AIAdministrator' = [MtRoleDefinition]::new('d2562ede-74db-457e-a7b6-544e236ebb61', $true)
    'AIReader' = [MtRoleDefinition]::new('1fe13547-53f6-408d-ac04-7f8eed167b38', $true)
    'ApplicationAdministrator' = [MtRoleDefinition]::new('9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', $true)
    'ApplicationDeveloper' = [MtRoleDefinition]::new('cf1c38e5-3621-4004-a7cb-879624dced7c', $true)
    'AttackPayloadAuthor' = [MtRoleDefinition]::new('9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f', $false)
    'AttackSimulationAdministrator' = [MtRoleDefinition]::new('c430b396-e693-46cc-96f3-db01bf8bb62a', $false)
    'AttributeAssignmentAdministrator' = [MtRoleDefinition]::new('58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d', $false)
    'AttributeAssignmentReader' = [MtRoleDefinition]::new('ffd52fa5-98dc-465c-991d-fc073eb59f8f', $false)
    'AttributeDefinitionAdministrator' = [MtRoleDefinition]::new('8424c6f0-a189-499e-bbd0-26c1753c96d4', $false)
    'AttributeDefinitionReader' = [MtRoleDefinition]::new('1d336d2c-4ae8-42ef-9711-b3604ce3fc2c', $false)
    'AttributeLogAdministrator' = [MtRoleDefinition]::new('5b784334-f94b-471a-a387-e7219fc49ca2', $false)
    'AttributeLogReader' = [MtRoleDefinition]::new('9c99539d-8186-4804-835f-fd51ef9e2dcd', $false)
    'AttributeProvisioningAdministrator' = [MtRoleDefinition]::new('ecb2c6bf-0ab6-418e-bd87-7986f8d63bbe', $true)
    'AttributeProvisioningReader' = [MtRoleDefinition]::new('422218e4-db15-4ef9-bbe0-8afb41546d79', $true)
    'AuthenticationAdministrator' = [MtRoleDefinition]::new('c4e39bd9-1100-46d3-8c65-fb160da0071f', $true)
    'AuthenticationExtensibilityAdministrator' = [MtRoleDefinition]::new('25a516ed-2fa0-40ea-a2d0-12923a21473a', $true)
    'AuthenticationExtensibilityPasswordAdministrator' = [MtRoleDefinition]::new('0b00bede-4072-4d22-b441-e7df02a1ef63', $true)
    'AuthenticationPolicyAdministrator' = [MtRoleDefinition]::new('0526716b-113d-4c15-b2c8-68e3c22b9f80', $false)
    'AzureDevOpsAdministrator' = [MtRoleDefinition]::new('e3973bdf-4987-49ae-837a-ba8e231c7286', $false)
    'AzureInformationProtectionAdministrator' = [MtRoleDefinition]::new('7495fdc4-34c4-4d15-a289-98788ce399fd', $false)
    'B2CIEFKeysetAdministrator' = [MtRoleDefinition]::new('aaf43236-0c0d-4d5f-883a-6955382ac081', $true)
    'B2CIEFPolicyAdministrator' = [MtRoleDefinition]::new('3edaf663-341e-4475-9f94-5c398ef6c070', $false)
    'BillingAdministrator' = [MtRoleDefinition]::new('b0f54661-2d74-4c50-afa3-1ec803f12efe', $false)
    'CloudApplicationAdministrator' = [MtRoleDefinition]::new('158c047a-c907-4556-b7ef-446551a6b5f7', $true)
    'CloudAppSecurityAdministrator' = [MtRoleDefinition]::new('892c5842-a9a6-463a-8041-72aa08ca3cf6', $false)
    'CloudDeviceAdministrator' = [MtRoleDefinition]::new('7698a772-787b-4ac8-901f-60d6b08affd2', $true)
    'ComplianceAdministrator' = [MtRoleDefinition]::new('17315797-102d-40b4-93e0-432062caca18', $false)
    'ComplianceDataAdministrator' = [MtRoleDefinition]::new('e6d1a23a-da11-4be4-9570-befc86d067a7', $false)
    'ConditionalAccessAdministrator' = [MtRoleDefinition]::new('b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', $true)
    'CustomerDelegatedAdminRelationshipAdministrator' = [MtRoleDefinition]::new('fc8ad4e2-40e4-4724-8317-bcda7503ecbf', $false)
    'CustomerLockboxAccessApprover' = [MtRoleDefinition]::new('5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91', $false)
    'DesktopAnalyticsAdministrator' = [MtRoleDefinition]::new('38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4', $false)
    'DeviceJoin' = [MtRoleDefinition]::new('9c094953-4995-41c8-84c8-3ebb9b32c93f', $false)
