private/helper/m365/entra/user/Get-EntraIdUserAdminRole.ps1
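function Get-EntraIdUserAdminRole {
    <#
    .SYNOPSIS
        Get users with admin roles.
    .DESCRIPTION
        Returns a list of users with admin roles: one record per (user, role) pair for every
        member of every activated directory role in the tenant. Role members that are not users
        (for example groups or service principals) are skipped and are not expanded, so a user
        who holds a role only through group membership does not appear.
    .OUTPUTS
        System.Collections.ArrayList of PSCustomObject with the properties Id, DisplayName,
        UserPrincipalName, CloudOnly, RoleDisplayName, RoleId and AccountEnabled.
        AccountEnabled is reported as-is; disabled accounts that still hold a role are included.
    .NOTES
        Requires the following modules:
        - Microsoft.Graph.Identity.DirectoryManagement
        - Microsoft.Graph.Users
        NOTE(review): Get-MgDirectoryRole / Get-MgDirectoryRoleMember reflect active membership of
        activated directory roles; PIM-eligible assignments are presumably not included — confirm
        before relying on this output as a complete privileged-access inventory.
    .EXAMPLE
        Get-EntraIdUserAdminRole;
    #>
    [cmdletbinding()]
    [OutputType([System.Collections.ArrayList])]
    param (
    )
    BEGIN {
        # Object array to store users with admin roles.
        $usersWithAdminRoles = New-Object System.Collections.ArrayList;

        # Write to log.
        Write-Log -Category 'Entra' -Subcategory 'User' -Message ('Getting all users') -Level Debug;

        # Get all users.
        $users = Get-MgUser -Property 'Id', 'DisplayName', 'UserPrincipalName', 'OnPremisesSyncEnabled', 'AccountEnabled' -All;

        # Index users by object id so each role member is resolved with a hash lookup instead of
        # a Where-Object scan over the whole user list for every member of every role.
        $usersById = @{};
        foreach ($userEntry in $users) {
            if ($null -ne $userEntry.Id) {
                $usersById[$userEntry.Id] = $userEntry;
            }
        }

        # Tracks (user id, role id) pairs already emitted so a pair is never recorded twice.
        $seenAssignments = @{};

        # Write to log.
        Write-Log -Category 'Entra' -Subcategory 'User' -Message ('Getting all directory roles') -Level Debug;

        # Get all roles.
        $roles = Get-MgDirectoryRole -All;
    }
    PROCESS {
        # Foreach role.
        foreach ($role in $roles) {
            # Write to log.
            Write-Log -Category 'Entra' -Subcategory 'User' -Message ("Getting members of role '{0}'" -f $role.DisplayName) -Level Debug;

            # Get role members. -All is required: without it only the first page of members is
            # returned and a role with many members would be silently truncated.
            $roleMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All;

            # Foreach role member.
            foreach ($roleMember in $roleMembers) {
                # Resolve the member to a user; members without an id, or that are not users
                # (groups, service principals), are skipped.
                if ($null -eq $roleMember.Id -or -not $usersById.ContainsKey($roleMember.Id)) {
                    continue;
                }
                $user = $usersById[$roleMember.Id];

                # Skip a (user, role) pair that was already recorded. The previous
                # "-notcontains $user" check compared a Graph user object against the
                # PSCustomObject records in the list and therefore never matched.
                $assignmentKey = '{0}|{1}' -f $user.Id, $role.Id;
                if ($seenAssignments.ContainsKey($assignmentKey)) {
                    continue;
                }
                $seenAssignments[$assignmentKey] = $true;

                # Cloud native: OnPremisesSyncEnabled is null for objects that have never been
                # synced from on-premises AD, which is what "cloud only" means here. A value of
                # false (previously synced, no longer synced) is deliberately not cloud only.
                [bool]$cloudOnly = ($null -eq $user.OnPremisesSyncEnabled);

                # Write to log.
                Write-Log -Category 'Entra' -Subcategory 'User' -Message ("User '{0}' have the role '{1}'" -f $user.UserPrincipalName, $role.DisplayName) -Level Debug;

                # Add user to list. ArrayList.Add is used instead of "+=": "+=" on an ArrayList
                # rebuilds it as a plain array on every append (O(n^2) and no longer the declared
                # output type). The returned index is discarded so it does not leak into the output.
                $null = $usersWithAdminRoles.Add([PSCustomObject]@{
                    Id                = $user.Id;
                    DisplayName       = $user.DisplayName;
                    UserPrincipalName = $user.UserPrincipalName;
                    CloudOnly         = $cloudOnly;
                    RoleDisplayName   = $role.DisplayName;
                    RoleId            = $role.Id;
                    AccountEnabled    = $user.AccountEnabled;
                });
            }
        }
    }
    END {
        # Return users with admin roles.
        return $usersWithAdminRoles;
    }
}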