Fetch All Eligible Admins Using Microsoft Graph PowerShell (PIM Report)

Privileged Identity Management (PIM) allows organizations to grant just-in-time administrative access by assigning users as eligible admins instead of permanent ones. From an auditing and security standpoint, knowing who is eligible for which admin role is just as important as knowing who is currently active.

In this article, we’ll walk through a Microsoft Graph PowerShell script that retrieves all eligible admins in Entra ID, displays their details on the console, and exports the data to a CSV file for reporting or audit purposes.

i) The Script

The following script fetches all eligible role assignments, resolves the user details and role names, prints the results to the console, and exports them to a CSV file.

Required permissions

The PIM cmdlets used below live in the Microsoft.Graph.Identity.Governance module, so make sure it is installed before running the script. Connect to Microsoft Graph with the following delegated permissions (both are read-only; the script never creates or changes an assignment):

  • RoleManagement.Read.Directory
  • Directory.Read.All

Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

PowerShell Script – Fetch Eligible Admins

$CsvPath = "EligibleAdmins_Report.csv"

# Requires the Microsoft.Graph.Identity.Governance (PIM cmdlets), Microsoft.Graph.Users
# and Microsoft.Graph.DirectoryObjects modules.

# Fetch all eligible role assignment schedule instances (eligibilities currently in effect)
$EligibleAssignments = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All

$Results = foreach ($Assignment in $EligibleAssignments) {

    # Get role definition (resolves the RoleDefinitionId GUID to a display name)
    $Role = Get-MgRoleManagementDirectoryRoleDefinition `
                -UnifiedRoleDefinitionId $Assignment.RoleDefinitionId

    # Get principal details. PrincipalId is usually a user, but PIM also accepts
    # groups and service principals; Get-MgUser fails for those, so fall back to
    # the generic directory object instead of emitting a row with blank names.
    try {
        $User = Get-MgUser `
                    -UserId $Assignment.PrincipalId `
                    -Property DisplayName,UserPrincipalName `
                    -ErrorAction Stop
        $PrincipalType = "user"
    } catch {
        $Obj = Get-MgDirectoryObject -DirectoryObjectId $Assignment.PrincipalId `
                    -ErrorAction SilentlyContinue
        $User = [PSCustomObject]@{
            DisplayName       = if ($Obj) { $Obj.AdditionalProperties['displayName'] } else { $null }
            UserPrincipalName = $null
        }
        # "group", "servicePrincipal", ...; "unknown" if the principal no longer exists
        $PrincipalType = if ($Obj) {
            $Obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        } else { "unknown" }
    }

    [PSCustomObject]@{
        DisplayName       = $User.DisplayName
        UserPrincipalName = $User.UserPrincipalName
        PrincipalType     = $PrincipalType
        RoleName          = $Role.DisplayName
        AssignmentType    = "Eligible"
        Scope             = if ($Assignment.DirectoryScopeId -eq "/") {
                                "Tenant"
                            } else {
                                $Assignment.DirectoryScopeId
                            }
        StartDateTime     = $Assignment.StartDateTime
        EndDateTime       = $Assignment.EndDateTime   # $null means the eligibility never expires
    }
}

# Display results in console
$Results | Format-Table -AutoSize

# Export results to CSV
$Results | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8

Write-Host "`nEligible Admins report exported to $CsvPath" -ForegroundColor Green

ii) How the Script Works

Let’s break down what the script is doing step by step.

  1. Fetching eligible admin assignments

    Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All

    This cmdlet retrieves all PIM eligible role assignments in the tenant that are currently in effect.
    It does not return active admins (permanent assignments or eligibilities that have been activated); those come from Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance.
    An eligibility scheduled to start in the future has no instance yet, so it is not returned either; the underlying schedules are available through Get-MgRoleManagementDirectoryRoleEligibilitySchedule.

    The -All parameter ensures pagination is handled correctly; without it, only the first page of results is returned and a large tenant's report is silently incomplete.

  2. Resolving role names

    Each eligible assignment only contains a RoleDefinitionId.
    To convert that ID into a readable role name (e.g., Global Administrator), the script calls:

    Get-MgRoleManagementDirectoryRoleDefinition

    This is the correct Graph PowerShell cmdlet for Entra ID role definitions.

  3. Resolving user details

    The eligible assignment also contains a PrincipalId. This is normally a user, but PIM also allows eligibility to be granted to a group (a role-assignable group or PIM for Groups) or to a service principal, in which case every member of that group is effectively eligible.
    The script retrieves:

    • Display Name
    • User Principal Name (UPN)

    using: Get-MgUser

    Get-MgUser fails for a principal that is not a user, so such entries must be resolved as a generic directory object (for example with Get-MgDirectoryObject) or they show up with blank names and are easy to overlook in a review.

  4. Handling scope

    if ($Assignment.DirectoryScopeId -eq "/") { "Tenant" }

    • / indicates a tenant-wide role
    • Anything else represents a scoped assignment, most commonly an administrative unit in the form /administrativeUnits/<id>

  5. Output and export

    • Results are shown in the console using Format-Table
    • The same dataset is exported to a CSV file for audits, reviews, or compliance reporting

iii) Further Enhancements

This script is intentionally kept simple and readable. Here are a few enhancements you can consider later:

  • Combine Eligible + Active admins in a single report (active instances come from Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance and distinguish permanent assignments from PIM activations)
  • Filter results by specific roles (e.g., Global Administrator only)
  • Split CSV files per role
  • Add the user's SignInActivity (last sign-in) for risk analysis; reading it requires the AuditLog.Read.All permission
  • Cache role definitions to improve performance in large tenants (the script above calls Get-MgRoleManagementDirectoryRoleDefinition once per assignment)
  • Add scheduled execution for periodic audits, using an app registration or managed identity rather than interactive sign-in
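The following is an added example, not code from the original article, that folds several of the enhancements above and the caveats from section ii) into one reusable function: eligible and active instances (permanent vs. activated) in a single report, a role-name filter, cached role, principal and scope lookups, principals that are groups or service principals resolved as directory objects, and administrative-unit scopes shown by name. It assumes an existing Connect-MgGraph session with RoleManagement.Read.Directory and Directory.Read.All (the latter also covers reading administrative units); the function and helper names are my own, not SDK names.

```powershell
# Added example (not from the original article): a combined Eligible + Active PIM role
# report with cached lookups. Assumes an existing Connect-MgGraph session with
# RoleManagement.Read.Directory and Directory.Read.All. Function names are my own.
Import-Module Microsoft.Graph.Identity.Governance           # PIM schedule-instance cmdlets
Import-Module Microsoft.Graph.Identity.DirectoryManagement  # Get-MgDirectoryAdministrativeUnit
Import-Module Microsoft.Graph.DirectoryObjects              # Get-MgDirectoryObject

# Caches so each role, principal and scope is looked up once, not once per assignment.
$RoleCache      = @{}
$PrincipalCache = @{}
$ScopeCache     = @{}

function Resolve-RoleName {
    param([string]$RoleDefinitionId)
    if (-not $RoleCache.ContainsKey($RoleDefinitionId)) {
        $RoleCache[$RoleDefinitionId] = (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $RoleDefinitionId).DisplayName
    }
    return $RoleCache[$RoleDefinitionId]
}

function Resolve-Principal {
    param([string]$PrincipalId)
    if (-not $PrincipalCache.ContainsKey($PrincipalId)) {
        # PrincipalId can be a user, a group or a service principal, so resolve it as a
        # generic directory object and read the concrete type from @odata.type.
        $Obj  = Get-MgDirectoryObject -DirectoryObjectId $PrincipalId -ErrorAction Stop
        $Type = $Obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        $PrincipalCache[$PrincipalId] = [PSCustomObject]@{
            PrincipalType     = $Type
            DisplayName       = $Obj.AdditionalProperties['displayName']
            UserPrincipalName = $Obj.AdditionalProperties['userPrincipalName']  # $null for groups/SPs
        }
    }
    return $PrincipalCache[$PrincipalId]
}

function Resolve-Scope {
    param([string]$DirectoryScopeId)
    if ($DirectoryScopeId -eq '/') { return 'Tenant' }
    if (-not $ScopeCache.ContainsKey($DirectoryScopeId)) {
        # Administrative-unit scopes have the form /administrativeUnits/<guid>
        if ($DirectoryScopeId -match '^/administrativeUnits/([0-9a-fA-F-]{36})$') {
            $Au = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $Matches[1]
            $ScopeCache[$DirectoryScopeId] = "AU: $($Au.DisplayName)"
        } else {
            $ScopeCache[$DirectoryScopeId] = $DirectoryScopeId   # leave other scope ids as-is
        }
    }
    return $ScopeCache[$DirectoryScopeId]
}

function Get-PimRoleReport {
    param([string[]]$RoleFilter = @())   # e.g. @('Global Administrator'); empty = all roles

    # Eligible instances plus active instances; the latter carry AssignmentType
    # 'Assigned' (permanent) or 'Activated' (just-in-time activation of an eligibility).
    $Instances = @(
        Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All |
            ForEach-Object { [PSCustomObject]@{ Instance = $_; Kind = 'Eligible' } }
        Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
            ForEach-Object { [PSCustomObject]@{ Instance = $_; Kind = $_.AssignmentType } }
    )

    foreach ($Entry in $Instances) {
        $Inst     = $Entry.Instance
        $RoleName = Resolve-RoleName $Inst.RoleDefinitionId
        if ($RoleFilter.Count -gt 0 -and $RoleName -notin $RoleFilter) { continue }

        try   { $Principal = Resolve-Principal $Inst.PrincipalId }
        catch {
            # The principal may have been deleted after the assignment was created.
            Write-Warning "Could not resolve principal $($Inst.PrincipalId): $_"
            $Principal = [PSCustomObject]@{ PrincipalType = 'unknown'; DisplayName = $null; UserPrincipalName = $null }
        }

        [PSCustomObject]@{
            RoleName          = $RoleName
            AssignmentType    = $Entry.Kind        # Eligible, Assigned or Activated
            PrincipalType     = $Principal.PrincipalType
            DisplayName       = $Principal.DisplayName
            UserPrincipalName = $Principal.UserPrincipalName
            MemberType        = $Inst.MemberType   # Direct, or Group when inherited via group membership
            Scope             = Resolve-Scope $Inst.DirectoryScopeId
            StartDateTime     = $Inst.StartDateTime
            EndDateTime       = $Inst.EndDateTime  # $null = no expiry
        }
    }
}

# Usage (inside an existing Connect-MgGraph session):
$Report = Get-PimRoleReport -RoleFilter @('Global Administrator', 'Privileged Role Administrator')
$Report | Sort-Object RoleName, AssignmentType | Format-Table -AutoSize
$Report | Export-Csv -Path "PimRoleReport_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation -Encoding UTF8
```

Reviewing the combined output, the rows to look at first are Assigned (permanent, never went through PIM), Eligible rows whose PrincipalType is group (everyone in that group can activate), and anything with EndDateTime empty at Tenant scope.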

iv) Possible Errors & Solutions

Error: Cmdlet not recognized (Get-MgDirectoryRoleDefinition is not recognized)
Cause: This cmdlet does not exist in Graph PowerShell.
Solution: Always use Get-MgRoleManagementDirectoryRoleDefinition.

Error: Cmdlet not recognized (Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance is not recognized)
Cause: The Microsoft.Graph.Identity.Governance module, which contains the PIM cmdlets, is not installed or not loaded.
Solution: Install the Microsoft.Graph.Identity.Governance module and start a new session.

Error: Insufficient privileges (Authorization_RequestDenied)
Cause: Missing Graph permissions.
Solution: Reconnect with Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" and ensure admin consent is granted.

Error: Empty results
Cause: No eligible admins exist in the tenant, or PIM is not enabled (PIM requires Microsoft Entra ID P2 or Microsoft Entra ID Governance licensing).
Solution: Verify PIM is enabled and that users have eligible role assignments that are currently in effect (future-dated eligibilities have no schedule instance yet).

v) Conclusion

Eligible admins represent latent privilege in an organization — access that can be activated at any time. Regularly reviewing these assignments is critical for security posture, compliance, and least-privilege enforcement.

This Microsoft Graph PowerShell script gives administrators a clear, exportable view of all eligible admins, making it ideal for audits, security reviews, and governance reporting.

As always, Graph PowerShell makes it possible to automate what would otherwise be a manual and error-prone task in the portal.

© m365corner.com. All Rights Reserved. Design by HTML Codex