List Microsoft Entra role definitions
A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically just called a role. Microsoft Entra ID has over 60 built-in roles, or you can create your own custom roles. If you ever wondered "What do these roles really do?", you can see a detailed list of permissions for each of the roles.
This article describes how to list the Microsoft Entra built-in and custom roles along with their permissions.
Prerequisites
- Microsoft Graph PowerShell SDK installed when using PowerShell
For more information, see Prerequisites to use PowerShell.
Microsoft Entra admin center
Tip
Steps in this article might vary slightly based on the portal you start from.
Sign in to the Microsoft Entra admin center.
Browse to Identity > Roles & admins > Roles & admins.
On the right, select the ellipsis and then Description to see the complete list of permissions for a role.
The page includes links to relevant documentation to help guide you through managing roles.
PowerShell
Follow these steps to list Microsoft Entra roles using PowerShell.
Open a PowerShell window. If necessary, use Install-Module to install Microsoft Graph PowerShell. For more information, see Prerequisites to use PowerShell.
Install-Module Microsoft.Graph -Scope CurrentUser
In a PowerShell window, use Connect-MgGraph to sign in to your tenant.
Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "RoleManagement.Read.All"
Use Get-MgRoleManagementDirectoryRoleDefinition to get all roles.
Get-MgRoleManagementDirectoryRoleDefinition
To view the list of permissions of a role, use the following cmdlet.
# Do this to avoid truncation of the list of permissions
$FormatEnumerationLimit = -1
(Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Conditional Access Administrator'").RolePermissions | Format-List
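The following added example (not part of the original article) flattens role definitions into one row per role and allowed action, so you can see which built-in and custom roles grant a given permission. The function name `Get-RoleActionReport`, the custom role name, and the sample data are assumptions made for illustration; the sample objects are constructed to mirror the shape of `Get-MgRoleManagementDirectoryRoleDefinition` output so the block runs without a tenant connection.

```powershell
# Added example: hypothetical helper, not a Microsoft Graph cmdlet.
function Get-RoleActionReport {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-MgRoleManagementDirectoryRoleDefinition output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $RoleDefinition,

        # Wildcard pattern matched against each allowed resource action
        [string] $ActionPattern = '*'
    )
    process {
        foreach ($role in $RoleDefinition) {
            foreach ($perm in $role.RolePermissions) {
                foreach ($action in $perm.AllowedResourceActions) {
                    if ($action -like $ActionPattern) {
                        [pscustomobject]@{
                            Role      = $role.DisplayName
                            IsBuiltIn = [bool]$role.IsBuiltIn
                            Action    = $action
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample input (not real tenant data); the custom role is hypothetical.
$sample = @(
    [pscustomobject]@{
        DisplayName = 'Conditional Access Administrator'; IsBuiltIn = $true
        RolePermissions = @([pscustomobject]@{ AllowedResourceActions = @(
            'microsoft.directory/conditionalAccessPolicies/create',
            'microsoft.directory/conditionalAccessPolicies/delete') })
    },
    [pscustomobject]@{
        DisplayName = 'Contoso CA Policy Editor'; IsBuiltIn = $false
        RolePermissions = @([pscustomobject]@{ AllowedResourceActions = @(
            'microsoft.directory/conditionalAccessPolicies/basic/update',
            'microsoft.directory/users/standard/read') })
    }
)

# Lists every role that can act on Conditional Access policies, custom roles first.
$sample | Get-RoleActionReport -ActionPattern '*/conditionalAccessPolicies/*' |
    Sort-Object IsBuiltIn, Role | Format-Table -AutoSize

# Against a live tenant, after Connect-MgGraph with RoleManagement.Read.All:
# Get-MgRoleManagementDirectoryRoleDefinition -All |
#     Get-RoleActionReport -ActionPattern '*/conditionalAccessPolicies/*'
```

Rows with `IsBuiltIn` set to `False` are custom roles, which are worth reviewing first because their permission sets are defined by the tenant rather than by Microsoft.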