View roles assigned to a group in Azure Active Directory

This section describes how to view the roles assigned to a group using the Azure portal, PowerShell, or the Microsoft Graph API. Viewing groups and their assigned roles is a default user permission.

Prerequisites

  • AzureAD module when using PowerShell
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Groups.

  3. Select a role-assignable group that you are interested in.

  4. Select Assigned roles. You can now see all the Azure AD roles assigned to this group.

    View all roles assigned to a selected group

PowerShell

Get object ID of the group

Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators"

View role assignment to a group

Get-AzureADMSRoleAssignment -Filter "principalId eq '<object id of group>'"
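
The two PowerShell steps above can be chained into one audit script. This is an added example, not part of the original documentation: it assumes Connect-AzureAD has already been run, uses the sample group name from this page, and the variable names and report columns are illustrative.

```powershell
# Added example. Assumes the AzureAD module is loaded and Connect-AzureAD has
# already been run in this session. $groupName is the sample name from the page.
$groupName = 'Contoso_Helpdesk_Administrators'

# -SearchString can return more than one group, so keep only exact display-name
# matches and refuse to continue unless exactly one group is left.
$groups = @(Get-AzureADMSGroup -SearchString $groupName |
    Where-Object { $_.DisplayName -eq $groupName })
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($groups.Count)."
}
$group = $groups[0]

# Role assignments whose principal is the group itself.
$assignments = @(Get-AzureADMSRoleAssignment -Filter "principalId eq '$($group.Id)'")

if ($assignments.Count -eq 0) {
    Write-Output "No Azure AD roles are assigned to '$groupName'."
}
else {
    # Resolve each role definition ID to its display name for the report.
    $assignments | ForEach-Object {
        $role = Get-AzureADMSRoleDefinition -Id $_.RoleDefinitionId
        [pscustomobject]@{
            Group            = $group.DisplayName
            GroupId          = $group.Id
            Role             = $role.DisplayName
            RoleDefinitionId = $_.RoleDefinitionId
            AssignmentId     = $_.Id
        }
    } | Format-Table -AutoSize
}
```

Stopping on an ambiguous name matters for access reviews: reporting on the wrong group can hide a privileged assignment on the group that was actually meant.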

Microsoft Graph API

Get object ID of the group

GET https://graph.microsoft.com/beta/groups?$filter=displayName+eq+'Contoso_Helpdesk_Administrator'

Get role assignments to a group

GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter=principalId eq '<object id of group>'
