Azure AD Privileged Access Report

Iron Contributor

I am currently trying to write an ad hoc report to report on privileged access membership. When I run the report, the Company Administrator reports incorrectly. But when I try to run the report on just the ObjectID I get an error when it tries to pull the names.


The account running these command/script is a Global Admin.


This is for the single run:

Get-AzureADDirectoryRoleMember -ObjectId <ObjectID> | Get-AzureADUser


Get-AzureADUser : Error occurred while executing GetUser
Code: Request_ResourceNotFound
Message: Resource '<ObjectID>' does not exist or one of its queried reference-property
objects are not present.
RequestId: <UserObjectID>
DateTimeStamp: Tue, 10 Mar 2020 20:06:51 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:81
+ ... mber -ObjectId <ObjectID> | Get-AzureADUser
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADUser], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser


This is the script:


$roles = Get-AzureADDirectoryRole | Sort -Property DisplayName
foreach ($role in $roles) {
     $role.DisplayName | Out-File $file -Append
     $Members = Get-AzureADDirectoryRoleMember -ObjectId $role.objectID | Get-AzureADUser
     foreach ($member in $Members) {
          $member.UserPrincipalName | Out-File $file -Append

4 Replies

That's because you can have more than just users added to a role. For example, the Directory Readers role has a bunch of service principals added:


ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
dfb28e5c-6610-4d33-80cf-c518093bef57 00000009-0000-0000-c000-000000000000 Power BI Service
679ef712-91d0-4f2e-88fd-e2e9c020981d 00000005-0000-0ff1-ce00-000000000000 Office 365 Yammer
b15569dc-e194-40af-8d62-1c166202bfa2 0000001a-0000-0000-c000-000000000000 MicrosoftAzureActiveAuthn
5b8f1dd7-a9a3-4cf2-ba83-a9c926bf94cd 9dd50c8b-0eb9-47e9-af9e-80d200b11505 Reporting API Application
7368ee1a-8de3-4227-ad6a-7434e2e96b26 01fc33a7-78ba-4d2f-a4b7-768e336e890e MS-PIM
9f6f56b8-fd21-4540-b5e0-8ba3fbc41c11 00000014-0000-0000-c000-000000000000 Microsoft.Azure.SyncFabric
f842c430-48bb-44d7-a67a-c0f60ce7d5f4 522a0693-81d3-4874-aba4-db7f33d105fb Office 365 Reports


Running Get-AzureADUser against those will of course fail, so add a check there.

@Vasil Michev  Thank you for the reply.


That still does not answer why I am getting an invalid list for the Company Administrator role. I know there is one security principle there and two User accounts. But when I run the script, it returns six user accounts.

As I cannot see the output, I cannot tell you why. But the error message you are getting hints for the same - you are trying to runt he Get-AzureADUser cmdlet against an object that is not an user, as simple as that.

@Vasil Michev 


Thank you for that reply. On the output, it is giving a list of people for Company Administrator that are not assigned to that role. I only have two people in the role but when I run the script it places six people having been assigned that role.