PIM Group Eligible membership reporting

Hi,

We use different Entra groups which have their memberships managed via PIM. Several users are added as eligible members to those groups. I am trying to generate a report of all eligible members in all of those PIM-managed groups. I tried different options, but I am unable to get a readable report which can be presented to management.

I just need the group name, the members added to it and, if possible, when the group membership was last activated.

I can get these details from the GUI, but the number of groups is high, so I need some automated way to achieve this.

I tried using:

Get-MgRoleManagementDirectoryRoleEligibilitySchedule -all : but it gave unreadable details with several GUIDs

Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "" : this returned several objects, but I have 1-2 users added as eligible

1 answer

Vasil Michev 115.3K Reputation points MVP
2025-03-13T07:57:23.8366667+00:00

In my experience, the Get-MgBetaIdentityGovernancePrivilegedAccessGroupEligibilitySchedule cmdlet gives the best results for eligible members, whereas you can get the currently assigned ones via Get-MgGroupTransitiveMember. As for getting the last time membership was activated, you will have to cover eligibilityScheduleInstances as well.
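A script that turns the cmdlets named in the answer into the group / member / last-activation report the question asks for. It is an added example, not code from the question or the answer; it assumes the Microsoft.Graph.Beta.Identity.Governance and Microsoft.Graph.Groups modules, a constructed placeholder list of group ids, and that activations are readable through Get-MgBetaIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance (the answer itself only points at eligibilityScheduleInstances).

```powershell
# Added example, not code from the question or the answer above.
# Assumes Microsoft.Graph.Beta.Identity.Governance and Microsoft.Graph.Groups
# are installed and the signed-in account may read PIM for Groups.
Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.Read.AzureADGroup',
                        'PrivilegedAssignmentSchedule.Read.AzureADGroup',
                        'Group.Read.All' -NoWelcome

# Object ids of the PIM-managed groups to report on (constructed placeholder).
$groupIds = @('00000000-0000-0000-0000-000000000000')

$report = foreach ($gid in $groupIds) {
    $groupName = (Get-MgGroup -GroupId $gid -Property displayName).DisplayName

    # Eligible memberships, i.e. what the portal lists under "Eligible assignments".
    # Expanding 'principal' yields display names instead of bare GUIDs.
    $eligible = Get-MgBetaIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
        -Filter "groupId eq '$gid'" -ExpandProperty principal -All

    # Activations appear as assignment schedule instances of type 'activated'.
    # Assumption: only instances that are still active are returned, so an
    # activation that has already expired will not show up here.
    $activated = Get-MgBetaIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
        -Filter "groupId eq '$gid'" -All |
        Where-Object { $_.AssignmentType -eq 'activated' }

    foreach ($e in $eligible) {
        $last = $activated |
            Where-Object { $_.PrincipalId -eq $e.PrincipalId } |
            Sort-Object StartDateTime -Descending | Select-Object -First 1

        [pscustomobject]@{
            Group             = $groupName
            Member            = $e.Principal.AdditionalProperties['displayName']
            UserPrincipalName = $e.Principal.AdditionalProperties['userPrincipalName']
            Access            = $e.AccessId      # member or owner
            MemberType        = $e.MemberType    # direct, or inherited via a nested group
            EligibleUntil     = $e.ScheduleInfo.Expiration.EndDateTime
            LastActivated     = if ($last) { $last.StartDateTime } else { 'no active activation' }
        }
    }
}

# Management-friendly output: one row per group/member, plus a CSV to hand over.
$report | Sort-Object Group, Member | Format-Table -AutoSize
$report | Sort-Object Group, Member |
    Export-Csv -Path .\PimGroupEligibility.csv -NoTypeInformation
```

For a complete activation history (including activations that have since expired), the directory audit log is the source to query; the schedule instances only reflect current state.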