HOWTO: Get an overview of the Privileged roles assigned within an Azure AD tenant

Unless you’re using the Azure AD Privileged Identity Management (PIM) features that come with Azure AD Premium P2 licenses, getting an overview of the privileged roles assigned within an Azure AD tenant can be hard.

There is, however, a free, easy and Microsoft-supported way, using the AzureADIncidentResponse Windows PowerShell module.

Getting ready

First, we need to install the Windows PowerShell modules we need. Perform the following lines of Windows PowerShell in an elevated Windows PowerShell session:

Install-Module AzureAD -Force

Install-Module MSOnline -Force

Install-PackageProvider NuGet -Force

Install-Module PowerShellGet -Force

# MSAL.PS must be installed with the PowerShellGet version installed above, so run that step in a fresh process of the same PowerShell executable:
&(Get-Process -Id $pid).Path -Command { Install-Module MSAL.PS }

Install-Module AzureADIncidentResponse


Note:
We need to install both the AzureAD and MSOnline modules, because the AzureADIncidentResponse cmdlets draw on both and the output of the two modules differs. This is the state of Azure AD PowerShell today. With -Force, the above lines also install the latest version of a module that is already present, if you don’t run the latest version.

Note:
If you receive error ‘Unable to download’ when you try to install the AzureAD or MSOnline PowerShell Module, use these steps to resolve the situation.

Getting Azure AD Privileged roles

Microsoft shared its Azure AD Incident Response Windows PowerShell module on the PowerShell Gallery. Using the cmdlets in this Windows PowerShell module, we can easily get an overview of the Privileged roles assigned within an Azure AD tenant.

Run the following lines of Windows PowerShell to do so:

Import-Module AzureADIncidentResponse

Connect-AzureADIR <YourTenantId>

Sign in with an account that has sufficient permissions to read the directory roles and their members in your Azure AD tenant. By default, any member user account can do this, unless the tenant restricts users from reading other users’ information (the UsersPermissionToReadOtherUsersEnabled setting exposed by Set-MsolCompanySettings). By default, any guest user account can be used as well, unless guest user access has been restricted in the external collaboration settings.

Get-AzureADIRPrivilegedRoleAssignment <YourTenantId> | Out-GridView

These lines of Windows PowerShell result in a GridView window with one row per privileged role assignment. Each row shows the DirectoryRole that holds the assignment and its DirectoryRoleObjectId, together with the RoleMemberName, RoleMemberObjectType (typically User or ServicePrincipal), RoleMemberUPN and RoleMemberObjectId of the member. The RoleMemberEnabled column shows whether the member’s account is enabled; a disabled account that still holds a role is a stale assignment worth cleaning up. RoleMemberMail and RoleMemberAlternateEmail can be used to contact a privileged user if need be. Finally, RoleMemberOnPremDn provides the distinguished name (DN) of the user in on-premises Active Directory, if the user is synchronized from on-premises; a compromise of that forest reaches these roles too.

This information is presented per privileged role. If a user or service principal has multiple roles, multiple lines indicate these role memberships.

The information can be used to:

  • Get a quick overview of privileged users, even if the Azure AD tenant uses Azure AD free licenses.
  • Seek out dangerous service principals with privileged roles.
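
As an added example (not code from the original post, nor from the AzureADIncidentResponse module itself), the script below turns the GridView output into the checks listed above: service principals holding privileged roles, members holding more than one role, disabled accounts that still hold a role, synchronized accounts, and a count of Global Administrators. It uses only the two cmdlets and the output columns described in this post. Assumptions not taken from the post: the -TenantId value, the CSV path behind -ReportPath, the constructed sample rows used with -Offline, and the ‘Company Administrator’ alias the legacy APIs use for the Global Administrator role.

```powershell
# Added example for this post; not code from the original article or from the
# AzureADIncidentResponse module. It relies only on the cmdlets and output
# columns described above. Assumptions (not from the post): the -TenantId value,
# the CSV path in -ReportPath, and the constructed sample rows used with -Offline.
[CmdletBinding()]
param(
    [string]$TenantId,
    [string]$ReportPath = (Join-Path $env:TEMP 'PrivilegedRoleReview.csv'),
    [switch]$Offline    # analyse constructed sample rows instead of querying a tenant
)

function Get-PrivilegedRoleFindings {
    param([Parameter(Mandatory)][object[]]$Assignments)

    # Service principals holding a privileged role: their secrets and certificates
    # are effectively administrator credentials, so each one needs a named owner.
    $servicePrincipals = $Assignments | Where-Object { $_.RoleMemberObjectType -eq 'ServicePrincipal' }

    # The module emits one row per role, so group on the object ID (not the display
    # name, which need not be unique) to find members holding several roles.
    $multiRole = $Assignments | Group-Object RoleMemberObjectId | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                RoleMemberName = $_.Group[0].RoleMemberName
                RoleMemberUPN  = $_.Group[0].RoleMemberUPN
                Roles          = ($_.Group.DirectoryRole | Sort-Object -Unique) -join '; '
            }
        }

    # Disabled accounts that still hold a role are stale assignments to remove.
    $disabled = $Assignments | Where-Object { $_.RoleMemberEnabled -eq $false }

    # Synchronized accounts: whoever controls the on-premises forest (or the Azure AD
    # Connect server) controls these roles as well.
    $synced = $Assignments | Where-Object { -not [string]::IsNullOrEmpty($_.RoleMemberOnPremDn) }

    # The legacy APIs report Global Administrator as 'Company Administrator'; count both.
    $globalAdminNames = 'Global Administrator', 'Company Administrator'

    [pscustomobject]@{
        TotalAssignments  = @($Assignments).Count
        GlobalAdmins      = @($Assignments | Where-Object { $_.DirectoryRole -in $globalAdminNames }).Count
        ServicePrincipals = @($servicePrincipals)
        MultiRoleMembers  = @($multiRole)
        DisabledMembers   = @($disabled)
        SyncedMembers     = @($synced)
    }
}

function New-SampleAssignment {
    # Constructed sample row using the column names the module returns.
    param($Role, $Name, $Type, $Upn, $Id, [bool]$Enabled, $Dn)
    [pscustomobject]@{
        DirectoryRole = $Role; DirectoryRoleObjectId = [guid]::NewGuid()
        RoleMemberName = $Name; RoleMemberObjectType = $Type; RoleMemberUPN = $Upn
        RoleMemberObjectId = $Id; RoleMemberEnabled = $Enabled; RoleMemberMail = $Upn
        RoleMemberAlternateEmail = $null; RoleMemberOnPremDn = $Dn
    }
}

if ($Offline) {
    # Constructed data: one synced multi-role admin, one service principal with
    # Global Administrator, one disabled Global Administrator, one cloud-only admin.
    $assignments = @(
        (New-SampleAssignment 'Global Administrator' 'Alice Admin' 'User' 'alice@contoso.example' '1111' $true 'CN=Alice Admin,OU=Admins,DC=corp,DC=contoso,DC=example'),
        (New-SampleAssignment 'Exchange Administrator' 'Alice Admin' 'User' 'alice@contoso.example' '1111' $true 'CN=Alice Admin,OU=Admins,DC=corp,DC=contoso,DC=example'),
        (New-SampleAssignment 'Global Administrator' 'Legacy Automation' 'ServicePrincipal' $null '2222' $true $null),
        (New-SampleAssignment 'Global Administrator' 'Bob Leaver' 'User' 'bob@contoso.example' '3333' $false $null),
        (New-SampleAssignment 'User Administrator' 'Carol Cloud' 'User' 'carol@contoso.example' '4444' $true $null)
    )
} else {
    if (-not $TenantId) { throw 'Supply -TenantId, or use -Offline to run against the sample rows.' }
    Import-Module AzureADIncidentResponse
    Connect-AzureADIR -TenantId $TenantId
    $assignments = Get-AzureADIRPrivilegedRoleAssignment -TenantId $TenantId
}

$findings = Get-PrivilegedRoleFindings -Assignments $assignments

Write-Host ("{0} privileged role assignments, {1} Global Administrator(s)" -f $findings.TotalAssignments, $findings.GlobalAdmins)
Write-Host 'Service principals holding privileged roles:'
$findings.ServicePrincipals | Format-Table DirectoryRole, RoleMemberName, RoleMemberObjectId | Out-Host
Write-Host 'Members holding more than one privileged role:'
$findings.MultiRoleMembers | Format-Table | Out-Host
Write-Host 'Disabled accounts still holding a privileged role:'
$findings.DisabledMembers | Format-Table DirectoryRole, RoleMemberUPN | Out-Host
Write-Host 'Synchronized accounts holding a privileged role:'
$findings.SyncedMembers | Format-Table DirectoryRole, RoleMemberUPN, RoleMemberOnPremDn | Out-Host

# Keep the raw rows as a dated record of who held which role at the time of the review.
$assignments | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Full assignment list written to $ReportPath"
```

Save it under a name of your choosing (Review-PrivilegedRoles.ps1 is assumed here) and run .\Review-PrivilegedRoles.ps1 -Offline to see the checks applied to the sample rows, or .\Review-PrivilegedRoles.ps1 -TenantId <YourTenantId> against a real tenant after signing in. The grouping is done on RoleMemberObjectId rather than RoleMemberName because display names need not be unique, and the exported CSV gives you a snapshot to diff against on the next review.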

Concluding

While initially conceived as an incident response tool, the Azure AD Incident Response Windows PowerShell module proves useful for many other investigations.
