List Admin Users

Description

Lists users and service principals holding built-in Entra ID roles and produces an admin-to-role report. Optionally queries each admin for registered authentication methods to assess MFA coverage.

Location

Organization → Security → List Admin Users

Full Runbook name

rjgit-org_security_list-admin-users

Permissions

Application permissions

• Type: Microsoft Graph

  • User.Read.All

  • Directory.Read.All

  • RoleManagement.Read.All

  • RoleAssignmentSchedule.Read.Directory

Parameters

ExportToFile

If set to true, exports the report to an Azure Storage Account.

PimEligibleUntilInCSV

If set to true, includes PIM eligible/active until information in the CSV report.

ContainerName

Name of the Azure Storage container to upload the CSV report to.

ResourceGroupName

Name of the Azure Resource Group containing the Storage Account.

StorageAccountName

Name of the Azure Storage Account used for upload.

StorageAccountLocation

Azure region for the Storage Account if it needs to be created.

StorageAccountSku

SKU name for the Storage Account if it needs to be created.

QueryMfaState

"Check and report every admin's MFA state" (final value: $true) or "Do not check admin MFA states" (final value: $false) can be selected as action to perform.

TrustEmailMfa

If set to true, regards email as a valid MFA method.

TrustPhoneMfa

If set to true, regards phone/SMS as a valid MFA method.

TrustSoftwareOathMfa

If set to true, regards software OATH token as a valid MFA method.

TrustWinHelloMFA

If set to true, regards Windows Hello for Business as a valid MFA method.

Back to Runbook Reference overview