List Azure AD role assignments

This article describes how to list roles you have assigned in Azure Active Directory (Azure AD). In Azure AD, roles can be assigned at an organization-wide scope or with a single-application scope.

  • Role assignments at the organization-wide scope are added to and can be seen in the list of single application role assignments.
  • Role assignments at the single application scope aren't added to and can't be seen in the list of organization-wide scoped assignments.

Prerequisites

  • AzureADPreview module when using PowerShell
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

This procedure describes how to list role assignments with organization-wide scope.

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Roles and administrators and then select a role to open it and view its properties.

  3. Select Assignments to list the role assignments.


List my role assignments

It's easy to list your own permissions as well. Select Your Role on the Roles and administrators page to see the roles that are currently assigned to you.

Download role assignments

To download all assignments for a specific role, on the Roles and administrators page, select a role, and then select Download role assignments. A CSV file that lists assignments at all scopes for that role is downloaded.


List role assignments with single-application scope

This section describes how to list role assignments with single-application scope. This feature is currently in public preview.

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > App registrations, and then select the app registration to view its properties. You might have to select All applications to see the complete list of app registrations in your Azure AD organization.


  3. In the app registration, select Roles and administrators, and then select a role to view its properties.


  4. Select Assignments to list the role assignments. Opening the assignments page from within the app registration shows you the role assignments that are scoped to this Azure AD resource.


PowerShell

This section describes viewing assignments of a role with organization-wide scope. This article uses the Azure Active Directory PowerShell Version 2 module. To view single-application scope assignments using PowerShell, you can use the cmdlets in Assign custom roles with PowerShell.

Example of listing the role assignments.

# Fetch list of all directory roles with template ID
Get-AzureADMSRoleDefinition

# Fetch a specific directory role by ID
$role = Get-AzureADMSRoleDefinition -Id "5b3fe201-fa8b-4144-b6f1-875829ff7543"

# Fetch membership for a role
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"

Microsoft Graph API

This section describes how to list role assignments with organization-wide scope. To list single-application scope role assignments using Graph API, you can use the operations in Assign custom roles with Graph API.

HTTP request to get a role assignment for a given role definition.

GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '<template-id-of-role-definition>'

Response

HTTP/1.1 200 OK
{
    "id":"CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
    "principalId":"ab2e1023-bddc-4038-9ac1-ad4843e7e539",
    "roleDefinitionId":"3671d40a-1aac-426c-a0c1-a3821ebd8218",
    "directoryScopeId":"/"
}
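
The following Python sketch is an added example, not Microsoft's code. It builds the filtered request URL with the filter percent-encoded, then separates organization-wide assignments from single-application ones in a response body. It assumes that list responses wrap items in a "value" array and that an app-scoped assignment carries "/<object ID of the app registration>" in directoryScopeId; the function names and the second sample assignment are constructed for illustration.

```python
import json
import uuid
from urllib.parse import quote

BASE = "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments"

def assignments_url(role_definition_id):
    """Build the filtered list URL for one role definition."""
    # Accept only a GUID so caller input cannot alter the OData filter.
    role_id = str(uuid.UUID(role_definition_id))
    odata_filter = f"roleDefinitionId eq '{role_id}'"
    # The query string starts with '?'; spaces and quotes are percent-encoded.
    return f"{BASE}?$filter={quote(odata_filter, safe='')}"

def split_by_scope(body):
    """Return (org_wide_principals, {scope: principals}) from a response body."""
    doc = json.loads(body)
    # Assumption: list responses wrap items in "value"; a bare object is also accepted.
    items = doc["value"] if "value" in doc else [doc]
    org_wide, scoped = [], {}
    for item in items:
        if item["directoryScopeId"] == "/":
            org_wide.append(item["principalId"])
        else:
            scoped.setdefault(item["directoryScopeId"], []).append(item["principalId"])
    return org_wide, scoped

def principals_for_app(body, app_object_id):
    """Principals holding the role over one app registration: organization-wide
    assignments apply to every app, so they are merged with the app-scoped ones."""
    org_wide, scoped = split_by_scope(body)
    return sorted(set(org_wide) | set(scoped.get(f"/{app_object_id}", [])))

# Constructed sample: the first entry is the page's response object, the second
# is a made-up single-application assignment (hypothetical IDs).
SAMPLE = json.dumps({"value": [
    {"id": "CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
     "principalId": "ab2e1023-bddc-4038-9ac1-ad4843e7e539",
     "roleDefinitionId": "3671d40a-1aac-426c-a0c1-a3821ebd8218",
     "directoryScopeId": "/"},
    {"id": "constructed-assignment-2",
     "principalId": "00000000-0000-0000-0000-000000000001",
     "roleDefinitionId": "3671d40a-1aac-426c-a0c1-a3821ebd8218",
     "directoryScopeId": "/11111111-1111-1111-1111-111111111111"},
]})

if __name__ == "__main__":
    print(assignments_url("3671d40a-1aac-426c-a0c1-a3821ebd8218"))
    print(split_by_scope(SAMPLE))
    print(principals_for_app(SAMPLE, "11111111-1111-1111-1111-111111111111"))
```

When reviewing who can administer a single app registration, merge both lists as principals_for_app does, because the organization-wide list alone omits app-scoped assignments.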
