Finding your admin roles and admins using PowerShell

I am in the process of cleaning up Global Admin roles. One thing you might find as you go along in the mad rush of things, is you accumulate baggage in your environments. You may create accounts for services, for consultants when you had no data in your Office 365/Azure tenants. When you go to review it, you notice that there are way more accounts in there than you intended and you have to clean it up to maintain your security posture and shrink your administrative foot print.

You can search and get these reports within different mechanisms (variations of Azure AD) in the portals, but I tend to always fall back on PowerShell. It will always give you the latest most up-to-date refreshed list, and you get the added benefit of learning PowerShell. Once you have a script, make sure you save it so you can reuse it.

The script

I won’t cover this, but you first have to connect to MSOL Online.

The script looks like this

#Displays lists of roles and their object ID

#Define Variables
$AdminRole = “Company Administrator”
$RoleObjectID = “62e90394-69f5-4237-9190-012177145e10”

#Get List of members in desired role
Get-MsolRoleMember -RoleObjectId $RoleObjectID

$O365Role = Get-MsolRole -RoleName “Company Administrator”
get-MSOLRoleMember -RoleObjectId $O365Role.ObjectID

Get-MSOLRole will allow you to see all of the roles that are available to Azure AD. You might see these represented differently in different products. You might even build some variables around all of these roles so you can easily build PowerShell reports or at least the roles you use.

You’re not actually using this command for anything other than a reference. One of the tricky parts here though is how some of the roles are represented, and they are called different things in different portals. My goal was the cleanup Global Admins, but as you can see there aren’t any Global Admin roles listed here. However; as I read the Descriptions I found that Global Admins is synonymous with Company Admins in this list, and I was able to confirm this with the next cmdlets.

Now I am going to define my variables that I want to utilize. I got these from the above list.

$AdminRole = “Company Administrator”

#RoleObjectID = “62e90394-69f5-4237-9190-012177145e10”

You can choose to use either or, I am just putting them both here to show you both commands that will give you the same results.

In the first example, you can use the RoleObject ID, and get your results quickly in one command. The return will be all of the Members of the Role that has the ObjectID of 62e90394-69f5-4237-9190-012177145e10 which is the Company Adminstrator Role.

Get-MsolRoleMember -RoleObjectId $RoleObjectID

The second way involves two commands, the first to set a variable, and the second to output the objects.

$O365Role = Get-MsolRole -RoleName “Company Administrator”
get-MSOLRoleMember -RoleObjectId $O365Role.ObjectID

PowerShell still remains the best way to automate things in Azure/Office 365.

Leave a comment

Your email address will not be published.