    'DeviceManagers' = [MtRoleDefinition]::new('2b499bcd-da44-4968-8aec-78e1674fa64d', $false)
    'DeviceUsers' = [MtRoleDefinition]::new('d405c6df-0af8-4e3b-95e4-4d06e542189e', $false)
    'DirectoryReaders' = [MtRoleDefinition]::new('88d8e3e3-8f55-4a1e-953a-9b9898b8876b', $false)
    'DirectorySynchronizationAccounts' = [MtRoleDefinition]::new('d29b2b05-8046-44ba-8758-1e26182fcf32', $false)
    'DirectoryWriters' = [MtRoleDefinition]::new('9360feb5-f418-4baa-8175-e2a00bac4301', $true)
    'DomainNameAdministrator' = [MtRoleDefinition]::new('8329153b-31d0-4727-b945-745eb3bc5f31', $true)
    'DragonAdministrator' = [MtRoleDefinition]::new('e93e3737-fa85-474a-aee4-7d3fb86510f3', $false)
    'Dynamics365Administrator' = [MtRoleDefinition]::new('44367163-eba1-44c3-98af-f5787879f96a', $false)
    'Dynamics365BusinessCentralAdministrator' = [MtRoleDefinition]::new('963797fb-eb3b-4cde-8ce3-5878b3f32a3f', $false)
    'EdgeAdministrator' = [MtRoleDefinition]::new('3f1acade-1e04-4fbc-9b69-f0302cd84aef', $false)
    'EntraBackupAdministrator' = [MtRoleDefinition]::new('b6a27b2b-f905-4b2e-81b5-0d90e0ef1fdb', $false)
    'EntraBackupReader' = [MtRoleDefinition]::new('f42252d9-5400-4d7b-b9ef-cc582dbb8577', $false)
    'ExchangeAdministrator' = [MtRoleDefinition]::new('29232cdf-9323-42fd-ade2-1d097af3e4de', $false)
    'ExchangeBackupAdministrator' = [MtRoleDefinition]::new('49eb8f75-97e9-4e37-9b2b-6c3ebfcffa31', $false)
    'ExchangeRecipientAdministrator' = [MtRoleDefinition]::new('31392ffb-586c-42d1-9346-e59415a2cc4e', $false)
    'ExtendedDirectoryUserAdministrator' = [MtRoleDefinition]::new('dd13091a-6207-4fc0-82ba-3641e056ab95', $false)
    'ExternalIdentityProviderAdministrator' = [MtRoleDefinition]::new('be2f45a1-457d-42af-a067-6ec1fa63bc45', $true)
    'ExternalIDUserFlowAdministrator' = [MtRoleDefinition]::new('6e591065-9bad-43ed-90f3-e9424366d2f0', $false)
    'ExternalIDUserFlowAttributeAdministrator' = [MtRoleDefinition]::new('0f971eea-41eb-4569-a71e-57bb8a3eff1e', $false)
    'FabricAdministrator' = [MtRoleDefinition]::new('a9ea8996-122f-4c74-9520-8edcd192826c', $false)
    'GlobalAdministrator' = [MtRoleDefinition]::new('62e90394-69f5-4237-9190-012177145e10', $true)
    'GlobalReader' = [MtRoleDefinition]::new('f2ef992c-3afb-46b9-b7cf-a126ee74c451', $true)
    'GlobalSecureAccessAdministrator' = [MtRoleDefinition]::new('ac434307-12b9-4fa1-a708-88bf58caabc1', $false)
    'GlobalSecureAccessLogReader' = [MtRoleDefinition]::new('843318fb-79a6-4168-9e6f-aa9a07481cc4', $false)
    'GroupsAdministrator' = [MtRoleDefinition]::new('fdd7a751-b60b-444a-984c-02652fe8fa1c', $false)
    'GuestInviter' = [MtRoleDefinition]::new('95e79109-95c0-4d8e-aee3-d01accf2d47b', $false)
    'GuestUser' = [MtRoleDefinition]::new('10dae51f-b6af-4016-8d66-8c2a99b929b3', $false)
    'HelpdeskAdministrator' = [MtRoleDefinition]::new('729827e3-9c14-49f7-bb1b-9608f156bbb8', $true)
    'HybridIdentityAdministrator' = [MtRoleDefinition]::new('8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2', $true)
    'IdentityGovernanceAdministrator' = [MtRoleDefinition]::new('45d8d3c5-c802-45c6-b32a-1d70b5e1e86e', $true)
    'InsightsAdministrator' = [MtRoleDefinition]::new('eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c', $false)
    'InsightsAnalyst' = [MtRoleDefinition]::new('25df335f-86eb-4119-b717-0ff02de207e9', $false)
    'InsightsBusinessLeader' = [MtRoleDefinition]::new('31e939ad-9672-4796-9c2e-873181342d2d', $false)
    'IntuneAdministrator' = [MtRoleDefinition]::new('3a2c62db-5318-420d-8d74-23affee5d9d5', $true)
    'IoTDeviceAdministrator' = [MtRoleDefinition]::new('2ea5ce4c-b2d8-4668-bd81-3680bd2d227a', $false)
    'KaizalaAdministrator' = [MtRoleDefinition]::new('74ef975b-6605-40af-a5d2-b9539d836353', $false)
