Migrating from Get-AzureADDirectoryRole to Get-MgDirectoryRole

As Microsoft gradually phases out the AzureAD module in favor of the Microsoft Graph PowerShell SDK, many administrators are transitioning from Get-AzureADDirectoryRole to Get-MgDirectoryRole.

This migration not only ensures continued compatibility with Microsoft 365 but also offers access to a broader range of APIs via a single unified platform — Microsoft Graph.

In this article, we'll walk through how to migrate your scripts and understand the differences using real-world examples.


What You Did Previously with Get-AzureADDirectoryRole

With the AzureAD module, administrators commonly used:

Get-AzureADDirectoryRole
Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
Get-AzureADDirectoryRoleMember -ObjectId <roleObjectId>

These commands allowed you to retrieve directory roles, look them up by name, and list members in each role.


What You Should Do Now with Get-MgDirectoryRole

The Graph PowerShell replacement for these commands is:

  • Get-MgDirectoryRole – to retrieve roles
  • Get-MgDirectoryRoleMember – to fetch members
  • Enhanced filtering, expansion, and access to more properties through Microsoft Graph

Example 1: Get All Directory Roles

Get-MgDirectoryRole

Or with selected properties:

Get-MgDirectoryRole | Select ID, DisplayName, Description

This command retrieves all activated directory roles in your tenant.

Example 2: Get Directory Role by ID

Get-MgDirectoryRole -DirectoryRoleId <roleId> | Select ID, DisplayName, Description

Use this to fetch a specific directory role by its unique ID (GUID).

Example 3: Get Directory Role by Display Name

Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" } | Select *

Since Graph cmdlets don’t directly support filtering by DisplayName, we pull all roles and filter in PowerShell.

Example 4: Finding Users with Directory Roles in Your Tenant

$roles = Get-MgDirectoryRole

foreach ($role in $roles) {
    Write-Host "`nRole: $($role.DisplayName)"
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
    foreach ($member in $members) {
        Write-Output " - $($member.AdditionalProperties.displayName) ($($member.AdditionalProperties.userPrincipalName))"
    }
}

This loop lists all activated roles and their respective members — very useful for access audits.
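
For audit use, the Example 4 loop can emit one structured row per member and record the member type, because a role member can be a group or service principal with no userPrincipalName. The script below is an added example, not code from the original article. The helper name ConvertTo-RoleMemberRow and the sample objects are constructed, and the live branch assumes Connect-MgGraph has already been run with directory read access.

```powershell
# Added example, not from the original article. ConvertTo-RoleMemberRow is a hypothetical helper.
function ConvertTo-RoleMemberRow {
    param($Role, $Member)
    $p    = $Member.AdditionalProperties
    $type = "$($p['@odata.type'])" -replace '^#microsoft\.graph\.', ''
    [pscustomobject]@{
        Role        = $Role.DisplayName
        MemberType  = $type
        DisplayName = $p['displayName']
        # Only users have a UPN; show appId for service principals, object ID otherwise
        Identifier  = switch ($type) {
            'user'             { $p['userPrincipalName'] }
            'servicePrincipal' { $p['appId'] }
            default            { $Member.Id }
        }
        ObjectId    = $Member.Id
    }
}

if ((Get-Command Get-MgContext -ErrorAction SilentlyContinue) -and (Get-MgContext)) {
    # Live tenant: assumes Connect-MgGraph was already run with directory read scopes
    $report = foreach ($role in Get-MgDirectoryRole) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            ConvertTo-RoleMemberRow -Role $role -Member $member
        }
    }
}
else {
    # Offline: constructed sample objects shaped like Get-MgDirectoryRoleMember output
    $role = [pscustomobject]@{ DisplayName = 'Global Administrator' }
    $members = @(
        [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'; AdditionalProperties = @{
            '@odata.type' = '#microsoft.graph.user'; displayName = 'Alex Admin'
            userPrincipalName = 'alex.admin@contoso.example' } }
        [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000002'; AdditionalProperties = @{
            '@odata.type' = '#microsoft.graph.servicePrincipal'; displayName = 'Backup Automation'
            appId = '11111111-1111-1111-1111-111111111111' } }
        [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000003'; AdditionalProperties = @{
            '@odata.type' = '#microsoft.graph.group'; displayName = 'Tier0 Admins' } }
    )
    $report = $members | ForEach-Object { ConvertTo-RoleMemberRow -Role $role -Member $_ }
}

$report | Sort-Object Role, MemberType, DisplayName | Format-Table -AutoSize
# Non-user members: a group entry means every member of that group holds the role
$report | Where-Object MemberType -ne 'user' | Format-Table Role, MemberType, DisplayName, Identifier
```

Piping $report to Export-Csv gives a snapshot that can be compared between audit runs.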


What’s Different with Get-MgDirectoryRole?


Feature        | Get-AzureADDirectoryRole | Get-MgDirectoryRole
Module         | AzureAD                  | Microsoft.Graph
Filter Support | Basic filtering          | Some filters limited; use client-side filters
Consistency    | Azure AD-specific        | Unified Graph platform
Availability   | Deprecated               | Actively supported and maintained
Expansion      | Limited                  | Supports -ExpandProperty, -Property, and richer output

🔔 Important: Only activated roles (i.e., those with members) appear in the results of Get-MgDirectoryRole.

Conclusion

Migrating from Get-AzureADDirectoryRole to Get-MgDirectoryRole is a necessary and future-proof step as the AzureAD module becomes deprecated. While the syntax is similar, the Microsoft Graph SDK offers greater flexibility, richer integrations, and a unified programming model.

With the examples above, you can start converting your legacy scripts confidently — ensuring compatibility, automation, and scalability with Microsoft 365.

Visit M365Corner.com for ready-to-use free Microsoft Graph PowerShell tools and step-by-step migration guides built for Microsoft 365 administrators.

