Migrating from Get-MsolUserRole to Get-MgUserMemberOf

As Microsoft retires the MSOnline module, many administrators are searching for the Graph-based alternatives to their trusted cmdlets. One such cmdlet is Get-MsolUserRole, commonly used to determine what roles or group memberships a user holds. In the Microsoft Graph world, the go-to replacement is Get-MgUserMemberOf.

This article walks you through how to migrate from Get-MsolUserRole to Get-MgUserMemberOf, explains the differences, and provides practical examples to help you adapt seamlessly.


What You Did Previously with Get-MsolUserRole

In the MSOnline module, Get-MsolUserRole was primarily used to retrieve the roles assigned to a user, often focusing on administrative or directory roles.

Example

Get-MsolUserRole -UserPrincipalName "john.doe@contoso.com"

This command would return a list of roles the user was assigned to — usually directory roles like User Administrator, Global Reader, etc.

However, Get-MsolUserRole only covered directory roles, not group memberships, and is now deprecated.


What You Should Do Now with Get-MgUserMemberOf

In the Microsoft Graph PowerShell SDK, use the Get-MgUserMemberOf cmdlet to retrieve all the directory objects (groups, directory roles, administrative units) the user is a direct member of.

Retrieve All Groups a User is a Member Of

Get-MgUserMemberOf -UserId "john.doe@contoso.com" -All

This lists all objects (including groups and roles) the user is a direct member of — replacing and extending the capability of Get-MsolUserRole.
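Because the result set mixes groups, directory roles and administrative units, a role audit has to separate them by type. The following is an added example, not code from the original article: the helper name ConvertTo-MembershipReport and the sample objects are constructed for illustration, and it assumes each returned object carries `@odata.type`, `displayName` and (for groups) `isAssignableToRole` in its AdditionalProperties.

```powershell
# Added example: classify Get-MgUserMemberOf results by object type.
# ConvertTo-MembershipReport is a hypothetical helper name, not an SDK cmdlet.
function ConvertTo-MembershipReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$DirectoryObject
    )
    process {
        $props = $DirectoryObject.AdditionalProperties
        # The SDK returns generic directory objects; the concrete type is in @odata.type
        $type = switch ($props['@odata.type']) {
            '#microsoft.graph.group'              { 'Group' }
            '#microsoft.graph.directoryRole'      { 'DirectoryRole' }
            '#microsoft.graph.administrativeUnit' { 'AdministrativeUnit' }
            default                               { 'Other' }
        }
        [pscustomobject]@{
            Type           = $type
            DisplayName    = $props['displayName']
            Id             = $DirectoryObject.Id
            # Assumption: isAssignableToRole is present in the response for groups
            RoleAssignable = ($props['isAssignableToRole'] -eq $true)
        }
    }
}

# Constructed sample input shaped like the cmdlet's output (IDs are placeholders)
$sample = @(
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'
        AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.group'
            displayName = 'Sales Team'; isAssignableToRole = $false } }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000002'
        AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.group'
            displayName = 'Helpdesk Admins'; isAssignableToRole = $true } }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000003'
        AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.directoryRole'
            displayName = 'User Administrator' } }
)

# Live tenant: replace $sample with  Get-MgUserMemberOf -UserId "john.doe@contoso.com" -All
$report = $sample | ConvertTo-MembershipReport

# Directory roles only: the closest match to what Get-MsolUserRole returned
$report | Where-Object Type -eq 'DirectoryRole' | Format-Table DisplayName, Id -AutoSize

# Groups flagged role-assignable deserve the same review as direct role membership
$report | Where-Object RoleAssignable | Format-Table DisplayName, Id -AutoSize
```

Since the cmdlet returns direct memberships only, the DirectoryRole rows cover roles the user is a direct member of, which is why the role-assignable groups are listed separately for review.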

Retrieving Display Name for Each Group

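$userId = "samadmin@7xh7fj.onmicrosoft.com"

# Direct memberships: groups, directory roles and administrative units
$memberOf = Get-MgUserMemberOf -UserId $userId -All

$detailedGroups = foreach ($object in $memberOf) {
    # Directory roles and administrative units are not groups, so skip them
    if ($object.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { continue }
    $groupId = $object.Id
    try {
        # -ErrorAction Stop makes a failed lookup reach the catch block
        Get-MgGroup -GroupId $groupId -Select DisplayName, Id -ErrorAction Stop
    } catch {
        Write-Warning "Could not retrieve details for group with ID: $groupId"
    }
}

$detailedGroups | Format-Table -Property DisplayName, Id -AutoSize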

This approach allows you to go beyond raw object IDs and view user-friendly group names.

Filter and Export Groups to CSV

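$userId = "john.doe@contoso.com"
$groups = Get-MgUserMemberOf -UserId $userId -All

# Flatten the display name so the CSV holds readable values, not a dictionary type name
$groups |
    Select-Object Id, @{ Name = 'DisplayName'; Expression = { $_.AdditionalProperties['displayName'] } } |
    Export-Csv -Path "C:\UserGroups\SalesTeamGroups.csv" -NoTypeInformation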

Perfect for reporting, audits, or group-based policy checks.


What’s Different with Get-MgUserMemberOf?


Old (Get-MsolUserRole) | New (Get-MgUserMemberOf)
Returns only directory roles | Returns all memberships (groups, roles, etc.)
Limited scope | Broader, Graph-based object results
Static module (MSOnline) | Modern Graph-based PowerShell module
Basic property output | Rich object metadata (can filter, export, enrich)
Deprecated and unsupported | Actively maintained and secure

💡 Bonus Tip: Use Get-MgUserAppRoleAssignment if you're specifically looking for app or admin role assignments via Graph.


Conclusion

The move from Get-MsolUserRole to Get-MgUserMemberOf is a significant upgrade. You're not just replacing a cmdlet — you're gaining deeper insight into everything a user is a member of, not just their directory roles.

Start using Get-MgUserMemberOf today to future-proof your scripts, boost reporting capabilities, and embrace Microsoft's modern identity platform.

🧭 Visit M365Corner.com for PowerShell migration guides, tools, and admin tips designed to make your transition from MSOL to Microsoft Graph smooth and successful.


