# List Admin Users ### Description Lists users and service principals holding built-in Entra ID roles and produces an admin-to-role report. Optionally queries each admin for registered authentication methods to assess MFA coverage. ### Location Organization → Security → List Admin Users **Full Runbook name** rjgit-org\_security\_list-admin-users ### Permissions #### Application permissions * **Type**: Microsoft Graph * User.Read.All * Directory.Read.All * RoleManagement.Read.All * RoleAssignmentSchedule.Read.Directory ### Parameters #### ExportToFile If set to true, exports the report to an Azure Storage Account. | Property | Value | | ------------- | ------- | | Required | false | | Default Value | True | | Type | Boolean | #### PimEligibleUntilInCSV If set to true, includes PIM eligible/active until information in the CSV report. | Property | Value | | ------------- | ------- | | Required | false | | Default Value | False | | Type | Boolean | #### ContainerName Name of the Azure Storage container to upload the CSV report to. | Property | Value | | ------------- | ------ | | Required | false | | Default Value | | | Type | String | #### ResourceGroupName Name of the Azure Resource Group containing the Storage Account. | Property | Value | | ------------- | ------ | | Required | false | | Default Value | | | Type | String | #### StorageAccountName Name of the Azure Storage Account used for upload. | Property | Value | | ------------- | ------ | | Required | false | | Default Value | | | Type | String | #### StorageAccountLocation Azure region for the Storage Account if it needs to be created. | Property | Value | | ------------- | ------ | | Required | false | | Default Value | | | Type | String | #### StorageAccountSku SKU name for the Storage Account if it needs to be created. | Property | Value | | ------------- | ------ | | Required | false | | Default Value | | | Type | String | #### QueryMfaState "Check and report every admin's MFA state" (final value: $true) or "Do not check admin MFA states" (final value: $false) can be selected as action to perform. | Property | Value | | ------------- | ------- | | Required | false | | Default Value | True | | Type | Boolean | #### TrustEmailMfa If set to true, regards email as a valid MFA method. | Property | Value | | ------------- | ------- | | Required | false | | Default Value | False | | Type | Boolean | #### TrustPhoneMfa If set to true, regards phone/SMS as a valid MFA method. | Property | Value | | ------------- | ------- | | Required | false | | Default Value | False | | Type | Boolean | #### TrustSoftwareOathMfa If set to true, regards software OATH token as a valid MFA method. | Property | Value | | ------------- | ------- | | Required | false | | Default Value | True | | Type | Boolean | #### TrustWinHelloMFA If set to true, regards Windows Hello for Business as a valid MFA method. | Property | Value | | ------------- | ------- | | Required | false | | Default Value | False | | Type | Boolean | [Back to Runbook Reference overview](/automation/runbooks/runbook-references.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.realmjoin.com/automation/runbooks/runbook-references/org/security/list-admin-users.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.