List All Global Administrators in Microsoft 365 Using Graph PowerShell
Knowing who holds Global Administrator privileges in your Microsoft 365 tenant is essential for ensuring security, compliance, and proper role delegation. Microsoft Graph PowerShell makes it easy to retrieve this information using modern authentication and secure API calls.
This article provides a ready-to-use script, explains how it works, and offers ways to enhance it further for robust admin auditing.
The Script – List Global Admins with UPN, Department & Job Title
# Connect to Microsoft Graph with required permissions
Connect-MgGraph -Scopes "Directory.Read.All", "RoleManagement.Read.Directory"
# Get the role ID for Global Administrator (also known as Company Administrator)
$globalAdminRole = Get-MgDirectoryRole | Where-Object {$_.DisplayName -eq "Global Administrator"}
if ($null -eq $globalAdminRole) {
Write-Host "Global Administrator role not found. It may not be activated in your directory." -ForegroundColor Yellow
} else {
# Get all members assigned to the Global Administrator role
$globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id
# Filter and display user details
$globalAdmins | Where-Object {$_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user'} | ForEach-Object {
$userId = $_.Id
$user = Get-MgUser -UserId $userId -Property UserPrincipalName, Department, JobTitle
[PSCustomObject]@{
UserPrincipalName = $user.UserPrincipalName
Department = $user.Department
JobTitle = $user.JobTitle
}
} | Format-Table -AutoSize
}
How the Script Works
- Connects to Microsoft Graph:
- Directory.Read.All
- RoleManagement.Read.Directory
- Fetches the Global Admin Role ID:
- Retrieves Role Members:
- Filters for User Accounts Only:
- Displays Key User Info:
- UserPrincipalName
- Department
- JobTitle and displays them in a clean table.
The script first prompts you to authenticate using Connect-MgGraph with the required scopes:
It retrieves the directory role named Global Administrator (also known internally as Company Administrator).
Using the role ID, it fetches all assigned members with Get-MgDirectoryRoleMember.
Since role members may include service principals or groups, it filters only user objects using the @odata.type field.
For each Global Admin user, it fetches:
Get-MgDirectoryRole in Graph APIWhen working with Graph PowerShell, the Get-MgDirectoryRole cmdlet helps you list the admin roles you have used or assigned internally in your tenant..
Use
Get-MgDirectoryRole with a filter like displayName eq 'Company Administrator' to locate the role object.
Once you’ve identified the correct role ID, use
Get-MgDirectoryRoleMember to list all users assigned to that role.This provides an up-to-date view of all Admins (global admin, global reader etc.,) in your tenant, based on role membership in Microsoft Entra ID (Azure AD).
Further Enhancing the Script
You can improve or extend the script in several ways:
- Export to CSV:
... | Export-Csv "GlobalAdmins.csv" -NoTypeInformationGet-MgUser -UserId $userId -Property UserPrincipalName, Department, JobTitle, DisplayNameUse Cases
- Security Audits: Ensure least privilege by reviewing who has top-level access.
- Onboarding/Offboarding Reviews: Monitor if accounts retain Global Admin access unnecessarily.
- Compliance Checks: Prove to internal or external auditors that admin roles are reviewed regularly.
- Delegation Optimization: Identify accounts that could be moved to lower-privileged roles.
Frequently Asked questions
- How often should I review the list of Global Admins in my tenant?
- Why is limiting the number of Global Admins important?
- Can I export the Global Admins list for reporting or auditing purposes?
It’s best practice to review the list of Global Admins at least once a month. Over time, admins may change roles or responsibilities, and keeping this role limited to the minimum required users ensures stronger security.
Global Admins have full access across Microsoft 365, including user management, security, and billing. Too many Global Admins increases the risk of accidental misconfigurations or malicious insider actions. Following the principle of least privilege is strongly recommended.
Yes. After retrieving the Global Admins with Graph PowerShell, you can pipe the results into Export-Csv to generate a report. This is useful for compliance audits and regular security reviews.
Possible Errors & Solutions
| Error | Cause | Solution |
| Global Administrator role not found | The role hasn't been activated yet in your tenant. | Assign at least one user to the role via the Microsoft 365 admin center. |
| Access Denied. Insufficient privileges to complete the operation. | Your account lacks permission to read directory roles. | Use an account with Global Admin or Privileged Role Admin rights. |
| Get-MgDirectoryRoleMember: Resource not found | The role ID was invalid or not resolved correctly. | Ensure the $globalAdminRole is correctly retrieved before using its ID. |
| The term 'Connect-MgGraph' is not recognized as the name of a cmdlet... | Microsoft Graph PowerShell module is not installed. | Install it using Install-Module Microsoft.Graph -Scope CurrentUser. |
Conclusion
This Graph PowerShell script is a simple yet powerful way to list all Global Administrators in your Microsoft 365 tenant. It helps you stay on top of privileged access and maintain strong security hygiene.
Whether you're performing audits, cleaning up excessive admins, or building a security dashboard, this script can be your starting point. With Microsoft Graph, you can automate and scale admin checks across your organization.