
New sample script: Check what users assigned to a specific role can do in the tenant #6600

@MartinM85

Description

Docs
Author: Martin Macháček
Original Post: -
Description: The script is intended for use by administrators to review role permissions before assigning roles. If the role is inherited, the script includes the role permissions from the base role. In general, the script checks what users assigned to a specific role can do in the tenant.
Keywords: Microsoft Entra ID, Role definition, Role permissions, RBAC

Example of the output

SharePoint Administrator (f28a1f50-f6e7-4571-818b-6a12f2af6b6c)
Can manage all aspects of the SharePoint service.

General:
 - Read and configure Azure Service Health
 - Create and manage Azure support tickets
 - Create and manage OneDrive protection policy in Microsoft 365 Backup
 - Read and configure restore session for OneDrive in Microsoft 365 Backup
 - Create and delete all resources, and read and update standard properties in SharePoint
...
 - Read basic properties on all resources in the Microsoft 365 admin center

Inherits permissions from

Directory Readers (88d8e3e3-8f55-4a1e-953a-9b9898b8876b)
Can read basic directory information. Commonly used to grant directory read access to applications and guests.

General:
 - Read members of administrative units
 - Read license details of users
 - Read manager of users
 - Read registered devices of users
 - Read user's membership of a Microsoft Entra role, that is scoped to an administrative unit
 - Read sponsors of users
 ...
 - Read basic properties on users
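The core of such a check in Microsoft Graph PowerShell, as an added example that is not the sample script proposed in this issue: it fetches a role definition, lists the allowed resource actions of each role permission, and recurses into the base role(s) via the inheritsPermissionsFrom relationship. It prints the raw action identifiers rather than the friendly descriptions and "General:" grouping shown in the sample output above, and it assumes the Microsoft.Graph.Identity.Governance module is installed and that the cmdlet names used exist as shown.

```powershell
# Added example, not the script from this issue.
# Assumes Microsoft.Graph.Identity.Governance is installed and that
# Get-MgRoleManagementDirectoryRoleDefinitionInheritPermissionFrom is the
# cmdlet that exposes the inheritsPermissionsFrom navigation property.
# Read-only scope is enough for reviewing role definitions.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

function Show-EntraRolePermissions {
    param(
        [Parameter(Mandatory)] [string] $RoleDefinitionId,
        [int] $Depth = 0
    )
    $indent = '  ' * $Depth

    # Role definition: display name, description and its rolePermissions
    $role = Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $RoleDefinitionId

    "$indent$($role.DisplayName) ($($role.Id))"
    "$indent$($role.Description)"
    ""

    # Each rolePermission carries the allowed (and possibly excluded) actions
    foreach ($perm in $role.RolePermissions) {
        foreach ($action in $perm.AllowedResourceActions) {
            "$indent - $action"
        }
        foreach ($action in $perm.ExcludedResourceActions) {
            "$indent - (excluded) $action"
        }
    }

    # Follow the base role(s); their permissions apply to assignees too
    $bases = Get-MgRoleManagementDirectoryRoleDefinitionInheritPermissionFrom `
        -UnifiedRoleDefinitionId $RoleDefinitionId
    foreach ($base in $bases) {
        ""
        "$($indent)Inherits permissions from"
        ""
        Show-EntraRolePermissions -RoleDefinitionId $base.Id -Depth ($Depth + 1)
    }
}

# SharePoint Administrator, the role id shown in the sample output above
Show-EntraRolePermissions -RoleDefinitionId 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c'
```

Mapping each action identifier to the human-readable description seen in the sample output requires a separate lookup of the directory resource actions, which this example leaves out.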
