Fetch Administrative Unit Member Info Using Graph PowerShell

When you query an Administrative Unit’s members via Get-MgDirectoryAdministrativeUnitMember, you receive generic directory objects (IDs). To turn those into meaningful user details (DisplayName, UPN), you can iterate through the IDs and resolve each with Get-MgUser. The “try-get-user” approach below is SDK-agnostic and reliably handles mixed member types (users, groups, devices) without relying on @odata.type.


i) Script

# Modules for AU membership and user lookups
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All","User.Read.All"

# Object ID of the Administrative Unit to inspect
$auId = "c581d4ff-2e8c-45ae-9ddf-a88ab8947a7b"
$members = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $auId -All

# Try to resolve every member ID as a user; non-user IDs throw and are skipped
$users = foreach ($m in $members) {
    try {
        Get-MgUser -UserId $m.Id -Property Id,DisplayName,UserPrincipalName,JobTitle,Department -ErrorAction Stop
    } catch {
        # Not a user or not found; skip
    }
}

$users | Select-Object DisplayName,UserPrincipalName,JobTitle,Department,Id


ii) How the Script Works

  1. Modules & Permissions
    • Loads Identity.DirectoryManagement (for AU members) and Users (for user lookups).
    • Connects with delegated scopes AdministrativeUnit.Read.All and User.Read.All.
  2. Fetch AU Members
    • Get-MgDirectoryAdministrativeUnitMember -All returns a mixed collection of directory objects (users, groups, devices). Each object has an Id, but not necessarily a user-friendly name.
  3. Resolve Only Users
    • The loop attempts Get-MgUser -UserId for every member.
    • If the ID belongs to a user, the call succeeds and returns rich user properties.
    • If the ID is not a user (e.g., group/device) or is inaccessible, the catch block silently skips it.
  4. Output
    • The final Select-Object projects a clean table: DisplayName, UPN, JobTitle, Department, and Id.


iii) Further Enhancements

  • Batching for Speed: Use Graph’s $batch to resolve up to 20 IDs per request and reduce latency.
  • Export: Pipe the result to Export-Csv for reporting or audits.
  • Role/Group Enrichment: For each user, add role assignments or group memberships using additional Graph queries.
  • Filters: Filter users by accountEnabled, department, or custom attributes after resolution.
  • Error Logging: In the catch, write to a log with the ID and the error message instead of silently skipping.
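
The Batching and Error Logging enhancements combined, as an added example that is not code from the original page: it resolves members 20 at a time through $batch and uses each response's HTTP status to separate expected non-user members (404) from failures such as 403 or 429 that would leave an audit roster incomplete. The function name Resolve-AuUserBatch and the log path are hypothetical; the example assumes an existing Connect-MgGraph session and does not retry throttled requests.

```powershell
# Added example, not the original page's code. Resolve-AuUserBatch and the
# default log path are hypothetical names chosen for illustration.
function Resolve-AuUserBatch {
    param(
        [Parameter(Mandatory)][string[]]$MemberId,
        [string]$LogPath = '.\au-unresolved.csv'
    )
    $select     = 'id,displayName,userPrincipalName,jobTitle,department'
    $unresolved = [System.Collections.Generic.List[object]]::new()

    for ($i = 0; $i -lt $MemberId.Count; $i += 20) {   # $batch accepts at most 20 requests
        $last = [Math]::Min($i + 19, $MemberId.Count - 1)
        $requests = foreach ($id in $MemberId[$i..$last]) {
            # The member ID doubles as the request id so each response maps back to it.
            @{ id = $id; method = 'GET'; url = ('/users/{0}?$select={1}' -f $id, $select) }
        }
        $body = @{ requests = @($requests) } | ConvertTo-Json -Depth 4
        $resp = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/$batch' `
                    -Body $body -ContentType 'application/json'

        foreach ($r in $resp.responses) {
            switch ($r.status) {
                200 {   # member is a user: emit the same columns as the original script
                    [pscustomobject]@{
                        DisplayName       = $r.body.displayName
                        UserPrincipalName = $r.body.userPrincipalName
                        JobTitle          = $r.body.jobTitle
                        Department        = $r.body.department
                        Id                = $r.body.id
                    }
                }
                404 { }   # group, device, or object not found: expected, skip
                default {   # 403, 429, 5xx: the roster is incomplete, so record it
                    $unresolved.Add([pscustomobject]@{
                        MemberId = $r.id; Status = $r.status
                        Code     = $r.body.error.code
                        Message  = $r.body.error.message
                    })
                }
            }
        }
    }
    if ($unresolved.Count -gt 0) {
        $unresolved | Export-Csv -Path $LogPath -NoTypeInformation
        Write-Warning "$($unresolved.Count) member(s) could not be resolved; see $LogPath"
    }
}
# Usage (after Connect-MgGraph, with $members from the original script):
#   Resolve-AuUserBatch -MemberId $members.Id | Select-Object DisplayName,UserPrincipalName
```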

iv) Use Cases

  • Scoped Admin Audits: Produce a roster of users under a particular AU for access reviews.
  • Delegation Validation: Confirm whether the intended users are actually in the AU before assigning scoped roles.
  • Compliance & Access Reviews: Export and archive AU membership snapshots for periodic certification.

v) Possible Errors & Solutions

| Error | Cause | Solution |
|---|---|---|
| Authorization_RequestDenied | Missing AdministrativeUnit.Read.All or User.Read.All | Reconnect with the required scopes; tenant admin consent may be required. |
| The term 'Get-MgUser' is not recognized | Users module not installed/loaded | Install-Module Microsoft.Graph.Users -Scope CurrentUser and import it. (Or install the unified Microsoft.Graph.) |
| Empty output | AU has no user members, or IDs are groups/devices only | Validate AU contents in Entra admin center; optionally add logging in catch to verify skipped IDs. |
| Intermittent failures / throttling | Service limits during large AU lookups | Add retry/backoff; consider $batch to reduce the number of requests. |

Conclusion

This “try-get-user” pattern is a dependable way to turn raw AU membership IDs into meaningful user details, without depending on SDK-specific type hints. It gracefully skips non-user objects, works across tenants and module versions, and can be easily extended for reporting or compliance workflows.


© m365corner.com. All Rights Reserved. Design by HTML Codex