Can PS query Portal permissions ?

Copper Contributor



The process of determining what permissions an individual end user has on cloud portals manually is too time consuming.


Ideally id like to get a report of a users permissions set within e.g. Intune, Exchange online, Purview.

Not Roles now but individual permissions set within the Portal itself.


I can then compare two users against each other etc.   


I've Installed MS Graph but searching the net cant see anything that shows this can be done.


Do we know if this is possible ?




2 Replies

Hi @Synthetic_Sentience,

It is possible to use PowerShell and the Microsoft Graph API to query and retrieve permissions for users in Microsoft 365 portals (Intune, Exchange Online,...)

To do this, you can try use the Invoke-RestMethod cmdlet to make API requests to the Microsoft Graph API. For example, to get the permissions for a specific user in Intune, you could use the following:



# Define the user's UPN (User Principal Name)
$upn = "email address removed for privacy reasons"

# Set the required API endpoint and version
$apiEndpoint = ""
$apiUrl = "$apiEndpoint/users/{0}/appRoleAssignments" -f $upn

# Make the API request to get the permissions for the user
$accessToken = "<Access Token>" # Replace with your valid access token
$headers = @{
    "Authorization" = "Bearer $accessToken"
$response = Invoke-RestMethod -Uri $apiUrl -Headers $headers

# Display the permissions for the user
$response.value | Select-Object -Property appRoleId, appRoleDefinitionId, principalDisplayName, principalId



The script queries the Microsoft Graph API by making a GET request to the /users/{userPrincipalName}/appRoleAssignments endpoint, which retrieves the app role assignments (permissions) for the specified user


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it Like.

Kindest regards,

Leon Pavesic

Thanks Leon

Where would I get the "Access Token" required ?

Guessing from the Graph API Azure app using the GUI