    'KnowledgeAdministrator' = [MtRoleDefinition]::new('b5a8dcf3-09d5-43a9-a639-8e29ef291470', $false)
    'KnowledgeManager' = [MtRoleDefinition]::new('744ec460-397e-42ad-a462-8b3f9747a02c', $false)
    'LicenseAdministrator' = [MtRoleDefinition]::new('4d6ac14f-3453-41d0-bef9-a3e0c569773a', $false)
    'LifecycleWorkflowsAdministrator' = [MtRoleDefinition]::new('59d46f88-662b-457b-bceb-5c3809e5908f', $true)
    'MessageCenterPrivacyReader' = [MtRoleDefinition]::new('ac16e43d-7b2d-40e0-ac05-243ff356ab5b', $false)
    'MessageCenterReader' = [MtRoleDefinition]::new('790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b', $false)
    'Microsoft365BackupAdministrator' = [MtRoleDefinition]::new('1707125e-0aa2-4d4d-8655-a7c786c76a25', $false)
    'Microsoft365MigrationAdministrator' = [MtRoleDefinition]::new('8c8b803f-96e1-4129-9349-20738d9f9652', $false)
    'MicrosoftEntraJoinedDeviceLocalAdministrator' = [MtRoleDefinition]::new('9f06204d-73c1-4d4c-880a-6edb90606fd8', $false)
    'MicrosoftGraphDataConnectAdministrator' = [MtRoleDefinition]::new('ee67aa9c-e510-4759-b906-227085a7fd4d', $false)
    'MicrosoftHardwareWarrantyAdministrator' = [MtRoleDefinition]::new('1501b917-7653-4ff9-a4b5-203eaf33784f', $false)
    'MicrosoftHardwareWarrantySpecialist' = [MtRoleDefinition]::new('281fe777-fb20-4fbb-b7a3-ccebce5b0d96', $false)
    'NetworkAdministrator' = [MtRoleDefinition]::new('d37c8bed-0711-4417-ba38-b4abe66ce4c2', $false)
    'OfficeAppsAdministrator' = [MtRoleDefinition]::new('2b745bdf-0803-4d80-aa65-822c4493daac', $false)
    'OnPremisesDirectorySyncAccount' = [MtRoleDefinition]::new('a92aed5d-d78a-4d16-b381-09adb37eb3b0', $false)
    'OrganizationalBrandingAdministrator' = [MtRoleDefinition]::new('92ed04bf-c94a-4b82-9729-b799a7a4c178', $false)
    'OrganizationalDataSourceAdministrator' = [MtRoleDefinition]::new('9d70768a-0cbc-4b4c-aea3-2e124b2477f4', $false)
    'OrganizationalMessagesApprover' = [MtRoleDefinition]::new('e48398e2-f4bb-4074-8f31-4586725e205b', $false)
    'OrganizationalMessagesWriter' = [MtRoleDefinition]::new('507f53e4-4e52-4077-abd3-d2e1558b6ea2', $false)
    'PartnerTier1Support' = [MtRoleDefinition]::new('4ba39ca4-527c-499a-b93d-d9b492c50246', $true)
    'PartnerTier2Support' = [MtRoleDefinition]::new('e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8', $true)
    'PasswordAdministrator' = [MtRoleDefinition]::new('966707d0-3269-4727-9be2-8c3a10f19b9d', $true)
    'PeopleAdministrator' = [MtRoleDefinition]::new('024906de-61e5-49c8-8572-40335f1e0e10', $false)
    'PermissionsManagementAdministrator' = [MtRoleDefinition]::new('af78dc32-cf4d-46f9-ba4e-4428526346b5', $false)
    'PlacesAdministrator' = [MtRoleDefinition]::new('78b0ccd1-afc2-4f92-9116-b41aedd09592', $false)
    'PowerPlatformAdministrator' = [MtRoleDefinition]::new('11648597-926c-4cf3-9c36-bcebb0ba8dcc', $false)
    'PrinterAdministrator' = [MtRoleDefinition]::new('644ef478-e28f-4e28-b9dc-3fdde9aa0b1f', $false)
    'PrinterTechnician' = [MtRoleDefinition]::new('e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477', $false)
    'PrivilegedAuthenticationAdministrator' = [MtRoleDefinition]::new('7be44c8a-adaf-4e2a-84d6-ab2649e08a13', $true)
    'PrivilegedRoleAdministrator' = [MtRoleDefinition]::new('e8611ab8-c189-46e8-94e1-60213ab1f814', $true)
    'ReportsReader' = [MtRoleDefinition]::new('4a5d8f65-41da-4de4-8968-e035b65339cf', $false)
    'RestrictedGuestUser' = [MtRoleDefinition]::new('2af84b1e-32c8-42b7-82bc-daa82404023b', $false)
    'SearchAdministrator' = [MtRoleDefinition]::new('0964bb5e-9bdb-4d7b-ac29-58e794862a40', $false)
    'SearchEditor' = [MtRoleDefinition]::new('8835291a-918c-4fd7-a9ce-faa49f0cf7d9', $false)
