How to Use Get-MgDirectoryRoleTemplate to Fetch Entra ID Directory Role Templates?

When managing Microsoft 365 and Azure Active Directory, it's crucial to understand directory roles and how they translate into permissions and access. One useful tool in your Graph PowerShell toolkit is the Get-MgDirectoryRoleTemplate cmdlet. In this post, we'll walk you through what it is, why you should use it, and how to extract meaningful information from directory role templates.

What is Get-MgDirectoryRoleTemplate?

Get-MgDirectoryRoleTemplate is a Microsoft Graph PowerShell cmdlet used to retrieve directory role templates within your Azure Active Directory (AAD) tenant.

A Directory Role Template defines a role that can be activated in AAD—such as Global Administrator, User Administrator, or Exchange Administrator. These templates represent the blueprint of the roles before they're enabled in a tenant.

Once a role based on the template is activated using New-MgDirectoryRole, it becomes a Directory Role that can be assigned to users.

Why Use Get-MgDirectoryRoleTemplate?

Here are a few practical reasons why administrators rely on this cmdlet:

• Identify Available Roles: Understand which roles you can enable in your AAD tenant.
• Map Role Descriptions: Learn what each role is responsible for by reviewing display names and descriptions.
• Script Role Assignments: Use the template ID to activate and assign roles via automation.
• Audit and Documentation: Export all available role templates for security or compliance reporting.

Cmdlet Syntax

Get-MgDirectoryRoleTemplate

Usage Examples

Retrieve All Directory Role Templates

Get-MgDirectoryRoleTemplate

This lists all role templates present in your directory. It can be a long list, so consider piping the output to Select-Object or Format-Table for clarity.

Display Role Templates with Display Name and Description

Get-MgDirectoryRoleTemplate | Select-Object DisplayName, Description

This filters out only the most relevant details: the name of the role and what it does.

Filter Templates by Display Name

Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -like "*Global*" }

Use this if you want to locate specific roles such as “Global Administrator”.

Get a Specific Role Template by ID

$templateId = "62e90394-69f5-4237-9190-012177145e10"
Get-MgDirectoryRoleTemplate | Where-Object { $_.Id -eq $templateId }

This is useful when you already have a Role Template ID and want to fetch its details.

Export All Templates to CSV

Get-MgDirectoryRoleTemplate | Select-Object Id, DisplayName, Description | Export-Csv -Path "RoleTemplates.csv" -NoTypeInformation

Perfect for audits or sharing the list with your team.

Frequently Asked Questions

• What is the difference between a role and a role template?

A role template is a predefined definition of a role. Once activated, it becomes an assignable directory role in your tenant.

• Can I create custom directory role templates?

No, you cannot create custom templates using this cmdlet. Custom roles must be created using Azure AD PIM or Azure role-based access control (RBAC).

• Does this cmdlet require admin permissions?

You need appropriate Microsoft Graph permissions such as Directory.Read.All.

Use Cases

• IT Admin Onboarding: Help new admins understand all available roles they can use in M365.
• Security Review: Audit existing roles to ensure no unauthorized templates are enabled.
• Automation Scripts: Use the templates as reference when enabling and assigning roles via automation.
• Documentation and Governance: Keep track of the original templates for internal policy management.

Conclusion

The Get-MgDirectoryRoleTemplate cmdlet is a simple but powerful way to explore what roles exist in Azure Active Directory—even before they are enabled. Whether you're auditing your environment, setting up automation, or just getting familiar with available permissions, this cmdlet helps you stay informed and in control.

Explore more Graph PowerShell articles and scripts to master M365 management effortlessly!