Get-MgRoleReport

SYNOPSIS

Get-MgRoleReport.ps1 - Reports on Microsoft Entra ID (Azure AD) roles

SYNTAX

Get-MgRoleReport [-IncludeEmptyRoles] [[-IncludePIMEligibleAssignments] <Boolean>] [-ForceNewToken]
 [-MaesterMode] [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

By default, the report contains only the roles with members. To get all the role, included empty roles, add -IncludeEmptyRoles $true

EXAMPLES

EXAMPLE 1

Get-MgRoleReport

Get all the roles with members, including PIM eligible assignments but without empty roles

EXAMPLE 2

Get-MgRoleReport -IncludeEmptyRoles

Get all the roles, including the ones without members

EXAMPLE 3

Get-MgRoleReport -IncludePIMEligibleAssignments $false
Get all the roles with members (without empty roles), but without PIM eligible assignments

EXAMPLE 4

Get-MgRoleReport | Export-CSV -NoTypeInformation "$(Get-Date -Format yyyyMMdd)_adminRoles.csv" -Encoding UTF8

PARAMETERS

-IncludeEmptyRoles

Switch parameter to include empty roles in the report

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-IncludePIMEligibleAssignments

Boolean parameter to include PIM eligible assignments in the report. Default is $true

Type: Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: 1
Default value: True
Accept pipeline input: False
Accept wildcard characters: False

-ForceNewToken

Switch parameter to force getting a new token from Microsoft Graph

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-MaesterMode

Switch parameter to use with the Maester framework (internal process not presented here)

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ProgressAction

Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

The report is output to an array contained all the audit logs found.

To export in a csv, do Get-MgRoleReport | Export-CSV -NoTypeInformation "$(Get-Date -Format yyyyMMdd)_adminRoles.csv" -Encoding UTF8

NOTES

Written by Bastien Perez (Clidsys.com - ITPro-Tips.com) For more Office 365/Microsoft 365 tips and news, check out ITPro-Tips.com.

Version History:

[1.8.2] - 2025-10-17

Changed

Fix onPremisesSyncEnabled property

[1.8.1] - 2025-10-17

Added

Add RecommendationSync property

[1.8.0] - 2025-10-08

Added

Add IncludeEmptyRoles switch parameter to get all roles, even the ones without members

Changed

Use List for mgRoles for better performance

[1.7.0] - 2025-04-04

Changed

Add scopes for RoleManagement.Read.All and AuditLog.Read.All permissions

[1.6] - 2025-02-26

Changed

Add permissionsNeeded variable
Add onpremisesSyncEnabled property for groups
Add all type objects in the cache array
Add LastNonInteractiveSignInDateTime property for users

[1.5.0] - 2025-02-25

Changed

Always return true or false for onPremisesSyncEnabled properties
Fix issues with objectsCacheArray that was not working
Sign-in activity tracking for service principals

Plannned for next release

Switch to Invoke-MgGraphRequest instead of Get-Mg* CMDlets

[1.4.0] - 2025-02-13

Added

Sign-in activity tracking for users
Account enabled status.
On-premises sync enabled status.
Remove old parameters
Test if already connected to Microsoft Graph and with the right permissions

[1.3.0] - 2024-05-15

Changed

Changes not specified.

[1.2.0] - 2024-03-13

Changed

Changes not specified.

[1.1.0] - 2023-12-01

Changed

Changes not specified.

[1.0.0] - 2023-10-19

Initial Release

https://itpro-tips.com/get-the-office-365-admin-roles-and-track-the-changes/

SYNOPSIS​

SYNTAX​

DESCRIPTION​

EXAMPLES​

EXAMPLE 1​

EXAMPLE 2​

EXAMPLE 3​

EXAMPLE 4​

PARAMETERS​

-IncludeEmptyRoles​

-IncludePIMEligibleAssignments​

-ForceNewToken​

-MaesterMode​

-ProgressAction​

CommonParameters​

INPUTS​

OUTPUTS​

The report is output to an array contained all the audit logs found.​

To export in a csv, do Get-MgRoleReport | Export-CSV -NoTypeInformation "$(Get-Date -Format yyyyMMdd)_adminRoles.csv" -Encoding UTF8​

NOTES​

[1.8.2] - 2025-10-17​

Changed​

[1.8.1] - 2025-10-17​

Added​

[1.8.0] - 2025-10-08​

Added​

Changed​

[1.7.0] - 2025-04-04​

Changed​

[1.6] - 2025-02-26​

Changed​

[1.5.0] - 2025-02-25​

Changed​

Plannned for next release​

[1.4.0] - 2025-02-13​

Added​

[1.3.0] - 2024-05-15​

Changed​

[1.2.0] - 2024-03-13​

Changed​

[1.1.0] - 2023-12-01​

Changed​

[1.0.0] - 2023-10-19​

Initial Release​

RELATED LINKS​

SYNOPSIS

SYNTAX

DESCRIPTION

EXAMPLES

EXAMPLE 1

EXAMPLE 2

EXAMPLE 3

EXAMPLE 4

PARAMETERS

-IncludeEmptyRoles

-IncludePIMEligibleAssignments

-ForceNewToken

-MaesterMode

-ProgressAction

CommonParameters

INPUTS

OUTPUTS

The report is output to an array contained all the audit logs found.

To export in a csv, do Get-MgRoleReport | Export-CSV -NoTypeInformation "$(Get-Date -Format yyyyMMdd)_adminRoles.csv" -Encoding UTF8

NOTES

[1.8.2] - 2025-10-17

Changed

[1.8.1] - 2025-10-17

Added

[1.8.0] - 2025-10-08

Added

Changed

[1.7.0] - 2025-04-04

Changed

[1.6] - 2025-02-26

Changed

[1.5.0] - 2025-02-25

Changed

Plannned for next release

[1.4.0] - 2025-02-13

Added

[1.3.0] - 2024-05-15

Changed

[1.2.0] - 2024-03-13

Changed

[1.1.0] - 2023-12-01

Changed

[1.0.0] - 2023-10-19

Initial Release

RELATED LINKS