List Microsoft Entra role assignments
This article describes how to list roles you have assigned in Microsoft Entra ID using the Microsoft Entra admin center, Microsoft Graph PowerShell, or Microsoft Graph API.
Role assignments contain information linking a given security principal (a user, group, or application service principal) to a role definition. Listing users, groups, and assigned roles are default user permissions.
Scopes
In Microsoft Entra ID, roles can be assigned at different scopes.
- Role assignments at tenant scope are added to and can be seen in the list of single application role assignments.
- Role assignments at the single application scope aren't added to and can't be seen in the list of tenant scoped assignments.
Prerequisites
- Microsoft Graph PowerShell module when using PowerShell
For more information, see Prerequisites to use PowerShell.
List Microsoft Entra role assignments
Tip
Steps in this article might vary slightly based on the portal you start from.
List my role assignments
It's easy to list your own permissions as well. On the Roles and administrators page, select Your Role to see the roles that are currently assigned to you.
List role assignments for a user
Follow these steps to list Microsoft Entra roles for a user using the Microsoft Entra admin center. Your experience will be different depending on whether you have Microsoft Entra Privileged Identity Management (PIM) enabled.
Sign in to the Microsoft Entra admin center.
Browse to Identity > Users > All users.
Select user name > Assigned roles.
You can see the list of roles assigned to the user at different scopes. Additionally, you can see whether the role has been assigned directly or via a group.
If you have a Microsoft Entra ID P2 license, you'll see the PIM experience, which has eligible, active, and expired role assignment details.
List role assignments for a group
Sign in to the Microsoft Entra admin center.
Browse to Identity > Groups > All groups.
Select a role-assignable group.
To determine if a group is role-assignable, you can view the Properties for the group.
Select Assigned roles.
You can now see all the Microsoft Entra roles assigned to this group. If you don't see the Assigned roles option, the group is not a role-assignable group.
Download role assignments
To download all active role assignments across all roles, including built-in and custom roles, follow these steps.
Bulk operations can only run for up to 1 hour and has limitations in large tenants. For more information, see Bulk operations and Bulk create users in Microsoft Entra ID.
On the Roles and administrators page, select All roles.
Select Download assignments.
Specify a file name and select Start download.
A CSV file that lists assignments at all scopes for all roles is downloaded.
To download role assignments for a specific role, follow these steps.
On the Roles and administrators page, select a role.
Select Download assignments.
If you have a Microsoft Entra ID P2 license, you'll see the PIM experience. Select Export to download the role assignments.
A CSV file that lists assignments at all scopes for that role is downloaded.
List role assignments with tenant scope
This procedure describes how to list role assignments with tenant scope.
Sign in to the Microsoft Entra admin center.
Browse to Identity > Roles & admins > Roles & admins.
Select a role name to open the role. Don't add a check mark next to the role.
Select Assignments to list the role assignments.
In the Scope column, see the role assignments with Directory scope.
List role assignments with app registration scope
This section describes how to list role assignments with single-application scope.
Sign in to the Microsoft Entra admin center.
Browse to Identity > Applications > App registrations.
Select an app registration for the list of role assignments you want to view.
You might have to select All applications to see the complete list of app registrations in your Microsoft Entra organization.
Select Roles and administrators.
Select a role name to open the role.
Select Assignments to list the role assignments.
Opening the assignments page from within the app registration shows you the role assignments that are scoped to this Microsoft Entra resource.
In the Scope column, see the role assignments with This resource scope.
List role assignments with administrative unit scope
You can view all the role assignments created with an administrative unit scope in the Admin units section of the Microsoft Entra admin center.
Sign in to the Microsoft Entra admin center.
Browse to Identity > Roles & admins > Admin units.
Select an administrative unit for the list of role assignments you want to view.
Select Roles and administrators.
Select a role name to open the role.
Select Assignments to list the role assignments.
In the Scope column, see the role assignments with This resource scope.