How to Use Get-MgDirectoryRoleMember to Fetch Microsoft 365 Directory Role Members?

Microsoft 365 directory roles define what users and applications can do across your tenant. While you may already know how to view these roles, it's equally important to see who is assigned to each one. The Get-MgDirectoryRoleMember cmdlet in Microsoft Graph PowerShell helps you do just that.

In this article, we’ll walk you through what this cmdlet does, how to use it, and how to retrieve detailed member information—including user display names and even their managers.

What is Get-MgDirectoryRoleMember?

The Get-MgDirectoryRoleMember cmdlet retrieves the members (users, service principals, or role-assignable groups) currently assigned to a specific Microsoft 365 directory role. This is extremely useful for role-based access auditing and governance.

The cmdlet returns generic directoryObject records: the typed output shows only the object ID, while attributes such as displayName, userPrincipalName and the object type (@odata.type) are carried in each record's AdditionalProperties dictionary. For the full object, look it up with Get-MgUser, Get-MgServicePrincipal or Get-MgGroup, depending on the type. Note that the member list reflects active assignments only; eligible assignments made through Privileged Identity Management (PIM) do not appear here until they are activated.

Why Use Get-MgDirectoryRoleMember?

Here are a few key reasons to use this cmdlet:

  • Audit who has elevated privileges in your tenant.
  • Fetch real-time user assignments to directory roles like Global Administrator or Teams Administrator.
  • Export role membership data for compliance and reporting.
  • Review access to enforce least privilege principles.

Cmdlet Syntax

Get-MgDirectoryRoleMember -DirectoryRoleId <String> [-All] [-Top <Int32>]

Parameters:

  • -DirectoryRoleId The object ID of the activated directory role in your tenant (not the roleTemplateId, which is identical in every tenant). You can retrieve it using the Get-MgDirectoryRole cmdlet; a role that has never been activated in the tenant is not listed there.
  • -All Follows server-side paging so that a role with more members than fit in one page is returned in full rather than silently truncated.

Usage Examples

Retrieve All Members of a Directory Role

$roleId = "f8cdef31-a31e-4b4a-93e4-5f571e91255a" # Replace with your DirectoryRoleId
Get-MgDirectoryRoleMember -DirectoryRoleId $roleId

📌 Note: To find this role ID, run:

Get-MgDirectoryRole | Select Id, DisplayName
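The following is an added example, not code from the original article. It puts the pieces above together into a small audit of one built-in role: it connects with read-only scopes, resolves the activated role by its well-known roleTemplateId (Global Administrator's template ID is the same in every tenant, whereas the DirectoryRoleId is not), fetches every page of members, and classifies each member by the @odata.type carried in AdditionalProperties so that users, service principals and groups are reported correctly instead of failing on a Get-MgUser call. The scopes, the module names and the CSV output path are assumptions you may need to adjust.

```powershell
# Added example (not from the original article). Assumes Microsoft Graph PowerShell SDK v2 with
# Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Applications installed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Well-known roleTemplateId for Global Administrator; identical in every tenant.
$templateId = '62e90394-69f5-4237-9190-012177145e10'

# Get-MgDirectoryRole only lists roles that have been activated in this tenant,
# so the lookup can legitimately return nothing.
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"
if (-not $role) {
    throw "Role template $templateId is not activated in this tenant; nothing to audit."
}

# -All follows @odata.nextLink so roles with more than one page of members are not truncated.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # The typed object only exposes Id; the real attributes live in AdditionalProperties.
    $type = $m.AdditionalProperties['@odata.type']
    switch ($type) {
        '#microsoft.graph.user' {
            [PSCustomObject]@{
                Role        = $role.DisplayName
                ObjectType  = 'User'
                Id          = $m.Id
                DisplayName = $m.AdditionalProperties['displayName']
                Identifier  = $m.AdditionalProperties['userPrincipalName']
            }
        }
        '#microsoft.graph.servicePrincipal' {
            # Pull the app registration's AppId, which is what shows up in sign-in logs.
            $sp = Get-MgServicePrincipal -ServicePrincipalId $m.Id
            [PSCustomObject]@{
                Role        = $role.DisplayName
                ObjectType  = 'ServicePrincipal'
                Id          = $m.Id
                DisplayName = $sp.DisplayName
                Identifier  = $sp.AppId
            }
        }
        '#microsoft.graph.group' {
            # A group member means every member of that group holds the role too.
            [PSCustomObject]@{
                Role        = $role.DisplayName
                ObjectType  = 'Group'
                Id          = $m.Id
                DisplayName = $m.AdditionalProperties['displayName']
                Identifier  = $m.AdditionalProperties['mail']
            }
        }
        default {
            # Unknown type: keep the row so nothing is dropped from the audit.
            [PSCustomObject]@{ Role = $role.DisplayName; ObjectType = $type; Id = $m.Id; DisplayName = $null; Identifier = $null }
        }
    }
}

$report | Sort-Object ObjectType, DisplayName | Format-Table -AutoSize

# Keep a copy as audit evidence. The path is an assumption; change it to suit.
$report | Export-Csv -Path (Join-Path $env:TEMP 'GlobalAdminMembers.csv') -NoTypeInformation
```

Resolving the role by template ID rather than by display name keeps the script stable across tenants and language settings, and throwing when the role is not activated is deliberate: an empty report that looks like "no Global Administrators" is worse than an explicit error.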

Retrieve Directory Role Member Info (Display Name, UPN)

$roleId = "f8cdef31-a31e-4b4a-93e4-5f571e91255a" # Replace with your DirectoryRoleId
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $roleId -All

foreach ($member in $members) {
    # Get-MgUser fails on service principal or group IDs, so check the type first
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    Get-MgUser -UserId $member.Id | Select-Object Id, DisplayName, UserPrincipalName
}

💡 Tip: The typed output of Get-MgDirectoryRoleMember shows only the Id; displayName, userPrincipalName and @odata.type are available in each member's AdditionalProperties. Use Get-MgUser when you need the full user object, and check @odata.type first, because a role can also contain service principals and groups, for which Get-MgUser returns an error.

Filtering Members Based on Specific Properties

$roleId = "f8cdef31-a31e-4b4a-93e4-5f571e91255a" # Replace with your DirectoryRoleId
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $roleId -All

$filteredMembers = foreach ($member in $members) {
    # Only users are looked up; service principals and groups are skipped
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $user = Get-MgUser -UserId $member.Id
    if ($user.DisplayName -like "Admin*") {
        $user
    }
}
$filteredMembers | Select-Object Id, DisplayName, UserPrincipalName

This script filters role members whose Display Name starts with "Admin". The comparison runs client-side after every user has been fetched, which is fine for a handful of members; for large roles, filter on the displayName key in AdditionalProperties before calling Get-MgUser to avoid one Graph call per member.

Retrieve Members with Manager Details Using -ExpandProperty

$roleId = "f8cdef31-a31e-4b4a-93e4-5f571e91255a" # Replace with your DirectoryRoleId
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $roleId -All

foreach ($member in $members) {
    # Only users have a manager; skip service principals and groups
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $userWithManager = Get-MgUser -UserId $member.Id -ExpandProperty "manager"
    # Manager is a directoryObject, so its attributes sit in AdditionalProperties
    $managerDisplayName = $null
    if ($userWithManager.Manager) {
        $managerDisplayName = $userWithManager.Manager.AdditionalProperties["displayName"]
    }
    # Emit every user, including those with no manager, so the gap is visible
    [PSCustomObject]@{
        UserId             = $userWithManager.Id
        DisplayName        = $userWithManager.DisplayName
        UserPrincipalName  = $userWithManager.UserPrincipalName
        ManagerDisplayName = $managerDisplayName
    }
}

This helps identify the manager responsible for each user with a role assignment, which is useful for accountability and audit trails. A privileged account with an empty ManagerDisplayName has no obvious owner to approve or revoke its access and is itself worth following up.
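The following is an added example, not code from the original article, and it goes one step beyond the section above. A role assigned to a group grants that role to every member of the group, so an audit that stops at the direct member list understates who actually holds the privilege. This script flattens group assignments with Get-MgGroupTransitiveMember, records for each user whether the role came directly or via which group, and lists the manager (or the lack of one) for every holder. The scopes and the $roleId placeholder are assumptions.

```powershell
# Added example (not from the original article). Assumes Microsoft Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome
$roleId = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'   # Replace with your DirectoryRoleId

# Map of user Id -> how that user obtained the role ('Direct' or 'Group: <name>').
$holders = @{}
foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $roleId -All) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.user' {
            $holders[$m.Id] = 'Direct'
        }
        '#microsoft.graph.group' {
            $groupName = $m.AdditionalProperties['displayName']
            # Transitive membership flattens any nesting down to leaf users.
            foreach ($gm in Get-MgGroupTransitiveMember -GroupId $m.Id -All) {
                $isUser = $gm.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user'
                # A direct assignment takes precedence over a group-derived one in the report.
                if ($isUser -and -not $holders.ContainsKey($gm.Id)) {
                    $holders[$gm.Id] = "Group: $groupName"
                }
            }
        }
        # Service principals have no manager and are reviewed separately.
    }
}

$report = foreach ($userId in $holders.Keys) {
    $u = Get-MgUser -UserId $userId -Property Id, DisplayName, UserPrincipalName, AccountEnabled -ExpandProperty Manager
    # Manager is a directoryObject; its displayName sits in AdditionalProperties.
    $managerName = '(none)'
    if ($u.Manager) { $managerName = $u.Manager.AdditionalProperties['displayName'] }
    [PSCustomObject]@{
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        AssignedVia       = $holders[$userId]
        Manager           = $managerName
    }
}

$report | Sort-Object AssignedVia, DisplayName | Format-Table -AutoSize

# Privileged accounts with no manager on record have nobody to answer an access review.
"Role holders with no manager on record:"
$report | Where-Object Manager -eq '(none)' | Select-Object UserPrincipalName, AssignedVia
```

The AssignedVia column is what makes the report actionable: removing a user from the role's direct member list does nothing if they still hold it through a group, and AccountEnabled shows disabled accounts that were offboarded but never removed from the role.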

Frequently Asked Questions

  • How do I find the DirectoryRoleId?
    Run the following:

    Get-MgDirectoryRole | Select Id, DisplayName

    Only roles that have been activated in the tenant are listed. If the role you expect is missing, it has never been activated and therefore has no members.

  • Why do I only see object IDs?
    That's by design. The typed output of Get-MgDirectoryRoleMember surfaces only the Id; displayName, userPrincipalName and @odata.type are available in each member's AdditionalProperties. Use Get-MgUser or Get-MgServicePrincipal for full detail.

  • Can I use this for service principals too?
    Yes. Service principals assigned to roles appear in the results with @odata.type set to #microsoft.graph.servicePrincipal. Check the type before passing an Id to Get-MgUser, which rejects non-user objects.

Use Cases

  • Audit privileged users assigned to Global Administrator or Exchange Administrator roles
  • Generate compliance reports showing who has elevated access
  • Reassign roles after user offboarding
  • Inform HR or security teams about admin privileges and escalation chains

Conclusion

The Get-MgDirectoryRoleMember cmdlet is an essential tool for any Microsoft 365 administrator looking to track who holds privileged roles in their tenant. When paired with Get-MgUser, you get a complete picture of who holds each role, whether they hold it directly or through a group, and who they report to.

With just a few lines of code, you can turn complex admin role audits into an automated, repeatable process.
