Hey everyone! I'm on a mission to migrate all my scripts from MS Online to MS Graph but I'm hitting a snag. I'm looking for a way to retrieve a user's Entra roles similar to the function Get-MsolUserRoles. The closest I've found is Get-MgBetaRoleManagementDirectoryTransitiveRoleAssignment, but that seems limited as it only allows filtering with a string, and I'd prefer to use a variable for the user's ID instead. Is there a more straightforward function that can help me get these roles based on a variable rather than a hard-coded string? Thanks in advance!
2 Answers
For retrieving members from a group, you can check out this [endpoint](https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http). Another option is to get groups from a user using [this](https://learn.microsoft.com/en-us/graph/api/directoryobject-getmembergroups?view=graph-rest-1.0&tabs=http). But since you specifically want roles, look into getting roles using links like [this one](https://learn.microsoft.com/en-us/graph/api/directoryrole-list-members?view=graph-rest-1.0&tabs=http) and [this one](https://learn.microsoft.com/en-us/graph/api/user-list-approleassignments?view=graph-rest-1.0&tabs=http).
Thanks for the suggestion! But just to clarify, doesn’t that just give the groups a user belongs to? I tested it with an admin account who has 1 role in 2 groups, and it returned those 2 groups instead.
You can try using the `Get-MgBetaUserTransitiveMemberOf` cmdlet. Just filter the results by #microsoft.graph.directoryRole. There's also a nice script available [here](https://o365reports.com/2021/03/02/export-office-365-admin-role-report-powershell/) that might be useful!
Just a heads up, I’d steer clear of anything in beta when working with Microsoft tools. They can be a bit... unpredictable! *wink*
I would be careful with that. The limitations are pretty big, especially since you need both the user and roleId or roleTemplateId to filter. If you aren't dealing with PIM Eligible roles, check out this alternative: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/get-mgrolemanagementdirectoryroleassignment?view=graph-powershell-1.0.