As I am implementing many Conditional Access Policies and scoping them to specific roles, I want to know in advance which admins will be affected. But I am too lazy to go through all roles by hand, so I wrote the following script:
```powershell
# Sign in to Azure AD with the MSOnline module
Connect-MsolService

$RoleAssignments = @()
$Roles = Get-MsolRole

# Walk every directory role and collect its permanently assigned members
Foreach ($Role in $Roles) {
    $RoleMembers = Get-MsolRoleMember -RoleObjectId $Role.ObjectId
    if ($RoleMembers) {
        Foreach ($RoleMember in $RoleMembers) {
            # One output row per role/member pair
            $RoleAssignment = "" | Select-Object RoleName,RoleObjectID,MemberDisplayName,MemberObjectID
            $RoleAssignment.RoleName = $Role.Name
            $RoleAssignment.RoleObjectID = $Role.ObjectId
            $RoleAssignment.MemberDisplayName = $RoleMember.DisplayName
            $RoleAssignment.MemberObjectID = $RoleMember.ObjectId
            $RoleAssignments += $RoleAssignment
        }
    }
}

# Show the result in a sortable, filterable grid
$RoleAssignments | Out-GridView
```
Nothing too fancy, but re-usable. But be aware: roles that are only “eligible” via PIM are not listed here.
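
To cover that gap, the following added example (not part of the original script) lists PIM-eligible role assignments with the Microsoft Graph PowerShell SDK, producing the same columns as above. It assumes the `Microsoft.Graph.Identity.Governance` module is installed, that the tenant uses PIM, and that the signed-in account can consent to the read scopes shown.

```powershell
# Added example: PIM-eligible assignments via Microsoft Graph PowerShell.
# Assumption: these two delegated read scopes are sufficient in your tenant.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','RoleEligibilitySchedule.Read.Directory'

# Build a lookup table: role definition id -> role display name
$RoleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
    $RoleNames[$_.Id] = $_.DisplayName
}

# Each eligibility schedule is one "eligible" assignment in PIM.
# Expanding the principal returns the user, group or service principal object.
$Schedules = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty 'principal'

$EligibleAssignments = foreach ($Schedule in $Schedules) {
    $Principal = $Schedule.Principal.AdditionalProperties
    [PSCustomObject]@{
        RoleName          = $RoleNames[$Schedule.RoleDefinitionId]
        RoleObjectID      = $Schedule.RoleDefinitionId
        MemberDisplayName = $Principal['displayName']
        MemberObjectID    = $Schedule.PrincipalId
        # '#microsoft.graph.group' means every member of that group is eligible
        PrincipalType     = $Principal['@odata.type']
        # '/' is tenant-wide; anything else is a narrower scope (e.g. an administrative unit)
        DirectoryScope    = $Schedule.DirectoryScopeId
        # Empty when the eligibility never expires
        EligibleUntil     = $Schedule.ScheduleInfo.Expiration.EndDateTime
    }
}

$EligibleAssignments | Sort-Object RoleName, MemberDisplayName | Out-GridView
```

Rows whose `PrincipalType` is a group need a second lookup of the group's members to get the full list of admins a role-scoped Conditional Access Policy will reach.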