Office 365 (Azure AD) administrative permissions inventory report

Here’s a small script that generates a report of all users that have been assigned *any* administrative role in your Office 365 tenant. Or to be more precise, the roles within Azure AD. With the workload-specific admin roles feature finally rolling out to all O365 customers, now might be a good time to examine all those Global Admin entries and decide whether the corresponding user still needs them, or can use a more restrictive role.

The script itself is pretty basic, it goes over each admin role, gets its members and collects some info about them. I’ve added few additional custom fields, which will show you whether the user is being synchronized from your local AD, whether Strong authentication (MFA) is enabled and whether his password is set to never expire. The list can of course be expanded if needed.

$roles = Get-MsolRole

$arrPermissions = @();$i=0;

foreach ($role in $roles) {

$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId.Guid

if (!$members) { continue }

foreach ($member in $members) {

$objPermissions = New-Object PSObject

$i++;Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Number" -Value $i

Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Role" -Value $role.Name

Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "UPN" -Value $member.EmailAddress

Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Display Name" -Value $member.DisplayName

Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Type" -Value $member.RoleMemberType

Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isLicensed" -Value $member.isLicensed

if ($member.RoleMemberType -ne "ServicePrincipal") {

Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isSynced" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).LastDirsyncTime) {"True"} Else {"False"}})

Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "PasswordNeverExpires" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).PasswordNeverExpires) {"True"} Else {"False"}})

Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value (&{If((Get-MsolUser -UserPrincipalName $member.EmailAddress).StrongAuthenticationRequirements.State) {"True"} Else {"False"}})


$arrPermissions += $objPermissions



$arrPermissions #| Export-Csv -Path "C:\Users\Vasil\Desktop\O365\$((Get-Date).ToString('yyyy-MM-dd_HH-mm-ss'))_AdminPermissions.csv" -NoTypeInformation

To export the report to a CSV file, simply remove the comment from the last line.

This entry was posted in Office 365, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *