when I run this command:

Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $global:varTenant.ObjectId | Format-List

None of the results have any values for the fields I've outlined in red. For example, roles that I know have active assignments don't show any value in the ActiveAssignmentCount property. How can I get those values to populate?

CodePudding user response：

I tried in my environment and got below results:

When I execute the commands and got same output like below :

Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $global:varTenant.ObjectId | Format-List

• I have checked this MSDocs. As per my understand role definition command shows the default value for the PIM.

You can get the active and eligible assignments by running this command:

Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "< tenant Id >" -Filter "subjectId eq '< User id>'''

Output:

Make use of below scripts to get the Active assignments count and Eligible assignments count.

Activeassignmentscount:

To get the specific user for Activeassignmentcount you can use this script.

$Pims= Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "< Tenant ID>" -Filter "subjectId eq '< User object Id >'"
$count=0
Foreach($pim in $Pims.AssignmentState)
{
If($pim -eq “Active” )
{
$count  
$ActiveAssignmentCount=$count
}
}

Write-Host "ActiveAssignmentCount = " $ActiveAssignmentCount
Write-Host " "

Powershell:

Eligibleassignmentscount:

To get the specific user for Eligibleassignmentcount you can use this script.

$Pims= Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "< Tenantid >" -Filter "subjectId eq 'userid'"
$count=0
Foreach($pim in $Pims.AssignmentState)
{
If($pim -eq “Eligible” )
{
$count  
$EligibleAssignmentCount=$count
}
}Write-Host "EligibleAsssignmentCount = " $EligibleAssignmentCount Write-Host " "

Refer this link you can also get the process through graph explorer.