<#
.DESCRIPTION
This script is designed to display all of the members of the Azure AD Administrator Roles. You can filter by three
different parameters. Either "-All" displaying all members from all Administrator Roles, "-UserPrincipalName" to find
out which Roles a specific user is member of, or, "-RoleName" to display the members of a specific role group.
The sample scripts are not supported under any Microsoft standard support
program or service. The sample scripts are provided AS IS without warranty
of any kind. Microsoft further disclaims all implied warranties including,
without limitation, any implied warranties of merchantability or of fitness for
a particular purpose. The entire risk arising out of the use or performance of
the sample scripts and documentation remains with you. In no event shall
Microsoft, its authors, or anyone else involved in the creation, production, or
delivery of the scripts be liable for any damages whatsoever (including,
without limitation, damages for loss of business profits, business interruption,
loss of business information, or other pecuniary loss) arising out of the use
of or inability to use the sample scripts or documentation, even if Microsoft
has been advised of the possibility of such damages.
Author: Brian Baldock - [email protected]
Requirements:
Have the Azure AD PowerShell module installed by following the instructions at this link: https://aka.ms/AAau56t
.PARAMETER Admin
Mandatory Parameter - Admin account used for accessing the Microsoft 365 platform
.PARAMETER All
Displays all members from all Administrator Roles. This is the default output
.PARAMETER UserPrincipalName
Specify a specific UserPrincipalName to display roles for that specific user
.PARAMETER RoleName
Specify a specific role name to get a list of users who are members of that role
.EXAMPLE
Get a list of all the members of all the Administrator Roles in Azure AD
.\Get-AADAdminRoleMembers.ps1 -Admin [email protected] -All
.EXAMPLE
Get a list of all the roles a user is member of
.\Get-AADAdminRoleMembers.ps1 -Admin [email protected] -UserPrincipalName [email protected]
.EXAMPLE
Display the members of a particular Administrator Role
.\Get-AADAdminRoleMembers.ps1 -Admin [email protected] -RoleName "Power BI Service Administrators"
#>
[CmdletBinding(DefaultParameterSetName = 'All')]
param (
    # Admin account used to sign in. Required in every parameter set: a
    # Parameter attribute with no ParameterSetName applies to all sets.
    [Parameter(Mandatory = $true,
        HelpMessage = 'Enter the admin account for the tenant - Example "[email protected]".')]
    [string]$Admin,

    # Default mode (set 'All'): every activated admin role with its members.
    [Parameter(ParameterSetName = 'All',
        HelpMessage = 'This is the default parameter, will list all "active" admin roles and members.')]
    [switch]$All,

    # Set 'UPN': only the roles this user is a direct member of.
    [Parameter(ParameterSetName = 'UPN',
        HelpMessage = 'Enter the UserPrincipalName - Example "[email protected]".')]
    [string]$UserPrincipalName,

    # Set 'RoleName': only the members of the named role.
    [Parameter(ParameterSetName = 'RoleName',
        HelpMessage = 'Enter the name of the Admin Role you would like to see members of.')]
    [string]$RoleName
)
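begin {
    # NOTE(review): the AzureAD / AzureADPreview modules are deprecated in
    # favour of Microsoft Graph PowerShell; this script still depends on them
    # because every cmdlet used below comes from them.

    # Returns 1 when the AzureAD module is installed, 2 when only
    # AzureADPreview is, 3 when neither is found. An unexpected exception is
    # returned as its message text; the 'default' arm of the switch below
    # turns that into a terminating error.
    function CheckModules {
        try {
            # Test for AzureAD or AzureADPreview module
            if (Get-Module -ListAvailable -Name "AzureAD") {
                return 1
            }
            elseif (Get-Module -ListAvailable -Name "AzureADPreview") {
                return 2
            }
            else {
                return 3
            }
        }
        catch {
            return $_.Exception.Message
        }
    }

    # A missing module is fatal. The original printed a hint and used
    # 'break', which only left the switch, so execution carried on into the
    # process block and failed there with CommandNotFound errors; throw so the
    # caller gets one clear terminating error and no partial report. Failures
    # were also 'return'ed as message text, which in a script's begin block
    # merely emits the message to the output stream and continues.
    switch (CheckModules) {
        1 { Import-Module AzureAD -ErrorAction Stop }
        2 { Import-Module AzureADPreview -ErrorAction Stop }
        3 { throw "Please install the Azure AD powershell module by following the instructions at this link: https://aka.ms/AAau56t" }
        default { throw "Unable to detect the Azure AD PowerShell module: $_" }
    }

    # Reuse an existing session; only prompt for sign-in when the module
    # reports that none exists. Any other failure (network, tenant lookup) is
    # left to propagate. -AccountId is only a sign-in hint for the interactive
    # prompt; no credential is taken from the command line.
    try {
        $null = Get-AzureADTenantDetail
    }
    catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
        Connect-AzureAD -AccountId $Admin -ErrorAction Stop | Out-Null
    }
}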
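process {
    # Render one role member for the report. Directory roles can hold users,
    # groups and service principals, and only users carry a UserPrincipalName;
    # the original joined UserPrincipalName alone, so non-user members were
    # dropped from the audit without any indication. Show them by DisplayName
    # with their ObjectType tagged instead.
    function Format-RoleMember {
        param($Member)
        if ($Member.UserPrincipalName) {
            return $Member.UserPrincipalName
        }
        return "$($Member.DisplayName) [$($Member.ObjectType)]"
    }

    # Build one report row: ObjectID, RoleName and a comma-separated member
    # list (no trailing separator). Property order is fixed by the
    # Select-Object in the end block.
    function New-RoleRow {
        param($Role, $Members)
        $Labels = @($Members | ForEach-Object { Format-RoleMember -Member $_ })
        return New-Object PSObject -Property @{
            ObjectID = $Role.ObjectId
            RoleName = $Role.DisplayName
            Member   = ($Labels -join ', ')
        }
    }

    # Get-AzureADDirectoryRole returns only roles that have been activated in
    # the tenant, and Get-AzureADDirectoryRoleMember returns direct members,
    # so the report reflects current direct assignments only.
    # Failures are no longer caught and 'return'ed as message text: that mixed
    # an error string into the output stream and then still emitted a partial
    # member list from the end block, which reads as a complete audit.
    $MemberList = @()
    switch ($PSCmdlet.ParameterSetName) {
        'All' {
            foreach ($Role in Get-AzureADDirectoryRole) {
                $RoleMembers = Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId
                $MemberList += New-RoleRow -Role $Role -Members $RoleMembers
            }
        }
        'UPN' {
            # One row per role the user is a direct member of. PowerShell's
            # -eq is case-insensitive for strings.
            foreach ($Role in Get-AzureADDirectoryRole) {
                $RoleMembers = Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId
                foreach ($Member in $RoleMembers) {
                    if ($Member.UserPrincipalName -eq $UserPrincipalName) {
                        $MemberList += New-RoleRow -Role $Role -Members @($Member)
                    }
                }
            }
        }
        'RoleName' {
            $VerifiedRole = Get-AzureADDirectoryRole | Where-Object -Property DisplayName -eq $RoleName
            if (-not $VerifiedRole) {
                # The original passed $null to -ObjectId and reported the
                # resulting parameter-binding error; say what actually happened.
                throw "Role '$RoleName' was not found among the activated directory roles."
            }
            $RoleMembers = Get-AzureADDirectoryRoleMember -ObjectId $VerifiedRole.ObjectId
            $MemberList += New-RoleRow -Role $VerifiedRole -Members $RoleMembers
        }
    }
}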
end {
    # Emit the rows collected in the process block in a fixed column order;
    # the rows were built from hashtables, whose property order is not
    # guaranteed.
    $MemberList | Select-Object -Property ObjectID, RoleName, Member
}