Admin Roles Report


I want to see which users are assigned admin role privileges in O365 for all admin role attributes.... Who can help me to get this report? 


5 Replies

What does your current script look like?


You are not being very specific here, but here's one of the snippets I use for reporting on Admin role assignments:

# Requires the MSOnline module and an existing Connect-MsolService session
$roles = Get-MsolRole

$arrPermissions = @(); $i = 0
foreach ($role in $roles) {
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId.Guid
    if (!$members) { continue }   # skip roles that have no members

    foreach ($member in $members) {
        # Look the user object up once; service principals have none
        $user = $null
        if ($member.RoleMemberType -ne "ServicePrincipal") {
            $user = Get-MsolUser -UserPrincipalName $member.EmailAddress
        }

        $i++
        # Every row carries the same properties: Export-Csv takes its columns
        # from the first object, so user-only fields stay empty for service principals
        $arrPermissions += [PSCustomObject][ordered]@{
            "Number"               = $i
            "Role"                 = $role.Name
            "UPN"                  = $member.EmailAddress
            "Display Name"         = $member.DisplayName
            "Type"                 = $member.RoleMemberType
            "isLicensed"           = $member.isLicensed
            "isSynced"             = if ($user) { "$([bool]$user.LastDirsyncTime)" }
            "PasswordNeverExpires" = if ($user) { "$([bool]$user.PasswordNeverExpires)" }
            "MFA Enabled"          = if ($user) { "$([bool]$user.StrongAuthenticationRequirements.State)" }
        }
    }
}

# Remove the "#" to write the report to a timestamped CSV instead of the console
$arrPermissions #| Export-Csv -Path "$((Get-Date).ToString('yyyy-MM-dd_HH-mm-ss'))_AdminPermissions.csv" -NoTypeInformation
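
One way to triage the report the snippet above produces, as an added example that is not part of the original thread: it collapses the one-row-per-role output to one row per account and flags the three conditions the report already exposes. The function name `Get-AdminRoleFinding`, the finding labels and the sample rows are constructed for illustration; the column names are the ones the snippet emits.

```powershell
# Constructed sample rows using the report's column names.
# With real data: $rows = Import-Csv -Path <your exported AdminPermissions CSV>
$rows = @'
Number,Role,UPN,Display Name,Type,isLicensed,isSynced,PasswordNeverExpires,MFA Enabled
1,Company Administrator,alice@contoso.example,Alice A,User,True,False,False,True
2,Company Administrator,bob@contoso.example,Bob B,User,False,True,True,False
3,Exchange Service Administrator,bob@contoso.example,Bob B,User,False,True,True,False
4,Helpdesk Administrator,carol@contoso.example,Carol C,User,True,False,False,False
5,Directory Readers,,Sample App,ServicePrincipal,,,,
'@ | ConvertFrom-Csv

function Get-AdminRoleFinding {
    param([Parameter(Mandatory)][object[]]$Rows)

    # Service principals carry no user attributes in the report; review them separately.
    $users = $Rows | Where-Object { $_.Type -ne 'ServicePrincipal' }

    foreach ($account in ($users | Group-Object -Property UPN)) {
        $first = $account.Group[0]   # user attributes repeat on every row of an account
        $findings = @()
        # "MFA Enabled" reflects the per-user MFA state only; an account covered
        # solely by a Conditional Access policy still shows False here.
        if ($first.'MFA Enabled' -ne 'True')        { $findings += 'NoPerUserMfa' }
        if ($first.PasswordNeverExpires -eq 'True') { $findings += 'PasswordNeverExpires' }
        if ($first.isSynced -eq 'True')             { $findings += 'SyncedFromOnPrem' }

        [PSCustomObject]@{
            UPN          = $account.Name
            RoleCount    = $account.Count
            Roles        = ($account.Group.Role | Sort-Object -Unique) -join '; '
            FindingCount = $findings.Count
            Findings     = $findings -join ', '
        }
    }
}

# Accounts with the most findings first, then those holding the most roles.
Get-AdminRoleFinding -Rows $rows |
    Sort-Object -Property FindingCount, RoleCount -Descending |
    Format-Table -AutoSize

# Non-user principals holding directory roles, listed for separate review.
$rows | Where-Object { $_.Type -eq 'ServicePrincipal' } |
    Format-Table -Property Role, 'Display Name' -AutoSize
```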

Hello Leighton Brunning,

If you are interested in a GUI tool, then the tool below has an in-built report for finding admin role privileges. (Once installed, navigate to 'Reports > Azure AD > Security Reports > Administrative Users'.)

https://gallery.technet.microsoft.com/office/Office-365-Reporting-Tool-7987b4c2

You can check out the online demo of the required report here. (Dashboard)

You can customize the report, apply advanced filters, and also schedule the report to be sent to your mailbox periodically.

Vasil,

Are you happy to share this script?

I pasted it in my reply above?