To list all users that belong to a given role, the Microsoft Azure Active Directory (MSOnline) PowerShell module provides the Get-MsolRoleMember cmdlet. However, this cmdlet requires the RoleObjectId parameter, so you must supply the role's ObjectId rather than its name. The possible values for RoleObjectId can be retrieved by running the Get-MsolRole cmdlet.
To simplify this, I wrote the Get-MsolRoleMemberDetails cmdlet. As you can see from the screenshot below, the list of available roles is populated dynamically from the tenant.
For this cmdlet I am using Dynamic Parameters, as explained in great detail by Ed Wilson, the Microsoft Scripting Guy.
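The two-step lookup described above (resolve the role name with Get-MsolRole, then pass its ObjectId to Get-MsolRoleMember), as an added example that is not part of the post; the function name Get-RoleMembersManually is my own, and it assumes Connect-MsolService has already been called in the session:

```powershell
# Added example, not the post's own code: the manual two-step lookup that
# Get-MsolRoleMemberDetails (below in the post) automates.
# Assumes Connect-MsolService has already been run in this session.
function Get-RoleMembersManually {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$RoleName   # the display name, e.g. "Company Administrator"
    )

    # Step 1: resolve the role name to the role object; -ErrorAction Stop turns a
    # bad name into a terminating error instead of a silent empty result.
    $role = Get-MsolRole -RoleName $RoleName -ErrorAction Stop
    if ($null -eq $role) {
        throw "Role '$RoleName' not found. Run Get-MsolRole to list valid role names."
    }

    # Step 2: Get-MsolRoleMember only accepts the ObjectId, not the name.
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Select-Object @{ Name = 'Role'; Expression = { $role.Name } },
                      RoleMemberType, DisplayName, EmailAddress, IsLicensed
}

# Usage: list everyone holding the Company Administrator role.
Get-RoleMembersManually -RoleName 'Company Administrator'
```

This is exactly what has to be typed by hand every time; the cmdlet in the listing below removes the need to know or look up the role name, because the valid names are offered as a ValidateSet on a dynamic parameter.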
```powershell
<#
.Synopsis
   Get-MsolRoleMemberDetails
.DESCRIPTION
   This cmdlet lists the members of the Office 365 and Azure Roles
.PARAMETER Role
   This parameter is optional and allows the selection of a specific Office 365 / Azure Role.
.EXAMPLE
   Get-MsolRoleMemberDetails
   Lists all Roles and users that have the role assigned
.EXAMPLE
   Get-MsolRoleMemberDetails -Role Company_Administrator
   Lists all users that have the specified role assigned
.NOTES
   Version 1.0, 20.09.2016, Alex Verboon
#>
function Get-MsolRoleMemberDetails
{
    [CmdletBinding()]
    Param()

    DynamicParam
    {
        # Build the -Role parameter at runtime so its ValidateSet reflects the
        # roles that actually exist in the connected tenant.
        $attributes = New-Object System.Management.Automation.ParameterAttribute
        $attributes.ParameterSetName = "__AllParameterSets"
        $attributes.Mandatory = $false
        $attributeCollection = New-Object -Type System.Collections.ObjectModel.Collection[System.Attribute]
        $attributeCollection.Add($attributes)

        # Get-MsolRole only works with an active session, so check for one first.
        Try
        {
            Get-MsolDomain -ErrorAction Stop > $null
        }
        catch
        {
            Write-Error "You must call the Connect-MsolService cmdlet before calling any other cmdlets"
            Throw
        }

        # Spaces are not usable in a ValidateSet value at the prompt, so they are
        # replaced with underscores here and restored in Begin.
        $_Values = ((Get-MsolRole | Select-Object Name | Sort-Object Name).Name) -replace " ","_"
        If ([string]::IsNullOrEmpty($_Values))
        {
            Write-Error "No Roles found, check your connectivity to Office365/Azure"
            Throw
        }

        $ValidateSet = New-Object System.Management.Automation.ValidateSetAttribute($_Values)
        $attributeCollection.Add($ValidateSet)
        $Role = New-Object -Type System.Management.Automation.RuntimeDefinedParameter("Role", [string], $attributeCollection)
        $paramDictionary = New-Object -Type System.Management.Automation.RuntimeDefinedParameterDictionary
        $paramDictionary.Add("Role", $Role)
        return $paramDictionary
    }

    Begin
    {
        # Checking connectivity again, just in case the session was lost.
        # $O365Adminuser is expected to be set by the caller; if it is not,
        # Get-Credential simply prompts for both user name and password.
        Try
        {
            Get-MsolDomain -ErrorAction Stop > $null
        }
        catch
        {
            if ($null -eq $cred) { $cred = Get-Credential $O365Adminuser }
            Write-Verbose "Connecting to Office 365"
            Connect-MsolService -Credential $cred
        }

        if ($PSBoundParameters.ContainsKey("Role"))
        {
            # $Role is the RuntimeDefinedParameter from DynamicParam; .Value holds
            # the bound argument. Restore the spaces removed for the ValidateSet.
            $Role = $Role.Value -replace "_"," "
            Write-Verbose "Retrieving role members for role $($Role)"
            $Roles = Get-MsolRole -RoleName "$($Role)"
        }
        Else
        {
            Write-Verbose "Retrieving role members for all available roles"
            $Roles = Get-MsolRole | Sort-Object Name
        }
    }

    Process
    {
        $RoleMemberInfo = @()
        ForEach ($irole in $Roles)
        {
            Write-Verbose $irole.Name
            Write-Verbose $irole.ObjectId
            $members = Get-MsolRoleMember -RoleObjectId $irole.ObjectId
            ForEach ($member in $members)
            {
                # Role members can be non-user objects (e.g. service principals);
                # SilentlyContinue leaves the user fields empty in that case.
                $UserInfo = Get-MsolUser -ObjectId $member.ObjectId -ErrorAction SilentlyContinue
                $object = New-Object -TypeName PSObject
                $object | Add-Member -MemberType NoteProperty -Name "Role" -Value $irole.Name
                $object | Add-Member -MemberType NoteProperty -Name "DisplayName" -Value $member.DisplayName
                $object | Add-Member -MemberType NoteProperty -Name "ObjectID" -Value $UserInfo.ObjectId
                $object | Add-Member -MemberType NoteProperty -Name "UserPrincipalName" -Value $UserInfo.UserPrincipalName
                $object | Add-Member -MemberType NoteProperty -Name "FirstName" -Value $UserInfo.FirstName
                $object | Add-Member -MemberType NoteProperty -Name "LastName" -Value $UserInfo.LastName
                $object | Add-Member -MemberType NoteProperty -Name "IsLicensed" -Value $UserInfo.IsLicensed
                $RoleMemberInfo += $object
            }
        }
    }

    End
    {
        $RoleMemberInfo
    }
}
```
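A defender's use of the cmdlet above, as an added example that is not part of the post: keep a CSV baseline of who holds a privileged role and report any membership added or removed since the last run. The function name Compare-MsolRoleMembership, the baseline path and the default role list are my own choices; it assumes Get-MsolRoleMemberDetails from the listing is loaded and Connect-MsolService has been run.

```powershell
# Added example, not the post's own code: privileged-role membership drift
# check built on Get-MsolRoleMemberDetails from the listing above.
# Assumes that function is loaded and Connect-MsolService has already run.
function Compare-MsolRoleMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$BaselinePath,                         # CSV written by an earlier run (constructed path)
        [string[]]$Roles = @('Company_Administrator'), # underscore form, as the cmdlet's -Role expects
        [switch]$UpdateBaseline                        # overwrite the baseline after reporting
    )

    # Current membership for the roles of interest, reduced to the fields we key on.
    $current = @(
        foreach ($r in $Roles) {
            Get-MsolRoleMemberDetails -Role $r |
                Select-Object Role, ObjectID, UserPrincipalName, IsLicensed
        }
    )

    if (-not (Test-Path -Path $BaselinePath)) {
        Write-Warning "No baseline at $BaselinePath; writing one now and reporting nothing."
        $current | Export-Csv -Path $BaselinePath -NoTypeInformation
        return
    }
    $baseline = @(Import-Csv -Path $BaselinePath)

    # Index both sets on a composite key of role and object id. Hashtables are
    # used instead of Compare-Object so an empty current set (every member
    # removed) is handled rather than rejected as an empty argument.
    $baseMap = @{}
    foreach ($b in $baseline) { $baseMap["$($b.Role)|$($b.ObjectID)"] = $b }
    $curMap = @{}
    foreach ($c in $current)  { $curMap["$($c.Role)|$($c.ObjectID)"] = $c }

    foreach ($k in $curMap.Keys) {
        if (-not $baseMap.ContainsKey($k)) {
            [PSCustomObject]@{
                Change            = 'ADDED'
                Role              = $curMap[$k].Role
                UserPrincipalName = $curMap[$k].UserPrincipalName
                ObjectID          = $curMap[$k].ObjectID
            }
        }
    }
    foreach ($k in $baseMap.Keys) {
        if (-not $curMap.ContainsKey($k)) {
            [PSCustomObject]@{
                Change            = 'REMOVED'
                Role              = $baseMap[$k].Role
                UserPrincipalName = $baseMap[$k].UserPrincipalName
                ObjectID          = $baseMap[$k].ObjectID
            }
        }
    }

    if ($UpdateBaseline) {
        $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    }
}

# Usage: first run creates the baseline; later runs emit one object per change.
Compare-MsolRoleMembership -BaselinePath 'C:\Audit\admin-roles-baseline.csv' -Roles 'Company_Administrator'
```

Keying on ObjectID rather than UserPrincipalName means a renamed account is not reported as a removal plus an addition, and a deleted-and-recreated account with the same UPN is correctly reported as a new member.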
Hi,
I noticed you are using the older MSOnline PowerShell module in your examples. It may be useful to start using the newer Azure Active Directory PowerShell V2 module instead, as we will begin deprecating the MSOnline module when we have migrated the functionality of the MSOnline module to the newer module – currently planned for the Spring of 2017.
Thanks,
Rob de Jong