Nov 20 2017 07:12 AM
Nov 20 2017 07:12 AM
I want to see which users are assigned admin role privileges in O365 for all admin role attributes.... Who can help me to get this report?
Nov 20 2017 01:30 PM
You are not being very specific here, but here's one of the snippets I use for reporting on Admin role assignments:
$roles = Get-MsolRole $arrPermissions = @();$i=0; foreach ($role in $roles) { $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId.Guid if (!$members) { continue } foreach ($member in $members) { $objPermissions = New-Object PSObject $i++;Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Number" -Value $i Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Role" -Value $role.Name Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "UPN" -Value $member.EmailAddress Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Display Name" -Value $member.DisplayName Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Type" -Value $member.RoleMemberType Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isLicensed" -Value $member.isLicensed if ($member.RoleMemberType -ne "ServicePrincipal") { Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isSynced" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).LastDirsyncTime) {"True"} Else {"False"}}) Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "PasswordNeverExpires" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).PasswordNeverExpires) {"True"} Else {"False"}}) Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).StrongAuthenticationRequirements.State) {"True"} Else {"False"}}) } $arrPermissions += $objPermissions } } $arrPermissions #| Export-Csv -Path "$((Get-Date).ToString('yyyy-MM-dd_HH-mm-ss'))_AdminPermissions.csv" -NoTypeInformation
Nov 20 2017 07:28 PM
Hello Leighton Brunning,
If you are interested in GUI tool then the below tool has an in-built report for finding admin role privileges. (Once installed, navigate to 'Reports > Azure AD > Security Reports > Administrative Users')
https://gallery.technet.microsoft.com/office/Office-365-Reporting-Tool-7987b4c2
You can check out the online demo of the required report here. (Dashboard)
You can customize the report, apply advanced filters, and also schedule the report sent to your mailbox periodically.