Abhijit Tiwari

Powershell Script to fetch List of Administrator and Service Principals on Azure Active Directory/ O


Well, I got a request from one of my customers who had an Office 365 subscription with more than 20000 users and wanted to know the list of administrators who were managing the Azure AD. As usual, the issue was that getting the list from the UI was an option that needed scrolling through multiple pages. Hence, I was asked to craft a script for him which would give him all the information he needed. Surprisingly, my script also revealed information about service principals registered with the tenant that held the Directory Readers role, which helped me understand how an Office 365 tenant is kept isolated from various services. I shall discuss this in detail in my next blog post.

For now, if you want to get the list of administrators in your Azure AD and Office 365 subscription, use the following script:-

function Save-File([string] $initialDirectory)
{
    # Show a standard Windows "Save As" dialog; returns the chosen path, or "" if cancelled.
    Add-Type -AssemblyName System.Windows.Forms
    $SaveFileDialog = New-Object System.Windows.Forms.SaveFileDialog
    $SaveFileDialog.InitialDirectory = $initialDirectory
    $SaveFileDialog.Filter = "CSV (*.csv)|*.csv"
    if ($SaveFileDialog.ShowDialog() -eq [System.Windows.Forms.DialogResult]::OK) {
        return $SaveFileDialog.FileName
    }
    return ""
}

# MSOnline module (Microsoft has since deprecated it in favour of Microsoft Graph PowerShell)
Import-Module MSOnline
Connect-MsolService

# For every directory role, list its members (users, groups and service principals)
# and tag each row with the role name and the role's object id.
$membership = Get-MsolRole |
    Select-Object ObjectId, Name |
    ForEach-Object {
        $roleName = $_.Name
        $roleId   = $_.ObjectId
        Get-MsolRoleMember -RoleObjectId $roleId |
            Select-Object EmailAddress, DisplayName, RoleMemberType,
                @{Name = "AdminType";     Expression = { $roleName }},
                @{Name = "GroupObjectID"; Expression = { $roleId }}
    }

# Echo the result to the console, then prompt for a CSV path and export it
$membership
$File = Save-File
if ($File) { $membership | Export-Csv -Path $File -NoTypeInformation }
else { Write-Warning "No file selected; results were not exported." }

This shall give you the output as shown in the illustration below:-

You shall be prompted to save this output in CSV format at the end of the execution of the code above.

Note:- Since my blogging platform does not allow me to use the code tag, the formatting of the code might be lost when you copy it to the clipboard. In case you are not able to run the script, you can download it from the link below:-

Depending upon the number of service principals and administrators, the script might take some time to execute.

You shall be able to get the members of the following directory (RBAC) roles:-

  • Helpdesk Administrator

  • Service Support Administrator

  • Billing Administrator

  • Mailbox Administrator

  • Partner Tier1 Support

  • Partner Tier2 Support

  • Directory Readers

  • Exchange Service Administrator

  • Lync Service Administrator

  • User Account Administrator

  • Directory Writers

  • Company Administrator

  • Email Verified User Creator

  • AdHoc License Administrator

  • SharePoint Service Administrator

  • Device Users

  • Device Administrators

  • Device Join

  • Workplace Device Join

  • Compliance Administrator

  • Directory Synchronization Accounts

  • Device Managers

  • Application Administrator

  • Application Developer

  • Security Reader

  • Security Administrator

  • Privileged Role Administrator

  • Intune Service Administrator

  • Cloud Application Administrator

  • Customer LockBox Access Approver

  • CRM Service Administrator

  • Power BI Service Administrator

  • Guest Inviter

  • Conditional Access Administrator
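As an added example (not part of the original post), the following follow-up reads the rows the script above produces and pulls out what a reviewer of such an export usually wants first: role members that are not user accounts, such as the service principals mentioned earlier, and the members of the most powerful roles. Which roles count as "high privilege" and the sample rows are my own assumptions; against a real run, replace the sample with Import-Csv on the file saved by the script.

```powershell
# Added example (not from the original post): review rows with the properties the
# script above exports (EmailAddress, DisplayName, RoleMemberType, AdminType,
# GroupObjectID). Role names come from the list on this page; which of them are
# treated as high privilege is an assumption of this example.
$HighPrivilegeRoles = @(
    'Company Administrator', 'Privileged Role Administrator',
    'Application Administrator', 'Cloud Application Administrator',
    'Security Administrator', 'User Account Administrator'
)

function Get-RoleMembershipReview {
    param([Parameter(Mandatory)] [object[]] $Membership)
    [pscustomobject]@{
        # Anything that is not a user account: service principals and groups.
        NonUserPrincipals = @($Membership | Where-Object { $_.RoleMemberType -ne 'User' })
        # Every principal holding one of the roles listed above.
        HighPrivilegeMembers = @($Membership | Where-Object { $HighPrivilegeRoles -contains $_.AdminType })
        # Member count per role, largest first, to spot over-assigned roles.
        MembersPerRole = $Membership | Group-Object AdminType | Sort-Object Count -Descending |
            Select-Object @{Name = 'Role'; Expression = { $_.Name }}, Count
    }
}

# Constructed sample rows in the shape the script exports. For a real export use:
#   $rows = Import-Csv -Path <path chosen in the save dialog>
$rows = @(
    [pscustomobject]@{ EmailAddress = 'alice@contoso.example'; DisplayName = 'Alice';
                       RoleMemberType = 'User'; AdminType = 'Company Administrator'; GroupObjectID = 'role-1' }
    [pscustomobject]@{ EmailAddress = ''; DisplayName = 'Example SP A';
                       RoleMemberType = 'ServicePrincipal'; AdminType = 'Directory Readers'; GroupObjectID = 'role-2' }
    [pscustomobject]@{ EmailAddress = 'bob@contoso.example'; DisplayName = 'Bob';
                       RoleMemberType = 'User'; AdminType = 'Helpdesk Administrator'; GroupObjectID = 'role-3' }
    [pscustomobject]@{ EmailAddress = ''; DisplayName = 'Example SP B';
                       RoleMemberType = 'ServicePrincipal'; AdminType = 'Company Administrator'; GroupObjectID = 'role-1' }
)

$review = Get-RoleMembershipReview -Membership $rows
"Non-user principals holding roles:"
$review.NonUserPrincipals | Format-Table DisplayName, RoleMemberType, AdminType -AutoSize
"Members of high-privilege roles:"
$review.HighPrivilegeMembers | Format-Table DisplayName, RoleMemberType, AdminType -AutoSize
"Members per role:"
$review.MembersPerRole | Format-Table -AutoSize
```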
