Get-MgDirectoryRoleMember returns "does not exist or one of its queried reference-property obje

Time:07-29

I'm trying to return a list of users within a certain Azure AD Role, say Application Administrators, for example.

I'm running the cmdlet Get-MgDirectoryRoleMember from the Microsoft.Graph SDK module (the SDK being new to me), but running into an error for every role I try to query.

Get-MgDirectoryRoleMember -DirectoryRoleId "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"

But it returns (for any role ID):

Get-MgDirectoryRoleMember : Resource '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3' does not exist or one of its queried reference-property objects are not present.
At line:1 char:1
  Get-MgDirectoryRoleMember -DirectoryRoleId "9b895d92-2cd3-44c7-9d02-a ...

The Role ID of "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" is universal for the Application Administrator, as is shown in the docs here for App Admin Template ID. So I know that it's a correct ID for that role template.

My only other thought is permission-based: checking the required roles for this command by using Find-MgGraphCommand -command Get-MGDirectoryRoleMember | Select -First 1 -ExpandProperty Permissions

I find that RoleManagement.Read.Directory should be all that is required according to this corresponding description it returns:

Allows the app to read the role-based access control (RBAC) settings for your company's directory, on your behalf.  This includes reading directory role templates, directory roles and memberships.

Any direction would be much appreciated, thank you!

EDIT: This really turned into a question on the difference between Get-MGDirectoryRole and Get-MGDirectoryRoleTemplate. My last comment on scottwtang's answer clarifies the difference with a link to Microsoft documentation.

CodePudding user response:

The documentation you linked contains the role template ID; the cmdlet Get-MgDirectoryRoleMember requires the role ID.

You can get the role ID using Get-MgDirectoryRole. See the object output below with the 2 different Ids.

DeletedDateTime      : 
Description          : Can create and manage all aspects of app registrations and enterprise apps.
DisplayName          : Application Administrator
Id                   : b68e3c0d-282b-4914-bd21-f1e11f4562a0
Members              : 
RoleTemplateId       : 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
ScopedMembers        : 
AdditionalProperties : {}

Example

You can first use Get-MgDirectoryRole to get the role ID, and then feed it into Get-MgDirectoryRoleMember.

$roleName = "Application Administrator"

# Get the directory role (only activated roles are returned)
$adminRole = Get-MgDirectoryRole -Filter "DisplayName eq '$roleName'"

# Get all role assignments (members) of that role
Get-MgDirectoryRoleMember -DirectoryRoleId $adminRole.Id

Note: if the admin role hasn't been activated (the role has never been assigned), Get-MgDirectoryRole will fail, so you need to activate the role first.

$roleName = "Application Administrator"

# Get the directory role (only activated roles are returned)
$adminRole = Get-MgDirectoryRole -Filter "DisplayName eq '$roleName'"

# If the role hasn't been activated, we need to get the role template ID to first activate the role
if ($null -eq $adminRole)
{
    $adminRoleTemplate = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $adminRole = New-MgDirectoryRole -RoleTemplateId $adminRoleTemplate.Id
}

# Get all role assignments (members) of that role
Get-MgDirectoryRoleMember -DirectoryRoleId $adminRole.Id
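The following is an added example, not code from the question or the answer above. It walks the same template-ID-to-role-ID resolution end to end, but keys on the tenant-independent roleTemplateId instead of the display name, activates the role only when explicitly asked, and resolves each member's object type and display properties, since directory role members can be users, groups or service principals. It assumes the Microsoft.Graph PowerShell SDK is installed; the function name Get-DirectoryRoleMembersByTemplate is made up for this example, and the scope names (RoleManagement.Read.Directory for reading, RoleManagement.ReadWrite.Directory for New-MgDirectoryRole), the $filter on roleTemplateId and the AdditionalProperties keys used below are assumptions based on the Microsoft Graph SDK's usual behaviour. The template ID in the usage line is the Application Administrator ID from the question.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK
# is installed and the signed-in account can consent to the listed scopes.
# Role template IDs are the same in every tenant; role object IDs are tenant-specific
# and only exist once the role has been activated.

# Reading members needs RoleManagement.Read.Directory; activating a role (New-MgDirectoryRole)
# needs RoleManagement.ReadWrite.Directory. Drop the write scope if you never activate roles.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "RoleManagement.ReadWrite.Directory"

function Get-DirectoryRoleMembersByTemplate {
    param(
        # Tenant-independent template ID, e.g. 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 (Application Administrator)
        [Parameter(Mandatory)] [string] $RoleTemplateId,
        # Activate the role if it has never been used in this tenant (requires the write scope)
        [switch] $ActivateIfMissing
    )

    # Fails fast if the template ID itself is wrong (typo, or not a real template at all)
    $template = Get-MgDirectoryRoleTemplate -DirectoryRoleTemplateId $RoleTemplateId -ErrorAction Stop

    # Resolve the tenant-specific directoryRole object. Filtering by roleTemplateId is
    # more robust than by DisplayName, which can be localised or renamed. (Assumed: the
    # directoryRoles endpoint supports $filter on roleTemplateId.)
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$RoleTemplateId'"

    if (-not $role) {
        if (-not $ActivateIfMissing) {
            # Not activated means nobody has ever been assigned it, so there are no members to list
            Write-Warning "Role '$($template.DisplayName)' is not activated in this tenant and has no members."
            return @()
        }
        # Activation creates the directoryRole object and with it the Id that
        # Get-MgDirectoryRoleMember expects
        $role = New-MgDirectoryRole -RoleTemplateId $RoleTemplateId -ErrorAction Stop
    }

    # Members come back as generic directoryObjects; the concrete type and the display
    # properties are in AdditionalProperties (assumed key names). -All follows paging.
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [pscustomobject]@{
            Role              = $template.DisplayName
            RoleTemplateId    = $RoleTemplateId
            RoleId            = $role.Id
            MemberId          = $_.Id
            MemberType        = ($_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
            DisplayName       = $_.AdditionalProperties['displayName']
            UserPrincipalName = $_.AdditionalProperties['userPrincipalName']   # empty for groups and service principals
        }
    }
}

# Usage: the Application Administrator template ID from the question, resolved to the
# tenant's role object before the member query runs
Get-DirectoryRoleMembersByTemplate -RoleTemplateId '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3' | Format-Table
```

Passing the template ID straight to Get-MgDirectoryRoleMember is what produces the "Resource ... does not exist" error in the question: the member endpoint looks the ID up among directoryRole objects, and a template ID is never one of those. Looking the template up first also separates "you typed a bad ID" from "this role has never been activated in this tenant", which the original error message does not distinguish.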