PIMSCAN
Tool for creating reports on Entra ID Role Assignments
Prerequisites
- PowerShell module: MSAL.PS

```powershell
Install-Module MSAL.PS -Scope CurrentUser -Force -Confirm:$False
```
Minimum Permissions with limited data
- Use the parameter -LimitedReadOnly: `.\PIMSCAN.ps1 -TenantId <TenantID> -Show -Verbose -LimitedReadOnly`
- Global Reader role
- Consent to these delegated scopes on the enterprise app Microsoft Graph Command Line Tools:
- AdministrativeUnit.Read.All
- Directory.Read.All
- Group.Read.All
- PrivilegedAccess.Read.AzureAD
- PrivilegedAccess.Read.AzureADGroup
- PrivilegedAccess.Read.AzureResources
- PrivilegedAssignmentSchedule.Read.AzureADGroup
- PrivilegedEligibilitySchedule.Read.AzureADGroup
- RoleAssignmentSchedule.Read.Directory
- RoleEligibilitySchedule.Read.Directory
- RoleManagement.Read.All
- RoleManagement.Read.Directory
- RoleManagementAlert.Read.Directory
- RoleManagementPolicy.Read.Directory
- RoleManagementPolicy.Read.AzureADGroup
- User.Read
- User.Read.All
- offline_access
Run the following grant command as a Global Admin to grant a specific user the read-only scopes. ClientId and ResourceId are the object IDs of the client and resource service principals in your tenant (not application IDs), so look them up with Get-MgServicePrincipal rather than reusing the values below.

```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Directory.AccessAsUser.All" -TenantId "<Your Tenant ID>"
$scopesOnlyRead = "AdministrativeUnit.Read.All Directory.Read.All Group.Read.All PrivilegedAccess.Read.AzureAD PrivilegedAccess.Read.AzureADGroup PrivilegedAccess.Read.AzureResources PrivilegedAssignmentSchedule.Read.AzureADGroup PrivilegedEligibilitySchedule.Read.AzureADGroup RoleAssignmentSchedule.Read.Directory RoleEligibilitySchedule.Read.Directory RoleManagement.Read.All RoleManagement.Read.Directory RoleManagementAlert.Read.Directory RoleManagementPolicy.Read.Directory RoleManagementPolicy.Read.AzureADGroup User.Read User.Read.All offline_access"
$params = @{
    # Microsoft Graph Command Line Tools (service principal object ID in this tenant)
    ClientId = "4ad243ae-ea7f-4496-949e-4c64f1e96d71"
    # Single user consent
    ConsentType = "Principal"
    # Principal to allow consent for
    PrincipalId = "<Principal Object ID>"
    # GraphAggregatorService (Microsoft Graph service principal object ID in this tenant)
    ResourceId = "4131d640-34dd-4690-ad11-45ddcd773304"
    # List of scopes/permissions
    Scope = $scopesOnlyRead
}
New-MgOauth2PermissionGrant -BodyParameter $params
```
With read-only scopes you will not be able to collect the data in the table below:

| Object | Attribute | Description | Required Permission |
| -------- | ------- | -------- | -------- |
| roleAssignmentScheduleRequests | justification | Supplied justification | RoleAssignmentSchedule.ReadWrite.Directory |
| roleAssignmentScheduleRequests | status | State of the request | RoleAssignmentSchedule.ReadWrite.Directory |
| roleAssignmentScheduleRequests | createdDateTime | Creation date of the request | RoleAssignmentSchedule.ReadWrite.Directory |
| roleEligibilityScheduleRequests | justification | Supplied justification | RoleEligibilitySchedule.ReadWrite.Directory |
| roleEligibilityScheduleRequests | status | State of the request | RoleEligibilitySchedule.ReadWrite.Directory |
| roleEligibilityScheduleRequests | createdDateTime | Creation date of the request | RoleEligibilitySchedule.ReadWrite.Directory |
Full access with Write scopes for roleAssignmentScheduleRequests and roleEligibilityScheduleRequests
- You must have, or be able to consent to, the following scopes on the enterprise app Microsoft Graph Command Line Tools:
- AdministrativeUnit.Read.All
- Directory.Read.All
- Group.Read.All
- PrivilegedAccess.Read.AzureAD
- PrivilegedAccess.Read.AzureADGroup
- PrivilegedAccess.Read.AzureResources
- PrivilegedAssignmentSchedule.Read.AzureADGroup
- PrivilegedEligibilitySchedule.Read.AzureADGroup
- RoleAssignmentSchedule.Read.Directory
- RoleAssignmentSchedule.ReadWrite.Directory
- RoleEligibilitySchedule.Read.Directory
- RoleEligibilitySchedule.ReadWrite.Directory
- RoleManagement.Read.All
- RoleManagement.Read.Directory
- RoleManagementAlert.Read.Directory
- RoleManagementPolicy.Read.Directory
- RoleManagementPolicy.Read.AzureADGroup
- User.Read
- User.Read.All
- offline_access
Run the following grant command as a Global Admin to grant a specific user the read and write scopes. As above, ClientId and ResourceId are tenant-specific service principal object IDs, not application IDs.

```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Directory.AccessAsUser.All" -TenantId "<Your Tenant ID>"
$scopesWrite = "AdministrativeUnit.Read.All Directory.Read.All Group.Read.All PrivilegedAccess.Read.AzureAD PrivilegedAccess.Read.AzureADGroup PrivilegedAccess.Read.AzureResources PrivilegedAssignmentSchedule.Read.AzureADGroup PrivilegedEligibilitySchedule.Read.AzureADGroup RoleAssignmentSchedule.Read.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleEligibilitySchedule.Read.Directory RoleEligibilitySchedule.ReadWrite.Directory RoleManagement.Read.All RoleManagement.Read.Directory RoleManagementAlert.Read.Directory RoleManagementPolicy.Read.Directory RoleManagementPolicy.Read.AzureADGroup User.Read User.Read.All offline_access"
$params = @{
    # Microsoft Graph Command Line Tools (service principal object ID in this tenant)
    ClientId = "4ad243ae-ea7f-4496-949e-4c64f1e96d71"
    # Single user consent
    ConsentType = "Principal"
    # Principal to allow consent for
    PrincipalId = "<Principal Object ID>"
    # GraphAggregatorService (Microsoft Graph service principal object ID in this tenant)
    ResourceId = "4131d640-34dd-4690-ad11-45ddcd773304"
    # List of scopes/permissions
    Scope = $scopesWrite
}
New-MgOauth2PermissionGrant -BodyParameter $params
```
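Both grant blocks above hard-code ClientId and ResourceId, which are service principal object IDs from the author's tenant, and they create a new oauth2PermissionGrant every time they run. The script below is an added example, not PIMSCAN's own code: it resolves the object IDs in the tenant it is run against, reuses and extends an existing grant for the same (client, resource, principal) triple instead of duplicating it, and reads the grant back to confirm every requested scope is present. It assumes the Microsoft.Graph module is installed, the caller is a Global Admin, and the parameter names (`-TenantId`, `-PrincipalUpn`, `-ClientDisplayName`, `-Scopes`) are this example's own. The default scope list is the read-only list; pass the write list with `-Scopes` for the full-access variant.

```powershell
<#
  Added example, not part of PIMSCAN: grant the PIMSCAN scopes to one user without
  hard-coding tenant-specific service principal object IDs and without creating a
  duplicate oauth2PermissionGrant on re-runs. Parameter names are assumptions.
  Run as a Global Admin with the Microsoft.Graph module installed.
#>
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $PrincipalUpn,
    # Display name of the client enterprise app the README grants against
    [string] $ClientDisplayName = 'Microsoft Graph Command Line Tools',
    # Read-only list from the README; pass the write list for the full-access variant
    [string[]] $Scopes = @(
        'AdministrativeUnit.Read.All', 'Directory.Read.All', 'Group.Read.All',
        'PrivilegedAccess.Read.AzureAD', 'PrivilegedAccess.Read.AzureADGroup',
        'PrivilegedAccess.Read.AzureResources',
        'PrivilegedAssignmentSchedule.Read.AzureADGroup',
        'PrivilegedEligibilitySchedule.Read.AzureADGroup',
        'RoleAssignmentSchedule.Read.Directory', 'RoleEligibilitySchedule.Read.Directory',
        'RoleManagement.Read.All', 'RoleManagement.Read.Directory',
        'RoleManagementAlert.Read.Directory', 'RoleManagementPolicy.Read.Directory',
        'RoleManagementPolicy.Read.AzureADGroup',
        'User.Read', 'User.Read.All', 'offline_access'
    )
)

# Least-privilege scopes for this script itself: write delegated grants, read SPs and users.
Connect-MgGraph -TenantId $TenantId -NoWelcome `
    -Scopes 'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All', 'User.Read.All'

# oauth2PermissionGrant takes service principal OBJECT IDs (not appIds); these differ per tenant.
$client = Get-MgServicePrincipal -Filter "displayName eq '$ClientDisplayName'" | Select-Object -First 1
if (-not $client) {
    throw "Service principal '$ClientDisplayName' not found in tenant $TenantId; sign in to it once so the SP is created."
}
# Microsoft Graph resource SP: its appId is the same in every tenant, its object ID is not.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" | Select-Object -First 1
$user  = Get-MgUser -UserId $PrincipalUpn

# One grant per (client, resource, principal) triple: find an existing one rather than duplicating it.
$existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)'" -All |
    Where-Object { $_.ResourceId -eq $graph.Id -and $_.PrincipalId -eq $user.Id } |
    Select-Object -First 1

if ($existing) {
    # Merge so scopes the user already holds (e.g. from earlier self-consent) are not dropped.
    $merged = @(($existing.Scope -split ' ') | Where-Object { $_ }) + $Scopes | Sort-Object -Unique
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope ($merged -join ' ')
    $grantId = $existing.Id
} else {
    $grant = New-MgOauth2PermissionGrant -BodyParameter @{
        ClientId    = $client.Id
        ConsentType = 'Principal'        # consent for this one user only, not the whole tenant
        PrincipalId = $user.Id
        ResourceId  = $graph.Id
        Scope       = ($Scopes -join ' ')
    }
    $grantId = $grant.Id
}

# Verify: read the grant back and report anything PIMSCAN would still be missing.
$final   = Get-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grantId
$held    = ($final.Scope -split ' ') | Where-Object { $_ }
$missing = $Scopes | Where-Object { $held -notcontains $_ }
if ($missing) {
    Write-Warning "Grant $grantId still lacks: $($missing -join ', ')"
} else {
    Write-Host "Grant $grantId gives $PrincipalUpn all $($Scopes.Count) requested scopes on Microsoft Graph via '$ClientDisplayName'."
}
```

Saved as, for instance, `Grant-PimscanScopes.ps1` (a name chosen for this example), it is run as `.\Grant-PimscanScopes.ps1 -TenantId <TenantID> -PrincipalUpn user@contoso.com`. The merge step matters because Update-MgOauth2PermissionGrant replaces the whole Scope string; writing only the new list would silently revoke whatever the user had consented to before.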
Usage

Read-only, limited data:

```powershell
.\PIMSCAN.ps1 -TenantId <TenantID> -Show -Verbose -LimitedReadOnly
```

Get all data:

```powershell
.\PIMSCAN.ps1 -TenantId <TenantID> -Show -Verbose
```

Results are saved in an HTML file. Open Entra_ID_Role_Report_[TenantID].html if you did not use the -Show parameter.