    'SecurityAdministrator' = [MtRoleDefinition]::new('194ae4cb-b126-40b2-bd5b-6091b380977d', $true)
    'SecurityOperator' = [MtRoleDefinition]::new('5f2222b1-57c3-48ba-8ad5-d4759f1fde6f', $true)
    'SecurityReader' = [MtRoleDefinition]::new('5d6b6bb7-de71-4623-b4af-96380a352509', $true)
    'ServiceSupportAdministrator' = [MtRoleDefinition]::new('f023fd81-a637-4b56-95fd-791ac0226033', $false)
    'SharePointAdministrator' = [MtRoleDefinition]::new('f28a1f50-f6e7-4571-818b-6a12f2af6b6c', $false)
    'SharePointAdvancedManagementAdministrator' = [MtRoleDefinition]::new('99009c4a-3b3f-4957-82a9-9d35e12db77e', $false)
    'SharePointBackupAdministrator' = [MtRoleDefinition]::new('9d3e04ba-3ee4-4d1b-a3a7-9aef423a09be', $false)
    'SharePointEmbeddedAdministrator' = [MtRoleDefinition]::new('1a7d78b6-429f-476b-b8eb-35fb715fffd4', $false)
    'SkypeForBusinessAdministrator' = [MtRoleDefinition]::new('75941009-915a-4869-abe7-691bff18279e', $false)
    'TeamsAdministrator' = [MtRoleDefinition]::new('69091246-20e8-4a56-aa4d-066075b2a7a8', $false)
    'TeamsCommunicationsAdministrator' = [MtRoleDefinition]::new('baf37b3a-610e-45da-9e62-d9d1e5e8914b', $false)
    'TeamsCommunicationsSupportEngineer' = [MtRoleDefinition]::new('f70938a0-fc10-4177-9e90-2178f8765737', $false)
    'TeamsCommunicationsSupportSpecialist' = [MtRoleDefinition]::new('fcf91098-03e3-41a9-b5ba-6f0ec8188a12', $false)
    'TeamsDevicesAdministrator' = [MtRoleDefinition]::new('3d762c5a-1b6c-493f-843e-55a3b42923d4', $false)
    'TeamsExternalCollaborationAdministrator' = [MtRoleDefinition]::new('2fe872fb-daa8-4afc-8f6c-53c4565cfef4', $false)
    'TeamsReader' = [MtRoleDefinition]::new('1076ac91-f3d9-41a7-a339-dcdf5f480acc', $false)
    'TeamsTelephonyAdministrator' = [MtRoleDefinition]::new('aa38014f-0993-46e9-9b45-30501a20909d', $false)
    'TenantCreator' = [MtRoleDefinition]::new('112ca1a2-15ad-4102-995e-45b0bc479a6a', $false)
    'TenantGovernanceAdministrator' = [MtRoleDefinition]::new('1981f584-96e9-4a6f-95b0-f522373f8fae', $false)
    'TenantGovernanceReader' = [MtRoleDefinition]::new('e0a4caa6-fe82-443f-b92f-d87341d17b2e', $false)
    'TenantGovernanceRelationshipAdministrator' = [MtRoleDefinition]::new('b8e31d83-1534-480f-9b10-0338ded51b7e', $false)
    'TenantGovernanceRelationshipReader' = [MtRoleDefinition]::new('124577f8-48ed-456a-839f-13b419002e33', $false)
    'UsageSummaryReportsReader' = [MtRoleDefinition]::new('75934031-6c7e-415a-99d7-48dbd49e875e', $false)
    'User' = [MtRoleDefinition]::new('a0b1b346-4d3e-4e8b-98f8-753987be4970', $false)
    'UserAdministrator' = [MtRoleDefinition]::new('fe930be7-5e62-47db-91af-98c3a49a38b1', $true)
    'UserExperienceSuccessManager' = [MtRoleDefinition]::new('27460883-1df1-4691-b032-3b79643e5e63', $false)
    'VirtualVisitsAdministrator' = [MtRoleDefinition]::new('e300d9e7-4a2b-4295-9eff-f1c78b36cc98', $false)
    'VivaGlintTenantAdministrator' = [MtRoleDefinition]::new('0ec3f692-38d6-4d14-9e69-0377ca7797ad', $false)
    'VivaGoalsAdministrator' = [MtRoleDefinition]::new('92b086b3-e367-4ef2-b869-1de128fb986e', $false)
    'VivaPulseAdministrator' = [MtRoleDefinition]::new('87761b17-1ed2-4af3-9acd-92a150038160', $false)
    'Windows365Administrator' = [MtRoleDefinition]::new('11451d60-acb2-45eb-a7d6-43d0f0125c13', $false)
    'WindowsUpdateDeploymentAdministrator' = [MtRoleDefinition]::new('32696413-001a-46ae-978c-ce0f6b3620d2', $false)
    'WorkplaceDeviceJoin' = [MtRoleDefinition]::new('c34f683f-4d5a-4403-affd-6615e00e3a7f', $false)
    'YammerAdministrator' = [MtRoleDefinition]::new('810a2642-a034-447f-a5e8-41beaa378541', $false)
    # END AUTO-GENERATED ROLE DEFINITIONS
    }

