Random Musings

Sporadic thoughts on tech, economics, business, finance and trading

How to check all Privileged Identity Management (PIM) roles assigned to a user in Azure AD

, ,

To check all Privileged Identity Management (PIM) roles assigned to a user in Azure AD, follow these steps:

Method 1: Using the Azure Portal

  1. Sign in to the Azure Portal:
  2. Navigate to Azure AD Privileged Identity Management (PIM):
    • Search for Privileged Identity Management in the search bar.
    • Select Azure AD roles under PIM.
  3. Search for the User:
    • In the Azure AD roles section, click Users on the left-hand menu.
    • Use the search bar to find the user whose roles you want to review.
  4. View Assigned Roles:
    • Select the user to see a list of roles they are assigned to under PIM.
    • This will show all active and eligible roles for the user.
  5. Export the Role Assignment (Optional):
    • Click the Export button if you want to save the list of roles for documentation purposes.

Method 2: Using Azure AD PowerShell

  1. Install the Azure AD PowerShell Module (if not already installed): Install-Module -Name AzureAD
  2. Sign in to Azure AD: Connect-AzAccount
  3. Run the Following Command to List All Roles for a Specific User: Replace <UserPrincipalName> with the user’s email or username: Get-AzureADDirectoryRole | ForEach-Object { Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId | Where-Object { $_.UserPrincipalName -eq "<UserPrincipalName>" } }
  4. Analyze the Output: This will return a list of roles the user is assigned to, including PIM roles.

Method 3: Using Microsoft Graph API

  1. Access Microsoft Graph Explorer:
  2. Run the API Query: Use the following query to list all roles assigned to a specific user: GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=principalId eq '<UserObjectId>'
    • Replace <UserObjectId> with the user’s Azure AD object ID.
  3. View the Results:
    • The output will list all roles assigned to the user, including the scope and type (eligible or active).

Method 4: Using Azure CLI

  1. Sign in to Azure: az login
  2. Run the Following Command: Replace <UserPrincipalName> with the user’s email or username: az role assignment list --assignee <UserPrincipalName>
  3. Analyze the Output:
    • The output includes all roles, including those assigned via PIM.

If you are unable to see the roles, ensure you have sufficient permissions (such as Global Administrator, Privileged Role Administrator, or Reports Reader) to access PIM role assignments.