Here’s a small script that generates a report of all users that have been assigned *any* administrative role in your Office 365 tenant. Or to be more precise, the roles within Azure AD. With the workload-specific admin roles feature finally rolling out to all O365 customers, now might be a good time to examine all those Global Admin entries and decide whether the corresponding user still needs them, or can use a more restrictive role.
The script itself is pretty basic: it goes over each admin role, gets its members and collects some information about them. I’ve added a few additional custom fields, which will show you whether the user is being synchronized from your local AD, whether Strong authentication (MFA) is enabled and whether the password is set to never expire. The list can of course be expanded if needed.
```powershell
$roles = Get-MsolRole
$arrPermissions = @()
$i = 0

foreach ($role in $roles) {
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId.Guid
    if (!$members) { continue }

    foreach ($member in $members) {
        $objPermissions = New-Object PSObject
        $i++
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Number" -Value $i
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Role" -Value $role.Name
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "UPN" -Value $member.EmailAddress
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Display Name" -Value $member.DisplayName
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Type" -Value $member.RoleMemberType
        Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isLicensed" -Value $member.isLicensed

        # Service principals have no MSOL user object, so the extra fields are collected for users only
        if ($member.RoleMemberType -ne "ServicePrincipal") {
            # Look the user up once and reuse the object for all three custom fields
            $user = Get-MsolUser -UserPrincipalName $member.EmailAddress
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "isSynced" -Value (&{If($user.LastDirsyncTime) {"True"} Else {"False"}})
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "PasswordNeverExpires" -Value (&{If($user.PasswordNeverExpires) {"True"} Else {"False"}})
            Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "MFA Enabled" -Value (&{If($user.StrongAuthenticationRequirements.State) {"True"} Else {"False"}})
        }

        $arrPermissions += $objPermissions
    }
}

$arrPermissions #| Export-Csv -Path "C:\Users\Vasil\Desktop\O365\$((Get-Date).ToString('yyyy-MM-dd_HH-mm-ss'))_AdminPermissions.csv" -NoTypeInformation
```
To export the report to a CSV file, simply remove the `#` character before the pipe on the last line (and adjust the path to suit your machine).
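Once you have the report, the next question is which entries deserve attention first. The following function is an added example (not part of the original post) that takes the objects the script produces and flags admin users without MFA, with a never-expiring password, or, for Global Admins specifically, accounts synced from on-premises AD, and also reports whether the Global Admin count exceeds a threshold. It runs against constructed sample objects so it can be tried without a tenant; the role name "Company Administrator" is how the MSOnline module labels the Global Administrator role, and the threshold of four Global Admins is an assumed review trigger, not a value from the post.

```powershell
function Find-RiskyAdminAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Report,
        # Assumption: more than this many Global Admins is worth reviewing
        [int] $MaxGlobalAdmins = 4
    )

    $findings = @()
    # MSOnline reports the Global Administrator role as "Company Administrator"
    $globalAdmins = @($Report | Where-Object { $_.Role -eq "Company Administrator" -and $_.Type -eq "User" })

    foreach ($entry in ($Report | Where-Object { $_.Type -eq "User" })) {
        $reasons = @()
        if ($entry.'MFA Enabled' -ne "True")        { $reasons += "no MFA" }
        if ($entry.PasswordNeverExpires -eq "True") { $reasons += "password never expires" }
        # Privileged cloud accounts that are synced from on-prem AD inherit on-prem exposure
        if ($entry.Role -eq "Company Administrator" -and $entry.isSynced -eq "True") {
            $reasons += "Global Admin synced from on-prem AD"
        }
        if ($reasons.Count -gt 0) {
            $findings += [PSCustomObject]@{
                UPN     = $entry.UPN
                Role    = $entry.Role
                Reasons = ($reasons -join "; ")
            }
        }
    }

    [PSCustomObject]@{
        GlobalAdminCount    = $globalAdmins.Count
        TooManyGlobalAdmins = ($globalAdmins.Count -gt $MaxGlobalAdmins)
        Findings            = $findings
    }
}

# Constructed sample report objects, shaped like the output of the script above
$sampleReport = @(
    [PSCustomObject]@{ Number = 1; Role = "Company Administrator"; UPN = "admin1@contoso.example"; 'Display Name' = "Admin One"; Type = "User"; isLicensed = $true; isSynced = "False"; PasswordNeverExpires = "False"; 'MFA Enabled' = "True" }
    [PSCustomObject]@{ Number = 2; Role = "Company Administrator"; UPN = "legacy-admin@contoso.example"; 'Display Name' = "Legacy Admin"; Type = "User"; isLicensed = $true; isSynced = "True"; PasswordNeverExpires = "True"; 'MFA Enabled' = "False" }
    [PSCustomObject]@{ Number = 3; Role = "Exchange Service Administrator"; UPN = "exo-admin@contoso.example"; 'Display Name' = "EXO Admin"; Type = "User"; isLicensed = $true; isSynced = "False"; PasswordNeverExpires = "False"; 'MFA Enabled' = "False" }
    [PSCustomObject]@{ Number = 4; Role = "Company Administrator"; UPN = "app-sp"; 'Display Name' = "Some App"; Type = "ServicePrincipal"; isLicensed = $false }
)

$result = Find-RiskyAdminAssignment -Report $sampleReport
"Global Admins: $($result.GlobalAdminCount) (over threshold: $($result.TooManyGlobalAdmins))"
$result.Findings | Format-Table -AutoSize
```

With the sample data, the legacy-admin entry is flagged for all three reasons and the Exchange admin for missing MFA, while the service principal is skipped because the extra fields are only collected for users. To run it against a real tenant, pass `$arrPermissions` from the script instead of `$sampleReport`.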
I can't export the content to the CSV file, please help.
Please let me know what comment is to be removed.
Remove the # char on the last line…