Get-MgRoleManagementDirectoryRoleAssignment: Retrieve Azure AD Role Assignments using Graph PowerShell

When managing permissions across Microsoft 365 and Azure AD, it's vital to understand who holds which role and at what scope. The Get-MgRoleManagementDirectoryRoleAssignment cmdlet from the Microsoft Graph PowerShell SDK lets you query and analyze these role assignments in a standardized way.

This article dives deep into the cmdlet’s syntax, examples, output structure, comparisons, and practical use cases.


Cmdlet Syntax

Get-MgRoleManagementDirectoryRoleAssignment [-All] [-Filter <String>]
Get-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId <String>

What is Get-MgRoleManagementDirectoryRoleAssignment?

This cmdlet retrieves Azure AD role assignments, showing you which users, groups, or service principals have been granted specific directory roles (like Global Admin, User Admin, etc.).

It returns data in the form of unifiedRoleAssignment objects — the model Microsoft Graph's roleManagement API uses for every role provider it exposes (the directory provider for Azure AD roles queried here, plus others such as entitlement management). Azure resource (ARM) RBAC is a separate system and is not returned by this cmdlet.

What is a unifiedRoleAssignment Object?

The unifiedRoleAssignment object is a Graph API abstraction that contains key details about:

  • Who the role was assigned to (PrincipalId – the object ID of a user, group or service principal)
  • Which role was assigned (RoleDefinitionId – the ID of a unifiedRoleDefinition; for built-in roles this equals the legacy role template ID)
  • Where the role applies (DirectoryScopeId – / for tenant-wide, /administrativeUnits/<id> for an administrative unit; app-specific scopes are carried in AppScopeId instead)
  • Unique identifier of the assignment (Id)

This unification allows a consistent way to manage RBAC across the Microsoft ecosystem.


Usage Examples

  1. Get All Directory Role Assignments

     Get-MgRoleManagementDirectoryRoleAssignment -All

     This returns a list of all role assignments in your directory (-All follows the paging links, so large tenants are not truncated at the first page). To extract additional details (e.g., names), you'd combine it with Get-MgUser, Get-MgGroup, or Get-MgServicePrincipal.

  2. Get a Specific Role Assignment by ID

     Get-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId "lAPpYvVpN0KRkAEhdxReECvy-ge2vZRIgYix4HUDS_4-1"

     This fetches the properties and relationships of a specific role assignment by its unique ID.


What Does It Actually Return?

Each result is a unifiedRoleAssignment object containing:

  • Id – Unique assignment identifier
  • PrincipalId – Object ID of the user, group or service principal assigned the role
  • RoleDefinitionId – The directory role (e.g., Global Administrator), as an ID
  • DirectoryScopeId – Usually / (tenant-wide), or /administrativeUnits/<id> when the assignment is scoped to an administrative unit

The cmdlet returns IDs only. To map them to actual names, additional Graph queries are needed (role definitions via Get-MgRoleManagementDirectoryRoleDefinition, principals via Get-MgUser, Get-MgGroup, Get-MgServicePrincipal, or Get-MgDirectoryObjectById for a mixed batch).
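The following script is an added example, not code from the original article: it turns the raw ID triples above into an auditable report by resolving role definitions once, resolving principals in batches of up to 1000 with Get-MgDirectoryObjectById (which returns users, groups and service principals together and silently omits objects that no longer exist, so orphaned assignments fall out of the join), and then filtering for tenant-wide Global Administrators. It assumes the Microsoft Graph PowerShell SDK and the two read-only scopes the article recommends; all variable names and the output file name are choices made for this example.

```powershell
# Added example (not code from the original article): human-readable audit report of
# every directory role assignment. Assumes Microsoft.Graph PowerShell SDK and the
# read-only scopes recommended in the article; variable/file names are example choices.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# 1. Every active assignment. -All follows @odata.nextLink paging so nothing is dropped.
$assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -All)

# 2. Resolve RoleDefinitionId -> display name once (covers built-in and custom roles).
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# 3. Resolve PrincipalId -> type/name in batches. getByIds accepts up to 1000 IDs per call
#    and returns users, groups and service principals together. IDs whose object has been
#    deleted are silently omitted, which is how orphaned assignments are detected in step 4.
$principalIds = @($assignments.PrincipalId | Sort-Object -Unique)
$principals   = @{}
for ($i = 0; $i -lt $principalIds.Count; $i += 1000) {
    $last = [Math]::Min($i + 999, $principalIds.Count - 1)
    foreach ($obj in Get-MgDirectoryObjectById -Ids $principalIds[$i..$last]) {
        $props = $obj.AdditionalProperties          # concrete-type properties live here
        $type  = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
        $principals[$obj.Id] = [pscustomobject]@{
            Type       = $type
            Name       = $props['displayName']
            # UPN for users, appId for service principals, object ID for anything else
            Identifier = switch ($type) {
                'user'             { $props['userPrincipalName'] }
                'servicePrincipal' { $props['appId'] }
                default            { $obj.Id }
            }
        }
    }
}

# 4. Join the three data sets into one row per assignment.
$report = foreach ($a in $assignments) {
    $p = $principals[$a.PrincipalId]
    [pscustomobject]@{
        Role          = $roleNames[$a.RoleDefinitionId]
        Principal     = if ($p) { $p.Name } else { '<orphaned: principal no longer exists>' }
        PrincipalType = if ($p) { $p.Type } else { 'unknown' }
        Identifier    = if ($p) { $p.Identifier } else { $a.PrincipalId }
        # "/" = tenant-wide, "/administrativeUnits/<id>" = AU scope; app scopes use AppScopeId
        Scope         = if ($a.DirectoryScopeId) { $a.DirectoryScopeId } else { "app:$($a.AppScopeId)" }
        AssignmentId  = $a.Id
    }
}

$report | Sort-Object Role, Principal | Format-Table -AutoSize

# The two views an auditor asks for first: tenant-wide Global Administrators, and
# assignments whose principal has been deleted (role-cleanup candidates).
$report | Where-Object { $_.Role -eq 'Global Administrator' -and $_.Scope -eq '/' }
$report | Where-Object { $_.PrincipalType -eq 'unknown' }

$report | Export-Csv -Path .\role-assignments.csv -NoTypeInformation
```

Two caveats when reading the output: the report covers active assignments only, so PIM-eligible assignments (which become active only on activation) are not in it, and a group row means a role-assignable group holds the role, so its members inherit it without appearing as individual rows.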


Comparison: Get-MgRoleManagementDirectoryRoleAssignment vs Get-MgDirectoryRole

Feature                        | Get-MgDirectoryRole                          | Get-MgRoleManagementDirectoryRoleAssignment
Purpose                        | Lists activated directory roles              | Lists assignments of roles to users/groups/SPs
Object type                    | directoryRole                                | unifiedRoleAssignment
Shows who is assigned?         | ❌ No (use Get-MgDirectoryRoleMember)        | ✅ Yes (PrincipalId)
Shows role definitions?        | ✅ (for activated roles only)                | ✅ (referenced via RoleDefinitionId)
Supports group/SP assignments? | ✅ (members can be users, groups or SPs)     | ✅ (any principal type)
Supports scope (e.g., admin units, apps)? | ❌ No (tenant-wide membership only) | ✅ (via DirectoryScopeId / AppScopeId)
PIM eligibility/activation?    | ❌ No                                        | ❌ No (use the *Schedule* cmdlets instead)

Frequently Asked Questions

  • Why don’t I see certain roles when running Get-MgDirectoryRole?
  • Get-MgDirectoryRole only returns roles that have been activated in the tenant, which normally happens the first time the role is assigned. To activate a role explicitly, call New-MgDirectoryRole -RoleTemplateId <TemplateId> (this needs RoleManagement.ReadWrite.Directory). The caveat applies to the legacy directoryRole API only: Get-MgRoleManagementDirectoryRoleDefinition lists every built-in and custom role whether or not it has been activated.

  • How can I differentiate between users and service principals assigned to a directory role?
  • Get-MgDirectoryRoleMember returns generic directoryObject results, so the concrete type is exposed through each object's AdditionalProperties['@odata.type'] value. Compare it against #microsoft.graph.user, #microsoft.graph.servicePrincipal or #microsoft.graph.group (a role-assignable group) to classify each member.

  • Can I retrieve all users assigned to a specific admin role like Global Administrator?
  • Yes. First retrieve the activated role's object ID, for example:

    (Get-MgDirectoryRole | Where-Object {$_.DisplayName -eq "Global Administrator"}).Id

    Then pass it to Get-MgDirectoryRoleMember -DirectoryRoleId <RoleId> to fetch the assigned members. Matching on RoleTemplateId instead of DisplayName is more robust, because template IDs are fixed and identical in every tenant.

  • Is role activation via New-MgDirectoryRole a one-time process?
  • Yes. Activating a directory role with New-MgDirectoryRole is a one-time action per tenant per role template. Once activated, the role stays activated and remains visible to Get-MgDirectoryRole; Graph provides no operation to deactivate it.


Cmdlet Tips

  • Use -All to retrieve every record; without it the cmdlet returns only the first page of results.
  • Combine with Get-MgUser, Get-MgGroup and Get-MgServicePrincipal (or Get-MgDirectoryObjectById for a mixed batch of IDs) to resolve PrincipalId values into friendly names.
  • Role names can be resolved using Get-MgRoleManagementDirectoryRoleDefinition; for built-in roles the definition ID equals the legacy role template ID.
  • Use -Filter to narrow results server-side, e.g. -Filter "principalId eq '<objectId>'" or -Filter "roleDefinitionId eq '<roleDefinitionId>'".
  • Always connect with the least-privilege read scopes:
    Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"


Possible Errors & Solutions

Error Message                                        | Cause                                                  | Solution
Authorization_RequestDenied (Insufficient privileges) | Missing permissions / scopes not consented            | Reconnect with Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" and grant consent
Request_ResourceNotFound                              | Invalid or deleted assignment ID, or deleted PrincipalId | Verify the assignment ID; resolve principals with Get-MgDirectoryObjectById, which omits deleted objects, and treat the gaps as orphaned assignments
Empty results                                         | No assignments match, or a typo in -Filter            | Run with -All and without -Filter first, then narrow down

Use Cases

  • Security Audit: Know who has high-privilege roles (e.g., Global Administrator).
  • Delegation Review: Validate role-based access for external apps or delegated teams.
  • Access Documentation: Generate reports for compliance or governance.
  • Role Cleanup: Identify stale or risky assignments to users or apps no longer in use.

✅ Directory Roles Must Be Activated Before They Appear in Get-MgDirectoryRole
Even though every built-in role exists in the admin center, the legacy directoryRole API only surfaces a role once it has been activated in the tenant.

Use: Get-MgDirectoryRole to list the activated roles.

Only roles assigned to at least one user, group or service principal are returned. If a role is missing, activate it with:
New-MgDirectoryRole -RoleTemplateId <TemplateId>
and query again. This caveat does not apply to Get-MgRoleManagementDirectoryRoleAssignment or Get-MgRoleManagementDirectoryRoleDefinition, which work with all roles regardless of activation.
✅ Distinguish Users and Apps via @odata.type
Role assignments can involve users, groups and service principals (apps).
After retrieving members with: Get-MgDirectoryRoleMember -DirectoryRoleId <RoleId>
Check each object's AdditionalProperties['@odata.type'] value to identify whether it's a user, a group or a service principal (application identity).
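The script below is an added example, not code from the original article, covering the FAQ procedure (locate the Global Administrator role, list its members, classify them by @odata.type) and the two checklist points above in one run. It then cross-checks the legacy directoryRole membership against Get-MgRoleManagementDirectoryRoleAssignment, which exposes the scope the legacy API cannot. It assumes the read-only scopes recommended earlier; 62e90394-69f5-4237-9190-012177145e10 is the well-known Global Administrator role template ID, and built-in unifiedRoleDefinition IDs are equal to the legacy template IDs, so the same value filters both APIs. Variable names are choices made for this example.

```powershell
# Added example (not code from the original article): enumerate Global Administrator
# members via the legacy directoryRole API, classify them by @odata.type, then
# cross-check against the roleManagement API. Assumes the article's read-only scopes.
# 62e90394-69f5-4237-9190-012177145e10 is the well-known Global Administrator template ID.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

$templateId = '62e90394-69f5-4237-9190-012177145e10'

# directoryRole lists only activated roles; match on the fixed template ID, not DisplayName.
$role = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $templateId }
if (-not $role) {
    # Activation is a write operation (RoleManagement.ReadWrite.Directory), not requested here.
    Write-Warning "Role not activated in this tenant. Run: New-MgDirectoryRole -RoleTemplateId $templateId"
    return
}

# Members arrive as directoryObject; the concrete type is in AdditionalProperties['@odata.type'].
$members = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    $props = $m.AdditionalProperties
    [pscustomobject]@{
        Id         = $m.Id
        Type       = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
        Name       = $props['displayName']
        Identifier = switch ($props['@odata.type']) {
            '#microsoft.graph.user'             { $props['userPrincipalName'] }
            '#microsoft.graph.servicePrincipal' { "appId=$($props['appId'])" }
            # A role-assignable group appears as one member; its own members inherit the
            # role without being listed here (expand with Get-MgGroupMember if needed).
            '#microsoft.graph.group'            { 'role-assignable group' }
            default                             { $m.Id }
        }
    }
}

$members | Sort-Object Type, Name | Format-Table -AutoSize
$members | Group-Object Type | Select-Object Name, Count      # e.g. how many app identities hold GA

# Cross-check with the roleManagement API, filtered server-side on the same ID.
# Every tenant-wide ("/") assignment should correspond to a member above; an assignment
# with any other DirectoryScopeId is scoped (e.g. to an administrative unit, for roles
# that support it) and is invisible to the legacy directoryRole API.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$templateId'" -All
$memberIds   = @($members.Id)
foreach ($a in $assignments) {
    if ($a.DirectoryScopeId -ne '/') {
        "Scoped assignment not visible via directoryRole: principal $($a.PrincipalId) at scope $($a.DirectoryScopeId)"
    }
    elseif ($a.PrincipalId -notin $memberIds) {
        "Tenant-wide assignment with no matching member (deleted principal?): $($a.PrincipalId)"
    }
}
```

Run it for any other built-in role by swapping the template ID; the two-API comparison is the quickest way to see why the article recommends Get-MgRoleManagementDirectoryRoleAssignment for audits, since the legacy member list alone cannot tell you about scoped assignments.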

Conclusion

The Get-MgRoleManagementDirectoryRoleAssignment cmdlet is essential for role governance in Microsoft 365. By providing a unified and scalable way to review who has access to what, it helps admins enforce the principle of least privilege across the tenant.

Pair it with other Graph cmdlets like Get-MgUser, Get-MgGroup, and Get-MgServicePrincipal to produce clear, human-readable reports. If you're serious about managing administrative access — this cmdlet is your starting point.


© m365corner.com. All Rights Reserved. Design by HTML Codex