Forum Discussion
Azure AD Privileged Access Report
I am currently trying to write an ad hoc report to report on privileged access membership. When I run the report, the Company Administrator reports incorrectly. But when I try to run the report on just the ObjectID I get an error when it tries to pull the names.
The account running this command/script is a Global Admin.
This is for the single run:
Get-AzureADDirectoryRoleMember -ObjectId <ObjectID> | Get-AzureADUser
Get-AzureADUser : Error occurred while executing GetUser
Code: Request_ResourceNotFound
Message: Resource '<ObjectID>' does not exist or one of its queried reference-property
objects are not present.
RequestId: <UserObjectID>
DateTimeStamp: Tue, 10 Mar 2020 20:06:51 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:81
+ ... mber -ObjectId <ObjectID> | Get-AzureADUser
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADUser], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser
This is the script:
Connect-AzureAD
# Output file for the report (assumed; the original post does not define $file)
$file = 'PrivilegedAccessReport.txt'
# Enumerate every directory role, alphabetically
$roles = Get-AzureADDirectoryRole | Sort-Object -Property DisplayName
foreach ($role in $roles) {
    $role.DisplayName | Out-File $file -Append
    # Pipes every role member into Get-AzureADUser, which fails for non-user members (the issue discussed below)
    $Members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
    foreach ($member in $Members) {
        $member.UserPrincipalName | Out-File $file -Append
    }
}
That's because you can have more than just users added to a role. For example, the Directory Readers role has a bunch of service principals added:
ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
dfb28e5c-6610-4d33-80cf-c518093bef57 00000009-0000-0000-c000-000000000000 Power BI Service
679ef712-91d0-4f2e-88fd-e2e9c020981d 00000005-0000-0ff1-ce00-000000000000 Office 365 Yammer
b15569dc-e194-40af-8d62-1c166202bfa2 0000001a-0000-0000-c000-000000000000 MicrosoftAzureActiveAuthn
5b8f1dd7-a9a3-4cf2-ba83-a9c926bf94cd 9dd50c8b-0eb9-47e9-af9e-80d200b11505 Reporting API Application
7368ee1a-8de3-4227-ad6a-7434e2e96b26 01fc33a7-78ba-4d2f-a4b7-768e336e890e MS-PIM
9f6f56b8-fd21-4540-b5e0-8ba3fbc41c11 00000014-0000-0000-c000-000000000000 Microsoft.Azure.SyncFabric
f842c430-48bb-44d7-a67a-c0f60ce7d5f4 522a0693-81d3-4874-aba4-db7f33d105fb Office 365 Reports
Running Get-AzureADUser against those will of course fail, so add a check there.
- Shaun Jennings (Iron Contributor)
VasilMichev Thank you for the reply.
That still does not answer why I am getting an invalid list for the Company Administrator role. I know there is one security principal there and two user accounts. But when I run the script, it returns six user accounts.
As I cannot see the output, I cannot tell you why. But the error message you are getting hints at the same thing: you are trying to run the Get-AzureADUser cmdlet against an object that is not a user, as simple as that.
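The check suggested in the two replies above, written out as an added example (not the poster's script or a reply from the thread): role members are branched on ObjectType so that only users reach Get-AzureADUser, while service principals and groups are resolved with their own cmdlets. It assumes an existing Connect-AzureAD session; the output path and column names are my own choices.

```powershell
# Added example: privileged role inventory that handles non-user members.
# Assumes Connect-AzureAD has already been run with sufficient rights.
$reportPath = Join-Path $env:TEMP 'AzureAD-PrivilegedAccess.csv'   # assumed output path

$rows = foreach ($role in Get-AzureADDirectoryRole | Sort-Object DisplayName) {
    # A directory role can contain users, groups and service principals.
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

    foreach ($member in $members) {
        # Resolve each member with the cmdlet that matches its ObjectType
        # instead of assuming every member is a user.
        switch ($member.ObjectType) {
            'User' {
                $u = Get-AzureADUser -ObjectId $member.ObjectId
                $identity = $u.UserPrincipalName
            }
            'ServicePrincipal' {
                $sp = Get-AzureADServicePrincipal -ObjectId $member.ObjectId
                $identity = "AppId=$($sp.AppId)"
            }
            'Group' {
                $g = Get-AzureADGroup -ObjectId $member.ObjectId
                $identity = "Group=$($g.DisplayName)"
            }
            default { $identity = "<unhandled type $($member.ObjectType)>" }
        }

        [pscustomobject]@{
            Role        = $role.DisplayName
            ObjectType  = $member.ObjectType
            DisplayName = $member.DisplayName
            Identity    = $identity
            ObjectId    = $member.ObjectId
        }
    }
}

$rows | Export-Csv -Path $reportPath -NoTypeInformation

# Per-type member counts for the Company Administrator role, so an unexpected
# number of users (as reported above) is visible at a glance.
$rows | Where-Object Role -eq 'Company Administrator' |
    Group-Object ObjectType | Select-Object Name, Count
```

Reviewing the CSV by ObjectType is what surfaces the service principals and nested groups that the original script silently dropped or mis-counted.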