Get PIM Role Assignment Status For Azure AD Using Powershell

If you’re like me and you love to run reports to get valuable information for your tenant and settings, the get PIM role assignment status is the script for you. Recently I was running a report to audit user permissions in Azure AD and realized that my data was off by a bit. I knew some users were added to Privilege Identity Management (PIM) roles but they weren’t showing up in my report.

The reason they weren’t showing up is because I was using the Get-AzureADDirectoryRoleMember cmdlet and that only shows users with current or activated access. If a user was not elevated in PIM, they basically didn’t have access so it skewing my results.

Get AzureADDirectoryRole Users Azure AD


To give you a better idea of what I’m talking about, the above is a sample of the Helpdesk Administrators role. In the Azure AD GUI, the user is added as an eligible role, meaning he can elevate his just in time access. However in Powershell, since the role is not activated, it is not going to display.

Therefore we are going to use the Get-AzureADMSPrivilegedRoleDefinition Azure AD cmdlet to display the list of roles available and the Get-AzureADMSPrivilegedRoleAssignment to filter for the user we’re specifying.

Requirements for this script to work

In order to make this work you’ll need the following:

  • AzureADPreview Powershell module.

I want to emphasize the “preview” in the name of the module. Using just the regular AzureAD module is not not going to work so that’s something to keep in mind.

Script Parameters


Specify the UserPrincipalName for the user you want to check roles for.


By default it will use the TenantId from your current session. If you’re connected to a multi-tenant, you can specify the tenant here.

Get PIM Role Assignment Status For Azure AD Using Powershell

By using this script you’ll be able to see all the people who have standing access as well as PIM eligible roles.

Function Get-PIMRoleAssignment {
    This will check if a user is added to PIM or standing access.
    For updated help and examples refer to -Online version.

    Name: Get-PIMRoleAssignment
    Author: theSysadminChannel
    Version: 1.0
    DateCreated: 2021-May-15

    Get-PIMRoleAssignment -UserPrincipalName [email protected]

    https://thesysadminchannel.com/get-pim-role-assignment-status-for-azure-ad-using-powershell -

            Mandatory = $true,
            Position  = 0
        [string[]]  $UserPrincipalName,

        [string]    $TenantId

    BEGIN {
        $SessionInfo = Get-AzureADCurrentSessionInfo -ErrorAction Stop
        if (-not ($PSBoundParameters.ContainsKey('TenantId'))) {
            $TenantId = $SessionInfo.TenantId

        $AdminRoles = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantId -ErrorAction Stop | select Id, DisplayName

        Foreach ($User in $UserPrincipalName) {
            try {
                $AzureUser = Get-AzureADUser -ObjectId $User -ErrorAction Stop | select DisplayName, UserPrincipalName, ObjectId
                $UserRoles = Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $TenantId -Filter "subjectId eq '$($AzureUser.ObjectId)'"

                if ($UserRoles) {
                    foreach ($Role in $UserRoles) {
                        $RoleObject = $AdminRoles | Where-Object {$Role.RoleDefinitionId -eq $_.id}

                            UserPrincipalName = $AzureUser.UserPrincipalName
                            AzureADRole       = $RoleObject.DisplayName
                            PIMAssignment     = $Role.AssignmentState
            } catch {
                Write-Error $_.Exception.Message


    END {}


Get PIM Role Assignment Status For Azure AD Using Powershell


We can now see that the Helpdesk Administrator is now showing up in our output and in the Assignment column it is labeled as Eligible.


Get PIM role assignment status for Azure AD using Powershell will now be in your arsenal of cool tips and tricks for your Syadmin role. If you’re interested in more scripts like this, be sure to check out our Powershell Gallery or Azure Content. Finally, be sure to check out our Youtube Channel for any video content.


Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.