    # Legacy role identifiers mapped to current canonical identifiers.
    # Auto-generated by build/Update-MtRoleDefinitions.ps1 when Microsoft renames a
    # role but keeps the same role template ID.
    # Each value must be a key of $script:MtRoles; an alias whose target is
    # missing from that table resolves to $null in Get-MtRoleInfo.
    $script:MtRoleAliases = @{
    # BEGIN AUTO-GENERATED ROLE ALIASES
    'AzureADJoinedDeviceLocalAdministrator' = 'MicrosoftEntraJoinedDeviceLocalAdministrator'
    # END AUTO-GENERATED ROLE ALIASES
    }
}

function Get-MtRoleInfo {
    <#
    .SYNOPSIS
    Looks up a built-in role by name and returns its template GUID together with
    Microsoft's privileged classification for that role.

    .DESCRIPTION
    Returns an MtRoleDefinition object with Id (the role template GUID) and IsPrivileged
    (whether Microsoft classifies this as a privileged role). The object's ToString() method
    returns the GUID, so it can be used directly in string contexts for backward compatibility.

    The name is matched against the current role identifiers first and then against
    the legacy aliases, which are resolved to their current identifier.

    Returns $null when the name is empty or whitespace, or when it matches neither a
    role nor an alias. A $null result means the role is unknown to this table, not
    that it is non-privileged; callers that branch on IsPrivileged should handle
    $null explicitly.

    This data is auto-generated by build/Update-MtRoleDefinitions.ps1 from the
    Microsoft Entra built-in roles documentation.
    #>

    [CmdletBinding()]
    [OutputType([MtRoleDefinition])]
    param(
        # The name of the role to get information for.
        [string] $RoleName
    )

    # Nothing to look up for a missing or blank name.
    if ([string]::IsNullOrWhiteSpace($RoleName)) { return $null }

    # Build the module-scoped lookup tables on first use; later calls return
    # immediately once both tables exist.
    Initialize-MtRoleDefinition

    # A current identifier is used as-is; otherwise fall back to the alias table
    # and give up when the name is in neither.
    $canonicalName = $RoleName
    if (-not $script:MtRoles.ContainsKey($canonicalName)) {
        if (-not $script:MtRoleAliases.ContainsKey($RoleName)) {
            return $null
        }
        $canonicalName = $script:MtRoleAliases[$RoleName]
    }

    return $script:MtRoles[$canonicalName]
}