Forum Discussion

Shaun Jennings's avatar
Shaun Jennings
Iron Contributor
Mar 10, 2020

Azure AD Privileged Access Report

I am currently trying to write an ad hoc report to report on privileged access membership. When I run the report, the Company Administrator reports incorrectly. But when I try to run the report on just the ObjectID I get an error when it tries to pull the names.

 

The account running these command/script is a Global Admin.

 

This is for the single run:

Get-AzureADDirectoryRoleMember -ObjectId <ObjectID> | Get-AzureADUser

 

Get-AzureADUser : Error occurred while executing GetUser
Code: Request_ResourceNotFound
Message: Resource '<ObjectID>' does not exist or one of its queried reference-property
objects are not present.
RequestId: <UserObjectID>
DateTimeStamp: Tue, 10 Mar 2020 20:06:51 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:81
+ ... mber -ObjectId <ObjectID> | Get-AzureADUser
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADUser], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser

 

This is the script:

Connect-AzureAD

$roles = Get-AzureADDirectoryRole | Sort -Property DisplayName
foreach ($role in $roles) {
     $role.DisplayName | Out-File $file -Append
     $Members = Get-AzureADDirectoryRoleMember -ObjectId $role.objectID | Get-AzureADUser
     foreach ($member in $Members) {
          $member.UserPrincipalName | Out-File $file -Append
     }
}

  • That's because you can have more than just users added to a role. For example, the Directory Readers role has a bunch of service principals added:

     

    ObjectId                             AppId                                DisplayName
    --------                             -----                                -----------
    dfb28e5c-6610-4d33-80cf-c518093bef57 00000009-0000-0000-c000-000000000000 Power BI Service
    679ef712-91d0-4f2e-88fd-e2e9c020981d 00000005-0000-0ff1-ce00-000000000000 Office 365 Yammer
    b15569dc-e194-40af-8d62-1c166202bfa2 0000001a-0000-0000-c000-000000000000 MicrosoftAzureActiveAuthn
    5b8f1dd7-a9a3-4cf2-ba83-a9c926bf94cd 9dd50c8b-0eb9-47e9-af9e-80d200b11505 Reporting API Application
    7368ee1a-8de3-4227-ad6a-7434e2e96b26 01fc33a7-78ba-4d2f-a4b7-768e336e890e MS-PIM
    9f6f56b8-fd21-4540-b5e0-8ba3fbc41c11 00000014-0000-0000-c000-000000000000 Microsoft.Azure.SyncFabric
    f842c430-48bb-44d7-a67a-c0f60ce7d5f4 522a0693-81d3-4874-aba4-db7f33d105fb Office 365 Reports

     

    Running Get-AzureADUser against those will of course fail, so add a check there.

    • Shaun Jennings's avatar
      Shaun Jennings
      Iron Contributor

      VasilMichev  Thank you for the reply.

       

      That still does not answer why I am getting an invalid list for the Company Administrator role. I know there is one security principle there and two User accounts. But when I run the script, it returns six user accounts.

      • VasilMichev's avatar
        VasilMichev
        MVP

        As I cannot see the output, I cannot tell you why. But the error message you are getting hints for the same - you are trying to runt he Get-AzureADUser cmdlet against an object that is not an user, as simple as that.

Resources