Well, I got a request from one of my customers who had an Office 365 subscription with more than 20,000 users and wanted the list of administrators who were managing the Azure AD. As usual, the issue was that getting the list from the UI meant scrolling through multiple pages. Hence, I was asked to craft a script for him that would give him all the information he needed. Surprisingly, my script also revealed service principals registered with the tenant that held the Directory Readers role, which helped me understand how an Office 365 tenant is kept isolated from the various services. I shall discuss this in detail in my next blog post.
For now, if you want to get the list of administrators in your Azure AD and Office 365 subscription, use the following script:-
function Save-File([string] $initialDirectory)
{
    # Prompt for the CSV path with a standard Windows save dialog.
    Add-Type -AssemblyName System.Windows.Forms
    $SaveFileDialog = New-Object System.Windows.Forms.SaveFileDialog
    $SaveFileDialog.InitialDirectory = $initialDirectory
    $SaveFileDialog.Filter = "CSV (*.csv)|*.csv"
    $SaveFileDialog.ShowDialog() | Out-Null
    return $SaveFileDialog.FileName
}

Import-Module MSOnline
Connect-MsolService    # prompts for credentials that can read directory roles

# For every directory role, list its members and tag each row with the role name and ID.
$membership = Get-MsolRole |
    Select-Object ObjectId, Name |
    ForEach-Object {
        $roleName = $_.Name
        $roleId   = $_.ObjectId
        Get-MsolRoleMember -RoleObjectId $roleId |
            Select-Object EmailAddress, DisplayName, RoleMemberType,
                @{Name = "AdminType";     Expression = { $roleName }},
                @{Name = "GroupObjectID"; Expression = { $roleId }}
    }

$membership

$File = Save-File
if ([string]::IsNullOrEmpty($File)) { return }   # dialog cancelled: nothing to write
$membership | Export-Csv -Path $File -NoTypeInformation
This shall give you the output as shown in the illustration below:-
You shall be prompted to save this output in CSV format at the end of the execution of the code above.
Note:- Since my blogging platform does not allow me to use the code tag, the formatting of the code might be lost when you copy it to the clipboard. In case you are not able to run the script, you can download it from the link below:-
Depending on the number of service principals and administrators, the script might take some time to execute.
You shall be able to get the list of members of the following RBAC roles:-
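As an added example (not part of the original post), the following PowerShell reads a CSV in the layout the script above exports and summarises it the way an access review would: members per role broken down by member type, plus every service principal or group that holds a role. The rows are constructed sample data, not output from a real tenant; to review a real export, replace them with Import-Csv.

```powershell
# Added example: review a CSV with the columns the script above exports.
# The rows below are constructed sample data, not a real tenant's output.
$sampleCsv = @'
"EmailAddress","DisplayName","RoleMemberType","AdminType","GroupObjectID"
"alice@contoso.example","Alice","User","Company Administrator","00000000-0000-0000-0000-000000000001"
"bob@contoso.example","Bob","User","Company Administrator","00000000-0000-0000-0000-000000000001"
"","Sync Connector","ServicePrincipal","Directory Readers","00000000-0000-0000-0000-000000000002"
"carol@contoso.example","Carol","User","Helpdesk Administrator","00000000-0000-0000-0000-000000000003"
"","Support Staff","Group","Helpdesk Administrator","00000000-0000-0000-0000-000000000003"
'@
$membership = $sampleCsv | ConvertFrom-Csv
# For a real export instead: $membership = Import-Csv -Path <path to the saved CSV>

function Get-RoleSummary {
    param([Parameter(Mandatory)] [object[]] $Rows)
    # One line per role: total members and a breakdown by RoleMemberType.
    $Rows | Group-Object AdminType | ForEach-Object {
        $counts = @{}
        foreach ($row in $_.Group) {
            $counts[$row.RoleMemberType] = 1 + [int]$counts[$row.RoleMemberType]
        }
        [pscustomobject]@{
            Role              = $_.Name
            Members           = $_.Count
            Users             = [int]$counts['User']
            Groups            = [int]$counts['Group']
            ServicePrincipals = [int]$counts['ServicePrincipal']
        }
    } | Sort-Object Members -Descending
}

function Get-NonUserRoleHolders {
    param([Parameter(Mandatory)] [object[]] $Rows)
    # Service principals and groups holding a role are the entries most often
    # overlooked when the export is read as "which people are admins".
    $Rows | Where-Object { $_.RoleMemberType -ne 'User' } |
        Select-Object AdminType, DisplayName, RoleMemberType
}

Get-RoleSummary -Rows $membership | Format-Table -AutoSize
Get-NonUserRoleHolders -Rows $membership | Format-Table -AutoSize
```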
Helpdesk Administrator
Service Support Administrator
Billing Administrator
Mailbox Administrator
Partner Tier1 Support
Partner Tier2 Support
Directory Readers
Exchange Service Administrator
Lync Service Administrator
User Account Administrator
Directory Writers
Company Administrator
Email Verified User Creator
AdHoc License Administrator
SharePoint Service Administrator
Device Users
Device Administrators
Device Join
Workplace Device Join
Compliance Administrator
Directory Synchronization Accounts
Device Managers
Application Administrator
Application Developer
Security Reader
Security Administrator
Privileged Role Administrator
Intune Service Administrator
Cloud Application Administrator
Customer LockBox Access Approver
CRM Service Administrator
Power BI Service Administrator
Guest Inviter
Conditional Access Administrator