# Report Global Admins

directorcia edited this page Mar 31, 2026 · 1 revision
`graph-globaladmins-get.ps1` reports members of the Microsoft Entra ID Global Administrator role by querying Microsoft Graph.

The script:

- Authenticates to Microsoft Graph.
- Resolves the Global Administrator role by role template ID.
- Retrieves all members of that role (with paging support).
- Normalizes returned data into a consistent object shape.
- Displays results in a formatted table.
- Optionally exports results to CSV.

- Script: `graph-globaladmins-get.ps1`
## Parameters

### `-csv`

- Type: switch
- Default: `False`

Behavior:

- When supplied, exports the final summary to a CSV file.
- When omitted, the script only displays results in the console.

Example:

```powershell
. .\graph-globaladmins-get.ps1 -csv
```

### `-OutputFile`

- Type: string
- Default: `..\graph-globaladmins.csv`

Behavior:

- Specifies the CSV destination path when `-csv` is used.
- Accepts relative or absolute paths.

Example:

```powershell
. .\graph-globaladmins-get.ps1 -csv -OutputFile .\reports\global-admins.csv
```

## Permissions

The script connects with the following delegated scopes:

- `RoleManagement.Read.Directory`
- `User.Read.All`
You must sign in with an account that can grant or use these delegated permissions in your tenant.
## Prerequisites

- PowerShell 7+ (recommended) or Windows PowerShell 5.1.
- Microsoft Graph PowerShell SDK installed (minimum requirement is support for `Connect-MgGraph` and `Invoke-MgGraphRequest`).
- Network access to `graph.microsoft.com`.

Install the Graph SDK (if needed):

```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
```

## Usage

Run from PowerShell:

```powershell
. 'C:\downloads\source\office365\graph-globaladmins-get.ps1'
```

With CSV export:

```powershell
. 'C:\downloads\source\office365\graph-globaladmins-get.ps1' -csv
```

With a custom CSV path:

```powershell
. 'C:\downloads\source\office365\graph-globaladmins-get.ps1' -csv -OutputFile 'C:\temp\global-admins.csv'
```

## How it works

- Applies strict scripting behavior:

  ```powershell
  Set-StrictMode -Version Latest
  $ErrorActionPreference = "Stop"
  ```
- Connects to Graph:
  - Calls `Connect-MgGraph` with the required scopes.
- Resolves the role using the Global Administrator role template ID:
  - Role template ID: `62e90394-69f5-4237-9190-012177145e10`
  - Query: `GET /v1.0/directoryRoles?$filter=roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'`
- Retrieves role members:
  - Query: `GET /v1.0/directoryRoles/{roleId}/members?$select=id,displayName,userPrincipalName`
  - Uses paging with `@odata.nextLink` until all pages are collected.
- Normalizes member properties:
  - Supports multiple response shapes:
    - Direct object properties.
    - Dictionary/hashtable payloads.
    - `AdditionalProperties` dictionaries.
- Enriches user records when needed:
  - If a member is of type `#microsoft.graph.user` and key fields are missing, performs: `GET /v1.0/users/{id}?$select=id,displayName,userPrincipalName`
- Builds output objects with the properties:
  - `Id`
  - `DisplayName`
  - `UserPrincipalName`
  - `PrincipalType`
- Sorts by `DisplayName` and writes table output.
- Optionally exports UTF-8 CSV when `-csv` is used.
- Always attempts to disconnect from Graph in `finally`.
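The role lookup, `@odata.nextLink` paging loop and shape normalization described above, written out as an added example (this is not the wiki's `graph-globaladmins-get.ps1`). It assumes an already-authenticated `Connect-MgGraph` session holding the two scopes named on this page; `Get-Field` and `Get-DirectoryRoleMembers` are names chosen here for illustration.

```powershell
# Added example (not the wiki's graph-globaladmins-get.ps1): resolve the
# directory role by template ID, then follow @odata.nextLink until every
# member page is collected. Assumes an existing Connect-MgGraph session with
# RoleManagement.Read.Directory and User.Read.All. Invoke-MgGraphRequest
# returns hashtables by default, so keys are read with index syntax, which
# yields $null for a missing key even under Set-StrictMode.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-Field {
    # Read one field from a hashtable or PSObject payload, falling back to
    # the AdditionalProperties dictionary the Graph SDK sometimes uses.
    param($Obj, [string]$Name)
    if ($Obj -is [System.Collections.IDictionary]) {
        if ($Obj.Contains($Name)) { return $Obj[$Name] }
        $extra = $Obj['AdditionalProperties']
        if ($extra -and $extra.Contains($Name)) { return $extra[$Name] }
        return $null
    }
    $prop = $Obj.PSObject.Properties[$Name]
    if ($prop) { return $prop.Value }
    $extra = $Obj.PSObject.Properties['AdditionalProperties']
    if ($extra -and $extra.Value -and $extra.Value.Contains($Name)) { return $extra.Value[$Name] }
    return $null
}

function Get-DirectoryRoleMembers {
    param([string]$RoleTemplateId = '62e90394-69f5-4237-9190-012177145e10')
    $roleUri = "https://graph.microsoft.com/v1.0/directoryRoles?`$filter=roleTemplateId eq '$RoleTemplateId'"
    $role = (Invoke-MgGraphRequest -Method GET -Uri $roleUri)['value'] | Select-Object -First 1
    if (-not $role) { throw 'Unable to locate the Global Administrator directory role in this tenant.' }

    $uri = "https://graph.microsoft.com/v1.0/directoryRoles/$($role['id'])/members?`$select=id,displayName,userPrincipalName"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($m in $page['value']) {
            $type = Get-Field $m '@odata.type'
            [pscustomobject]@{
                Id                = Get-Field $m 'id'
                DisplayName       = Get-Field $m 'displayName'
                UserPrincipalName = Get-Field $m 'userPrincipalName'
                PrincipalType     = if ($type -eq '#microsoft.graph.user') { 'User' } elseif ($type) { $type } else { 'Unknown' }
            }
        }
        $uri = $page['@odata.nextLink']   # $null on the last page ends the loop
    }
}

Get-DirectoryRoleMembers | Sort-Object DisplayName | Format-Table -AutoSize
```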
## Output

Each row includes:

- `DisplayName`: principal display name.
- `UserPrincipalName`: user sign-in name (usually null for non-user principals).
- `PrincipalType`: `User`, the Graph type (for non-users), or `Unknown`.
- `Id`: object ID.

## Error handling

- Any terminating error is caught and written with `Write-Error`.
- The script exits with code `1` on failure.
- If the Global Administrator role is not found, the script throws:

  `Unable to locate the Global Administrator directory role in this tenant.`

- Disconnect errors are intentionally ignored in cleanup to avoid masking the primary failure.
## Troubleshooting

**Cause:**

- Graph responses can vary in shape.

**Current handling:**

- The script reads fields from direct properties, dictionaries, and `AdditionalProperties`.

**If the issue persists:**

- Confirm permissions/scopes were consented.
- Retry in a fresh PowerShell session.

**Typical symptom:**

- Assembly load conflicts referencing `Microsoft.Graph.Authentication` in long-lived sessions.

**Mitigation in this script:**

- Uses `Invoke-MgGraphRequest` for data retrieval paths to reduce dependency on typed cmdlets.

**Potential causes:**

- No active Global Administrator role instance returned by Graph in the current context.
- Tenant or account context mismatch.
- Insufficient permissions.

**Checks:**

- Run `Get-MgContext` after sign-in and verify the account/tenant.
- Verify consent for `RoleManagement.Read.Directory` and `User.Read.All`.

## Notes

- The CSV export path is resolved by PowerShell relative to the current working directory unless an absolute path is provided.
- Output can include users and non-user principals assigned to the role.
- This script is read-only and does not modify tenant configuration.