Coding Stephan

Extract all Azure AD admin accounts

PowerShell is pretty powerful for all kinds of administrative tasks, especially if you load some extra modules. We use the AzureAD module for a lot of tasks that can be (semi-)automated with a script. In this post I described how to extract all users from Azure AD as a regular user, and what you should do about it.

Extracting users isn’t the only thing you can do with Azure AD PowerShell: this page shows how to export all Azure AD Global Administrators, something ANY user in your tenant can do unless you take action against it.

Install AzureAD module

Installing a module should be a breeze; for completeness, here is the command:

Install-Module AzureAD
# or just importing if previously installed
# Import-Module AzureAD

Get all Global Admins

Let’s say you want a list of all Global Administrators in your tenant, for instance to store it “safely” in a CSV file on your local machine.

# This will open a Microsoft login screen and save the resulting session
$session = Connect-AzureAD

# Load the correct role (change the name for another role)
# or run Get-AzureADDirectoryRole without a filter to list all roles
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'"
$admins = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

# Show admins
$admins | Format-Table

That was easy: 4 lines of “code” and you know which user accounts have access to all Azure AD resources in your organization.

Get all admins in a single line of code

For faster copy/pasting, here is the same code as a one-liner.

$session = Connect-AzureAD; $role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'"; Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Format-Table

Other roles

Finding a Global Administrator account might be really useful. If you’re targeting some specific application, members of a different role might also be enough. The Azure AD built-in roles documentation describes all the roles that Azure AD has built-in.

The Application Administrator role is interesting since it can add additional applications, which might grant access to other parts of the directory.
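As an added example that is not part of the original post, the script below combines the two ideas above: it audits the membership of several privileged roles (Global Administrator plus the other roles just mentioned) and writes the result to the CSV file the earlier section talked about. It assumes the AzureAD module is installed, an interactive Connect-AzureAD sign-in, and the output path is a placeholder you should change.

```powershell
# Added example: audit the members of several privileged Azure AD roles and export them to CSV.
# Assumes the AzureAD module is installed; Connect-AzureAD opens the interactive login screen.
Import-Module AzureAD
$session = Connect-AzureAD

# Built-in role display names to audit; extend the list as needed
$roleNames = @(
    'Global Administrator',
    'Application Administrator',
    'Privileged Role Administrator'
)

# Caveat: Get-AzureADDirectoryRole only returns roles that have been activated in the
# tenant (i.e. have had at least one assignment). A role missing here has no members yet.
$activeRoles = Get-AzureADDirectoryRole

$report = foreach ($name in $roleNames) {
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $name }
    if (-not $role) {
        Write-Warning "Role '$name' is not activated in this tenant (no members)."
        continue
    }
    # Members can be users, service principals or role-assignable groups
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
        [PSCustomObject]@{
            Role              = $name
            DisplayName       = $_.DisplayName
            UserPrincipalName = $_.UserPrincipalName   # empty for service principals and groups
            ObjectType        = $_.ObjectType          # User, ServicePrincipal or Group
            ObjectId          = $_.ObjectId
        }
    }
}

# Show the result and write it to a CSV file (placeholder path; store it somewhere only admins can read)
$report | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\Temp\aad-privileged-roles.csv' -NoTypeInformation
```

Comparing this export between runs is a cheap way to spot unexpected additions to privileged roles, including service principals that a per-user review would miss.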