Forum Discussion
Azure AD Privileged Access Report
That's because you can have more than just users added to a role. For example, the Directory Readers role has a bunch of service principals added:
ObjectId AppId DisplayName
-------- ----- -----------
dfb28e5c-6610-4d33-80cf-c518093bef57 00000009-0000-0000-c000-000000000000 Power BI Service
679ef712-91d0-4f2e-88fd-e2e9c020981d 00000005-0000-0ff1-ce00-000000000000 Office 365 Yammer
b15569dc-e194-40af-8d62-1c166202bfa2 0000001a-0000-0000-c000-000000000000 MicrosoftAzureActiveAuthn
5b8f1dd7-a9a3-4cf2-ba83-a9c926bf94cd 9dd50c8b-0eb9-47e9-af9e-80d200b11505 Reporting API Application
7368ee1a-8de3-4227-ad6a-7434e2e96b26 01fc33a7-78ba-4d2f-a4b7-768e336e890e MS-PIM
9f6f56b8-fd21-4540-b5e0-8ba3fbc41c11 00000014-0000-0000-c000-000000000000 Microsoft.Azure.SyncFabric
f842c430-48bb-44d7-a67a-c0f60ce7d5f4 522a0693-81d3-4874-aba4-db7f33d105fb Office 365 Reports
Running Get-AzureADUser against those will of course fail, so add a check there.
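The check described in the post above, written out as an added example (it is not code from the thread or from any of the posters): walk every activated directory role, branch on the member's ObjectType, and only call Get-AzureADUser for members that are actually users, so service principals and groups are reported instead of throwing. It assumes the AzureAD PowerShell module is installed and that the session has already run Connect-AzureAD; the property names used (ObjectType, AppId, AccountEnabled, UserPrincipalName) are the ones the module returns on its directory objects.

```powershell
# Added example, not from the original thread. Assumes the AzureAD module is
# loaded and Connect-AzureAD has been run in this session.
Import-Module AzureAD

$report = foreach ($role in Get-AzureADDirectoryRole) {
    # Get-AzureADDirectoryRole lists only roles that have been activated in the tenant
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        $entry = [ordered]@{
            Role        = $role.DisplayName
            ObjectType  = $member.ObjectType
            ObjectId    = $member.ObjectId
            DisplayName = $member.DisplayName
            UPN         = $null
            AppId       = $null
            Enabled     = $null
        }

        switch ($member.ObjectType) {
            'User' {
                # Only users are safe to pass to Get-AzureADUser
                $u = Get-AzureADUser -ObjectId $member.ObjectId
                $entry.UPN     = $u.UserPrincipalName
                $entry.Enabled = $u.AccountEnabled
            }
            'ServicePrincipal' {
                # Service principals (first-party apps, custom apps) are reported by AppId
                $entry.AppId   = $member.AppId
                $entry.Enabled = $member.AccountEnabled
            }
            default {
                # Groups or other object types: record them, do not expand them here
            }
        }

        [pscustomobject]$entry
    }
}

# Non-user members of a privileged role are exactly what an access review should flag
$report | Sort-Object Role, ObjectType, DisplayName | Format-Table -AutoSize
$report | Export-Csv -Path .\AzureAD-RoleMembers.csv -NoTypeInformation
```

Because the membership list is built from what the role actually contains rather than from an assumption that every member is a user, a role such as Directory Readers shows its service principals as ServicePrincipal rows with their AppId, and the script keeps running instead of failing on the first non-user object. The AzureAD module reports the Global Administrator role under its older name, Company Administrator, which is the name used in this thread.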
- Shaun Jennings, Mar 11, 2020, Iron Contributor
VasilMichev Thank you for the reply.
That still does not answer why I am getting an invalid list for the Company Administrator role. I know there is one security principal there and two user accounts. But when I run the script, it returns six user accounts.
- VasilMichev, Mar 11, 2020, MVP
As I cannot see the output, I cannot tell you why. But the error message you are getting hints at the same thing: you are trying to run the Get-AzureADUser cmdlet against an object that is not a user, as simple as that.
- Shaun Jennings, Mar 12, 2020, Iron Contributor
Thank you for that reply. In the output, it is giving a list of people for Company Administrator who are not assigned to that role. I only have two people in the role, but when I run the script it lists six people as having been assigned that role.