Forum Discussion

ktc2
Copper Contributor
Feb 21, 2025

A little help please with Get-AzADObject

I am trying to write a PowerShell script that will list the users who hold specified Azure roles into a .csv file for security reviews. I'm new to PowerShell and I've been struggling with this for far too long on my own.

Here's what I've got:

I keep getting the error:

    Get-AzADObject: The term 'Get-AzADObject' is not recognized as a name of a cmdlet, function, script file, or executable program.
    Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I've already used:

Get-Module AzureAD

Install-Module AzureAD

Import-Module AzureAD

With no errors on any of those.


What am I missing, please?

  • kcelmer
    Copper Contributor

    I greatly appreciate your help. This results in a series of the error below:

    Get-AzADUser: 
    Line |
      20 |          $principal = Get-AzADUser -ObjectId $principalId -ErrorAction …
         |                                              ~~~~~~~~~~~~
         | Cannot bind argument to parameter 'ObjectId' because it is an empty string.


    Should I change Principal to PrincipalID everywhere?

  • AP_TC_ECASD
    Copper Contributor

    It looks like you're mixing AzureAD and Az PowerShell modules, which are separate. Get-AzADObject is not a valid cmdlet in the Az module. Instead, use Get-AzADUser for users and Get-AzADGroup for groups.

    Here’s a corrected version of your script:

    Fixed Issues:

    1. Incorrect Cmdlet: Get-AzADObject doesn’t exist. Instead:
      • Use Get-AzADUser for users.
      • Use Get-AzADGroup for groups.
    2. Missing Scope in Loop: The foreach loop for $roleAssignments wasn’t properly enclosed.
    3. Fixing ObjectType Handling: Since the PrincipalId could belong to a user or group, we check its type.

    Corrected PowerShell Script:

    # Connect to Azure
    Connect-AzAccount
    
    # Define the Azure roles to check
    $roles = "Owner", "Contributor", "Storage Blob Data Contributor"
    
    # Create an empty array to store the results
    $results = @()
    
    # Loop through each role
    foreach ($role in $roles) {
        # Get role assignments for the current role
        $roleAssignments = Get-AzRoleAssignment -RoleDefinitionName $role
    
        # Loop through each role assignment
        foreach ($assignment in $roleAssignments) {
            # Get-AzRoleAssignment exposes the assignee's id as ObjectId (it has no
            # PrincipalId property), so reading PrincipalId yields an empty string
            # and Get-AzADUser then fails to bind -ObjectId.
            $principalId = $assignment.ObjectId
            $objectType  = "Unknown"
    
            # Try to get the user first
            $principal = Get-AzADUser -ObjectId $principalId -ErrorAction SilentlyContinue
            if ($principal) { $objectType = "User" }
    
            # If not a user, check if it's a group
            if (-not $principal) {
                $principal = Get-AzADGroup -ObjectId $principalId -ErrorAction SilentlyContinue
                if ($principal) { $objectType = "Group" }
            }
    
            # If we found a principal, add to results
            # (service principals and managed identities match neither lookup and are skipped)
            if ($principal) {
                $result = [PSCustomObject]@{
                    Role = $role
                    DisplayName = $principal.DisplayName
                    UserPrincipalName = if ($principal.UserPrincipalName) { $principal.UserPrincipalName } else { "N/A" }
                    ObjectType = $objectType
                }
    
                # Add the result to the array
                $results += $result
            }
        }
    }
    
    # Export the results to a CSV file
    $results | Export-Csv -Path "C:\Temp\AzureRoleUsers.csv" -NoTypeInformation
    
    Write-Output "Export complete. File saved at C:\Temp\AzureRoleUsers.csv"

    Key Fixes:

      • Uses Get-AzADUser instead of Get-AzADObject
      • Handles both users and groups correctly
      • Adds error handling (-ErrorAction SilentlyContinue) to avoid failures
      • Ensures $roleAssignments is correctly looped over

    This should now work for your security reviews. Let me know if you run into any issues! 🚀

  • LainRobertson
    Silver Contributor

    Hi ktc2,


    The Microsoft AzureAD module has been deprecated for quite some time now meaning it's discouraged from being used. That said, you don't need it or its replacement (the Microsoft.Graph suite of modules) for the task you're performing.

    Your call to Get-AzRoleAssignment (which uses the Microsoft Az modules) produces all the resultant attributes contained in your PSCustomObject, meaning you don't have to make additional calls using any other modules.

    Technically, the data you're pulling is achievable with a single line (first example), which I'll also include in a more readable form (second example). If you decide you want more data relating to the user then that's the point at which you'd break out into leveraging the Microsoft.Graph suite of modules (specifically, the Get-MgUser or Get-MgBetaUser commandlets).

    It's worth noting that if your organisation has more than one subscription, you'd need to iterate through each subscription, running this command for each.

    Example command

    # As a single line.
    @("Owner", "Contributor", "Storage Blob Data Contributor") | ForEach-Object { Get-AzRoleAssignment -RoleDefinitionName $_ | ForEach-Object { [PSCustomObject] @{ Role = $_.RoleDefinitionName; DisplayName = $_.DisplayName; UserPrincipalName = $_.SignInName; ObjectType = $_.ObjectType; }; } } | Export-Csv -NoTypeInformation -Path "D:\Data\Temp\Forum\forum.csv";
    
    # Again, just a little more readable.
    @("Owner", "Contributor", "Storage Blob Data Contributor") | ForEach-Object {
        Get-AzRoleAssignment -RoleDefinitionName $_ | ForEach-Object {
            [PSCustomObject] @{
                Role = $_.RoleDefinitionName;
                DisplayName = $_.DisplayName;
                UserPrincipalName = $_.SignInName;
                ObjectType = $_.ObjectType;
            };
        }
    } | Export-Csv -NoTypeInformation -Path "D:\Data\Temp\Forum\forum.csv";


    Cheers,

    Lain
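Picking up Lain's note about organisations with more than one subscription, here is an added example (not code from the thread) that runs the same export across every subscription the signed-in account can read, and keeps each assignment's Scope so a reviewer can see whether a grant applies at subscription, resource group or resource level. It assumes the Az.Accounts and Az.Resources modules are installed and Connect-AzAccount has already been run; the output path is a placeholder.

```powershell
# Added example: tenant-wide export of Owner/Contributor/Storage Blob Data Contributor
# assignments. Assumes Az.Accounts + Az.Resources and a prior Connect-AzAccount.
$roles   = "Owner", "Contributor", "Storage Blob Data Contributor"
$outFile = "C:\Temp\AzureRoleUsers-AllSubscriptions.csv"   # placeholder path

$subscriptions = Get-AzSubscription

$results = foreach ($sub in $subscriptions) {
    try {
        # Get-AzRoleAssignment only reads the current Az context, so switch per subscription.
        Set-AzContext -Subscription $sub.Id -ErrorAction Stop | Out-Null
    }
    catch {
        # A disabled subscription or missing read permission should not abort the whole review.
        Write-Warning "Skipping subscription $($sub.Name) ($($sub.Id)): $($_.Exception.Message)"
        continue
    }

    foreach ($role in $roles) {
        Get-AzRoleAssignment -RoleDefinitionName $role -ErrorAction SilentlyContinue | ForEach-Object {
            [PSCustomObject]@{
                Subscription      = $sub.Name
                SubscriptionId    = $sub.Id
                Role              = $_.RoleDefinitionName
                # Scope shows where the grant applies; a /providers/Microsoft.Management/...
                # scope means the assignment is inherited from a management group.
                Scope             = $_.Scope
                DisplayName       = $_.DisplayName
                UserPrincipalName = $_.SignInName   # empty for groups and service principals
                ObjectType        = $_.ObjectType   # User, Group, ServicePrincipal, ...
                ObjectId          = $_.ObjectId
            }
        }
    }
}

# Sort so the most privileged role (Owner) is grouped together at the top of the review file.
$results | Sort-Object Role, Subscription, DisplayName |
    Export-Csv -Path $outFile -NoTypeInformation

Write-Output ("Exported {0} role assignment(s) across {1} subscription(s) to {2}" -f `
    @($results).Count, @($subscriptions).Count, $outFile)
```

Group and ServicePrincipal rows are worth a second look during review, since a group assignment grants the role to every current member without naming them in this output.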

    • kcelmer
      Copper Contributor

      This is awesome! It's concise, and it works once I add the Connect-AzAccount at the top.

      I'm a PowerShell newbie. Thank you for the education. 
