when I run this command:
Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $global:varTenant.ObjectId | Format-List
None of the results have any values for the fields I've outlined in red. For example, roles that I know have active assignments don't show any value in the ActiveAssignmentCount property. How can I get those values to populate?
I tried in my environment and got below results:
When I execute the commands and got same output like below :
Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $global:varTenant.ObjectId | Format-List
PIM.You can get the active and eligible assignments by running this command:
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "< tenant Id >" -Filter "subjectId eq '< User id>'''
Output:
Make use of below scripts to get the Active assignments count and Eligible assignments count.
Activeassignmentscount:
To get the specific user for Activeassignmentcount you can use this script.
$Pims= Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "< Tenant ID>" -Filter "subjectId eq '< User object Id >'"
$count=0
Foreach($pim in $Pims.AssignmentState)
{
If($pim -eq “Active” )
{
$count++
$ActiveAssignmentCount=$count
}
}
Write-Host "ActiveAssignmentCount = " $ActiveAssignmentCount
Write-Host " "
Powershell:
Eligibleassignmentscount:
To get the specific user for Eligibleassignmentcount you can use this script.
$Pims= Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "< Tenantid >" -Filter "subjectId eq 'userid'"
$count=0
Foreach($pim in $Pims.AssignmentState)
{
If($pim -eq “Eligible” )
{
$count++
$EligibleAssignmentCount=$count
}
}Write-Host "EligibleAsssignmentCount = " $EligibleAssignmentCount Write-Host " "
Refer this link you can also get the process through graph explorer.
