Azure AD Privileged Access Report

I am currently trying to write an ad hoc report to report on privileged access membership. When I run the report, the Company Administrator reports incorrectly. But when I try to run the report on just the ObjectID I get an error when it tries to pull the names.
The account running these commands/script is a Global Admin.

This is for the single run:

Get-AzureADDirectoryRoleMember -ObjectId <ObjectID> | Get-AzureADUser
Get-AzureADUser : Error occurred while executing GetUser
Code: Request_ResourceNotFound
Message: Resource '<ObjectID>' does not exist or one of its queried reference-property
objects are not present.
RequestId: <UserObjectID>
DateTimeStamp: Tue, 10 Mar 2020 20:06:51 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:81
+ ... mber -ObjectId <ObjectID> | Get-AzureADUser
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADUser], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser
This is the script:

Connect-AzureAD

# $file is assumed to be set earlier in the session (the report output path).
$roles = Get-AzureADDirectoryRole | Sort-Object -Property DisplayName
foreach ($role in $roles) {
    $role.DisplayName | Out-File $file -Append
    # Piping every role member straight into Get-AzureADUser fails for members
    # that are not users (service principals, groups); see the replies below.
    $Members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
    foreach ($member in $Members) {
        $member.UserPrincipalName | Out-File $file -Append
    }
}

4 Replies

That's because you can have more than just users added to a role. For example, the Directory Readers role has a bunch of service principals added:
ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
dfb28e5c-6610-4d33-80cf-c518093bef57 00000009-0000-0000-c000-000000000000 Power BI Service
679ef712-91d0-4f2e-88fd-e2e9c020981d 00000005-0000-0ff1-ce00-000000000000 Office 365 Yammer
b15569dc-e194-40af-8d62-1c166202bfa2 0000001a-0000-0000-c000-000000000000 MicrosoftAzureActiveAuthn
5b8f1dd7-a9a3-4cf2-ba83-a9c926bf94cd 9dd50c8b-0eb9-47e9-af9e-80d200b11505 Reporting API Application
7368ee1a-8de3-4227-ad6a-7434e2e96b26 01fc33a7-78ba-4d2f-a4b7-768e336e890e MS-PIM
9f6f56b8-fd21-4540-b5e0-8ba3fbc41c11 00000014-0000-0000-c000-000000000000 Microsoft.Azure.SyncFabric
f842c430-48bb-44d7-a67a-c0f60ce7d5f4 522a0693-81d3-4874-aba4-db7f33d105fb Office 365 Reports
Running Get-AzureADUser against those will of course fail, so add a check there.
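One way to add the check described in the reply above, as an added example rather than the script from the thread: branch on each member's ObjectType and only call Get-AzureADUser for members that are users. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; $reportPath and Get-DirectoryRoleReport are names chosen here.

```powershell
# Added example, not the thread author's script. Enumerates every Azure AD
# directory role and its members; Get-AzureADUser is called only for members
# whose ObjectType is 'User'. Service principals and groups are reported from
# the member object itself. Assumes Connect-AzureAD has already been run.
$reportPath = Join-Path $env:TEMP 'AzureAD-PrivilegedAccess.csv'   # chosen here

function Get-DirectoryRoleReport {
    foreach ($role in (Get-AzureADDirectoryRole | Sort-Object DisplayName)) {
        foreach ($member in (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)) {
            # ObjectType is the property the check keys on.
            $identity = switch ($member.ObjectType) {
                'User'             { (Get-AzureADUser -ObjectId $member.ObjectId).UserPrincipalName }
                'ServicePrincipal' { $member.AppId }      # apps have an AppId, not a UPN
                default            { $member.ObjectId }   # groups and anything else
            }
            [pscustomobject]@{
                Role        = $role.DisplayName
                MemberType  = $member.ObjectType
                DisplayName = $member.DisplayName
                Identity    = $identity
                ObjectId    = $member.ObjectId
            }
        }
    }
}

$rows = Get-DirectoryRoleReport
$rows | Export-Csv -Path $reportPath -NoTypeInformation

# Per-role summary with a breakdown by member type, so a mismatch between the
# number of users you expect in a role and what the report lists is easy to spot.
$rows | Group-Object Role | ForEach-Object {
    $byType = ($_.Group | Group-Object MemberType |
        ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    '{0}: {1} member(s) ({2})' -f $_.Name, $_.Count, $byType
}
```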

@Vasil Michev  Thank you for the reply.
That still does not answer why I am getting an invalid list for the Company Administrator role. I know there is one security principal there and two User accounts. But when I run the script, it returns six user accounts.

As I cannot see the output, I cannot tell you why. But the error message you are getting hints at the same - you are trying to run the Get-AzureADUser cmdlet against an object that is not a user, as simple as that.

@Vasil Michev 
Thank you for that reply. On the output, it is giving a list of people for Company Administrator that are not assigned to that role. I only have two people in the role but when I run the script it places six people having been assigned that role.