Microsoft Entra ID Privileged Role Inventory Tool
The Microsoft Entra ID Privileged Role Inventory Tool is a read-only PowerShell-based utility designed to discover, analyze, and report on privileged role assignments within a Microsoft Entra ID tenant.
The tool identifies high-privilege administrative roles and enumerates all assigned identities, providing both detailed and summarized visibility into administrative access across the environment.
It displays role assignments with associated user names and aggregates counts per role, enabling quick assessment of privilege distribution and potential overexposure.
Where supported, the tool also attempts to retrieve Privileged Identity Management (PIM) eligible role assignments.
In environments without the required licensing, the tool gracefully handles this limitation without interrupting execution.
This tool is intended for security auditing, access reviews, compliance validation, and baseline assessments of administrative privilege within a tenant.
It provides actionable insight into who has elevated access and how that access is distributed across critical roles.
The script runs in Azure Cloud Shell and uses Microsoft Graph PowerShell for data retrieval. All operations are read-only and do not modify any tenant resources.
Requirements:
Execution Environment:
- Azure Cloud Shell (PowerShell) recommended
- PowerShell 7+ (if running locally)
- Internet connectivity to Microsoft Graph
Authentication:
- Microsoft Graph authentication is required before running the tool:
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"
Permissions (Microsoft Entra ID / Microsoft Graph):
- RoleManagement.Read.Directory (Read Role Assignments)
- Directory.Read.All (Read Directory Objects)
Optional Permissions (For Extended Visibility):
- User.Read.All (Resolve User Details)
Modules:
- Microsoft Graph PowerShell Module
Required Graph Components:
- Microsoft.Graph.Identity.DirectoryManagement
- Microsoft.Graph.Users (Optional for enhanced identity resolution)
Licensing Considerations:
- Privileged Identity Management (PIM) data requires Microsoft Entra ID P2 or Governance licensing
- If this licensing is not available, PIM-related sections are skipped automatically and a message in red indicates that a P2 license is required
Notes:
- The tool performs read-only operations
- No changes are made to roles, users, or permissions
- Output is based on the permissions of the authenticated account running the tool
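The following is an added illustration, not the inventory tool's own code, of the behaviour described above: active members per privileged role, a per-role count, and a PIM eligibility query that degrades gracefully when P2 licensing is absent. It assumes an already-authenticated Connect-MgGraph session with the scopes listed above, that Microsoft.Graph.Identity.Governance is installed for the eligibility cmdlet (it is not in the module list above), and a sample role list chosen for the example.

```powershell
# Added example, not the inventory tool's own code. Assumes an existing Connect-MgGraph session
# with RoleManagement.Read.Directory and Directory.Read.All; the role list below is a chosen sample.
$PrivilegedRoleNames = @('Global Administrator', 'Privileged Role Administrator', 'Security Administrator')
function Get-PrivilegedRoleInventory {
    param([string[]]$RoleNames = $PrivilegedRoleNames)
    $rows = [System.Collections.Generic.List[object]]::new()

    # Active assignments. Get-MgDirectoryRole lists roles that have been activated in the tenant;
    # members are returned as generic directory objects, so details live in AdditionalProperties.
    # A group assigned to a role appears here as the group, not as its individual members.
    foreach ($role in Get-MgDirectoryRole -All) {
        if ($role.DisplayName -notin $RoleNames) { continue }
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            $p = $member.AdditionalProperties
            $rows.Add([pscustomobject]@{
                Role           = $role.DisplayName
                AssignmentType = 'Active'
                Principal      = if ($p.userPrincipalName) { $p.userPrincipalName } else { $p.displayName }
                ObjectType     = [string]$p.'@odata.type' -replace '^#microsoft\.graph\.', ''
            })
        }
    }

    # PIM eligible assignments require Microsoft Entra ID P2 / Governance licensing. Without it
    # Graph returns an error; it is caught so the active-assignment inventory is still returned.
    # This cmdlet ships in Microsoft.Graph.Identity.Governance (assumed installed).
    try {
        $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
            -ExpandProperty @('principal', 'roleDefinition') -ErrorAction Stop
        foreach ($e in $eligible) {
            if ($e.RoleDefinition.DisplayName -notin $RoleNames) { continue }
            $p = $e.Principal.AdditionalProperties
            $rows.Add([pscustomobject]@{
                Role           = $e.RoleDefinition.DisplayName
                AssignmentType = 'Eligible'
                Principal      = if ($p.userPrincipalName) { $p.userPrincipalName } else { $p.displayName }
                ObjectType     = [string]$p.'@odata.type' -replace '^#microsoft\.graph\.', ''
            })
        }
    }
    catch {
        Write-Host 'PIM eligible assignments skipped: Microsoft Entra ID P2 license required.' -ForegroundColor Red
    }
    return $rows
}

$inventory = Get-PrivilegedRoleInventory
$inventory | Sort-Object Role, AssignmentType | Format-Table -AutoSize      # detailed view
$inventory | Group-Object Role | Select-Object Name, Count | Format-Table   # per-role counts
```

Because the report is only as complete as the caller's permissions, an empty Principal column for a role is a cue to check the granted scopes before concluding the role is unassigned.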
==========================================================
Disclaimer:
This tool is provided for informational, audit, and assessment
purposes only. It performs read-only operations and does not
modify any Microsoft Entra ID roles, users, or permissions.
The accuracy and completeness of the results depend on the
permissions granted to the authenticated account. Some data
may be limited or unavailable based on role-based access
controls or licensing (such as Microsoft Entra ID P2 for PIM).
This tool should not be considered a replacement for formal
security reviews, compliance assessments, or Microsoft
recommended governance practices.
The author assumes no responsibility for any errors, omissions,
or decisions made based on the output of this tool.