Get-UserEntraRoleAssignments.ps1
<# Script to get all Role Assignments for a User Identity, both Direct and Indirect (via Group membership).
Roles assigned due to Nested Group membership are also displayed.
The script will throw errors when enumerating non-existent nested Group memberships. Do not take them into consideration; the final results will be valid.
#>
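# Resolve the signed-in account to its user object ID.
# Get-MgContext returns $null when Connect-MgGraph has not been run, and Account is
# empty for app-only (client credential) sessions; in both cases there is no
# "current user" to report on, so fail early with a clear message instead of
# continuing with an empty $userId (which would silently produce an empty report).
# NOTE(review): assumes the session was opened with scopes that allow reading users,
# group membership and directory role assignments - confirm against the tenant's
# consented permissions.
$context = Get-MgContext
if (-not $context -or -not $context.Account) {
    throw "No signed-in user context. Run Connect-MgGraph with a user account first."
}
$userUPN = $context.Account
# -ErrorAction Stop: a failed lookup must abort rather than leave $userId empty.
$user = Get-MgUser -UserId $userUPN -ErrorAction Stop
$userId = $user.Id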
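function Get-AllGroups {
    <#
    .SYNOPSIS
    Returns every group a principal belongs to, directly or through nested groups.
    .PARAMETER principalId
    Object ID of the principal to expand. Treated as a user unless -IsGroup is set.
    .PARAMETER IsGroup
    Set when principalId is a group. Membership is then read with Get-MgGroupMemberOf
    instead of Get-MgUserMemberOf; the recursive step sets this for nested groups.
    (Calling the user endpoint with a group ID is what produced the spurious errors
    mentioned in the header comment.)
    .PARAMETER Visited
    Hashtable of group IDs already expanded, shared across the recursion so that a
    group reachable by several paths is returned once and a membership cycle cannot
    recurse without bound.
    .OUTPUTS
    Directory objects whose @odata.type is #microsoft.graph.group.
    #>
    param (
        [string]$principalId,
        [switch]$IsGroup,
        [hashtable]$Visited = @{}
    )
    $found = [System.Collections.Generic.List[object]]::new()
    try {
        # -All follows paging; without it a principal in more than one page of groups
        # would be under-reported. -ErrorAction Stop makes the catch below effective.
        $memberOf = if ($IsGroup) {
            Get-MgGroupMemberOf -GroupId $principalId -All -ErrorAction Stop
        } else {
            Get-MgUserMemberOf -UserId $principalId -All -ErrorAction Stop
        }
        $directGroups = $memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
        foreach ($group in $directGroups) {
            if ($Visited.ContainsKey($group.Id)) { continue }   # already expanded via another path
            $Visited[$group.Id] = $true
            $found.Add($group)
            # Groups can themselves be members of groups; expand them the same way.
            $nested = Get-AllGroups -principalId $group.Id -IsGroup -Visited $Visited
            foreach ($nestedGroup in $nested) { $found.Add($nestedGroup) }
        }
    } catch {
        Write-Warning "Failed to retrieve group memberships for Principal ID: $principalId. Error: $_"
    }
    return $found.ToArray()
}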
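# Active role assignments made directly to the user (-All follows paging).
# NOTE: only active assignments are enumerated here; PIM-eligible assignments are
# not returned by this cmdlet and will not appear in the report.
$directRoles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$userId'" -All
$allRoles = @()
foreach ($role in $directRoles) {
    try {
        $roleDefinitionId = $role.RoleDefinitionId
        # -ErrorAction Stop so a failed definition lookup lands in the catch instead
        # of producing a row with empty DisplayName/Description.
        $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinitionId -ErrorAction Stop
        # Graph reports a tenant-wide assignment as directoryScopeId "/"; the old
        # truthiness test never mapped it. Any other value (e.g. an administrative
        # unit or application scope) is shown as-is.
        $scope = if (-not $role.DirectoryScopeId -or $role.DirectoryScopeId -eq '/') { "Tenant-wide" } else { $role.DirectoryScopeId }
        $allRoles += [PSCustomObject]@{
            DisplayName = $roleDefinition.DisplayName
            Description = $roleDefinition.Description
            Scope       = $scope
        }
    } catch {
        Write-Warning "Failed to retrieve role definition for RoleDefinitionId: $($role.RoleDefinitionId)"
    }
}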
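# Active role assignments inherited through (possibly nested) group membership.
$groups = Get-AllGroups -principalId $userId
foreach ($group in $groups) {
    $groupId = $group.Id
    $roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$groupId'" -All
    foreach ($roleAssignment in $roleAssignments) {
        try {
            $roleDefinitionId = $roleAssignment.RoleDefinitionId
            # -ErrorAction Stop so a failed lookup is caught rather than yielding an
            # empty row.
            $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleDefinitionId -ErrorAction Stop
            # "/" is Graph's tenant-wide scope; other values (admin unit, app) pass through.
            $scope = if (-not $roleAssignment.DirectoryScopeId -or $roleAssignment.DirectoryScopeId -eq '/') { "Tenant-wide" } else { $roleAssignment.DirectoryScopeId }
            $allRoles += [PSCustomObject]@{
                DisplayName = $roleDefinition.DisplayName
                Description = $roleDefinition.Description
                Scope       = $scope
            }
        } catch {
            # Report the assignment being processed; the previous message read $role,
            # the loop variable of the direct-assignment loop, and so printed the
            # wrong (or an empty) ID.
            Write-Warning "Failed to retrieve role definition for RoleDefinitionId: $($roleAssignment.RoleDefinitionId)"
        }
    }
}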
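# One row per (role, scope). De-duplicating on DisplayName alone would hide a second
# assignment of the same role at a different scope (e.g. tenant-wide plus an
# administrative unit), which is exactly the kind of assignment a review should see.
$allRoles | Sort-Object -Property DisplayName, Scope -Unique | Format-Table -Property DisplayName, Description, Scope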