Describe the bug
From the output of the command Get-MgRoleManagementDirectoryRoleAssignment you can see multiple role assignments on privileged roles. It is expected that all these assignments can be found and identified in MS Entra ID from the Azure portal, which is not the case here.
In my case I see 6 assignments in this command's output for the MS Entra ID Global Administrator role, but in the Azure portal I see only two users assigned to this role. Of course I checked all the groups and service principals and none of them have this GA role assigned. I checked soft-deleted users and soft-deleted groups and there are no users or groups in a soft-deleted state.
I'm absolutely sure that there wasn't any recent update (operation) regarding the users, groups, service principals or role assignments. I have had this problem for 2 days now.
When I compare the values in the field PrincipalId (from the Get-MgRoleManagementDirectoryRoleAssignment output) with the MS Entra ID GA role assignments, two IDs perfectly match two users. However, the rest of the IDs displayed in the output are totally unknown to me and I struggle to identify them. I think these assignments are somehow obsolete or not relevant, and it may be a bug in the MS Graph module.
I experienced this problem solely on a single B2C tenant. I'm not sure right now whether the problem is in the tenant or in the module itself.
Expected behavior
The expected behavior is that the output of the command Get-MgRoleManagementDirectoryRoleAssignment matches the MS Entra ID role assignments shown in the Azure portal for the identities: User, Group, Service Principal or Managed Identity.
How to reproduce
Here are the commands for reproducing the issue on a B2C tenant:
Connect-MgGraph -TenantId {B2C_tenant_id}
# Display names of the built-in roles treated as privileged for this check.
$DefinedPrivilegedRoles = @(
'Application Administrator',
'Application Developer',
'Attribute Provisioning Administrator',
'Attribute Provisioning Reader',
'Authentication Administrator',
'Authentication Extensibility Administrator',
'B2C IEF Keyset Administrator',
'Cloud Application Administrator',
'Cloud Device Administrator',
'Conditional Access Administrator',
'Directory Writers',
'Domain Name Administrator',
'External Identity Provider Administrator',
'Global Administrator',
'Global Reader',
'Helpdesk Administrator',
'Hybrid Identity Administrator',
'Intune Administrator',
'Lifecycle Workflows Administrator',
'Password Administrator',
'Privileged Authentication Administrator',
'Privileged Role Administrator',
'Security Administrator',
'Security Operator',
'Security Reader',
'User Administrator',
'Exchange Administrator',
'SharePoint Administrator',
'Teams Administrator'
)
# Get-MgDirectoryRole only returns roles that have been activated in the tenant;
# RoleTemplateId is what the assignment's RoleDefinitionId refers to for built-in roles.
$privilegedRoles = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $DefinedPrivilegedRoles } | Select-Object DisplayName, RoleTemplateId, Id
# -Verbose/-Debug must be on the Graph cmdlet itself (not on Where-Object) to show the
# request/response details; on Where-Object they print nothing useful.
Get-MgRoleManagementDirectoryRoleAssignment -All -Verbose -Debug | Where-Object { $_.RoleDefinitionId -in $privilegedRoles.RoleTemplateId }
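To classify the PrincipalIds that the portal does not show, the following added diagnostic (not part of the issue or the SDK) resolves each principal on the privileged assignments against live and soft-deleted directory objects and reports the assignment scope. It assumes the Connect-MgGraph session and the $privilegedRoles variable from the repro above, plus RoleManagement.Read.Directory and Directory.Read.All permissions.

```powershell
# Added diagnostic: resolve every principal on a privileged role assignment.
# Assumes $privilegedRoles from the repro above and an existing Connect-MgGraph session.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All |
    Where-Object { $_.RoleDefinitionId -in $privilegedRoles.RoleTemplateId }

$report = foreach ($a in $assignments) {
    # Role name from the role definition; this also works for roles that were
    # never activated in the tenant, unlike Get-MgDirectoryRole.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId

    $principal = $null
    $state = 'Unknown'
    try {
        # Live object: @odata.type tells us user / group / servicePrincipal.
        $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId -ErrorAction Stop
        $state = 'Active'
    } catch {
        try {
            # Not live: check the recycle bin (soft-deleted objects keep their id).
            $principal = Get-MgDirectoryDeletedItem -DirectoryObjectId $a.PrincipalId -ErrorAction Stop
            $state = 'SoftDeleted'
        } catch {
            # The id resolves nowhere: the assignment is orphaned.
            $state = 'NotFound'
        }
    }

    [pscustomobject]@{
        Role             = $role.DisplayName
        PrincipalId      = $a.PrincipalId
        PrincipalType    = ($principal.AdditionalProperties.'@odata.type' -replace '^#microsoft\.graph\.', '')
        PrincipalName    = $principal.AdditionalProperties.displayName
        PrincipalState   = $state
        DirectoryScopeId = $a.DirectoryScopeId   # '/' is tenant-wide; anything else is a narrower scope
    }
}

$report | Sort-Object Role, PrincipalState | Format-Table -AutoSize
```

Rows whose PrincipalState is NotFound, or whose DirectoryScopeId is not '/', are the first candidates for the "unknown" ids, since they are not plain tenant-wide assignments to a live user, group or service principal.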
SDK Version
2.30
Latest version known to work for scenario above?
No response
Known Workarounds
No response
Debug output
-Debug flag didn't provide additional information
Configuration
Name Value
PSVersion 7.5.2
PSEdition Core
GitCommitId 7.5.2
OS Microsoft Windows 10.0.26100
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Other information
I tried it on version 2.29 and had the same problem.