Quick report for all Directory Role members


One of the things that’s difficult about documenting an environment is figuring out who has what role memberships. What makes finding this information frustrating from an automation and formatting perspective is that the properties you need are spread across the output of different commands and don’t come together easily.

In this case, I’m talking about Get-MsolRole and Get-MsolRoleMember. I was trying to get data for a project and needed to document all role memberships. Here’s what I ended up using:

# Get every directory role in the tenant
$Roles = Get-MsolRole
# Start with an empty array so the results hold only real membership rows
$Membership = @()

Foreach ($Role in $Roles)
{
     # Members currently assigned to this role
     $RoleData = Get-MsolRoleMember -RoleObjectId $Role.ObjectId
     Foreach ($Entry in $RoleData)
     {
          $Obj = [pscustomobject]@{
               RoleName = $Role.Name
               RoleID = $Role.ObjectId
               MemberName = $Entry.DisplayName
               MemberEmail = $Entry.EmailAddress
          }
          $Membership += $Obj
     }
}

That way, you get the important data (the role name and ID, as well as the member’s name and email address), each nicely separated out so you can do something with it. To view it, just look at the $Membership object.

This will only list current directly-assigned members (or those with active PIM assignments). To look at eligible role members, we’ll need to use a different command. 🙂
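One way to turn the $Membership rows into a per-member review list for documentation, as an added example that is not part of the original script. The function name Get-RoleMembershipSummary, the sample records, the output file name, and the default privileged-role list are assumptions made for illustration.

```powershell
# Constructed sample rows in the same shape as the $Membership objects built above
# (names, IDs and addresses are made up). In a real run, pass $Membership instead.
$SampleMembership = @(
    [pscustomobject]@{ RoleName = 'Company Administrator'; RoleID = '00000000-0000-0000-0000-000000000001'; MemberName = 'Alex Admin'; MemberEmail = 'alex@example.com' }
    [pscustomobject]@{ RoleName = 'User Account Administrator'; RoleID = '00000000-0000-0000-0000-000000000002'; MemberName = 'Alex Admin'; MemberEmail = 'alex@example.com' }
    [pscustomobject]@{ RoleName = 'Helpdesk Administrator'; RoleID = '00000000-0000-0000-0000-000000000003'; MemberName = 'Sam Support'; MemberEmail = 'sam@example.com' }
    # Service principals typically have no email address, so MemberEmail is empty
    [pscustomobject]@{ RoleName = 'Directory Readers'; RoleID = '00000000-0000-0000-0000-000000000004'; MemberName = 'Backup App'; MemberEmail = $null }
)

function Get-RoleMembershipSummary {
    param(
        [Parameter(Mandatory)]
        [object[]]$Membership,

        # Assumption: role names treated as high-privilege; adjust for your tenant.
        [string[]]$PrivilegedRole = @('Company Administrator')
    )

    # Skip rows without a member name so they do not show up as blank members.
    $Valid = $Membership | Where-Object { $_.MemberName }

    # One output row per member, listing every role that member holds.
    $Valid | Group-Object -Property MemberName, MemberEmail | ForEach-Object {
        $Roles = @($_.Group.RoleName | Sort-Object -Unique)
        [pscustomobject]@{
            MemberName  = $_.Group[0].MemberName
            MemberEmail = $_.Group[0].MemberEmail
            RoleCount   = $Roles.Count
            Roles       = $Roles -join '; '
            Privileged  = [bool]($Roles | Where-Object { $_ -in $PrivilegedRole })
        }
    } | Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true },
                              @{ Expression = 'RoleCount'; Descending = $true },
                              MemberName
}

$Summary = Get-RoleMembershipSummary -Membership $SampleMembership
$Summary | Format-Table -AutoSize

# Flat file for the documentation deliverable
$Summary | Export-Csv -Path .\RoleMembershipSummary.csv -NoTypeInformation
```

Members holding a privileged role sort to the top, followed by members with the most roles, which makes the accounts most worth reviewing easy to spot.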