March 6, 2026

How to Generate a Microsoft Purview Role Group Report with PowerShell

Role groups in the Microsoft Purview compliance portal decide who can run content searches, manage retention and labels, or change other people's compliance access, so keeping track of their membership is part of basic tenant security. With PowerShell you can pull that membership for every role group in one run instead of clicking through each group in the portal. This guide walks you through connecting to the compliance PowerShell endpoint and producing a membership report you can review, store, and diff over time.

Key Takeaways

  • Make sure your account sits in a role group that can read role group configuration (Organization Management, of which Global Administrators are members by default, or a role group that includes the Role Management role) before you try to generate reports.
  • Install PowerShell 5.1 or later (PowerShell 7 is recommended) and the ExchangeOnlineManagement module, which provides Connect-IPPSSession, Get-RoleGroup, and Get-RoleGroupMember. Add the Microsoft Graph PowerShell SDK if you want user details such as department or account status in the report.
  • Script the report so it runs the same way every time. This saves time and removes the transcription errors that creep into manual reviews.
  • Schedule the report and keep every output. A stored series of snapshots is what lets you see who was added to a privileged role group and when.
  • Review the output for stale or unexpected memberships: disabled accounts, guests, and nested groups in privileged role groups are the findings that matter most.

7 Surprising Facts about Microsoft Purview Role Group Report

  • Purview role groups can be enumerated and exported programmatically: a single scripted run captures each role group, the roles assigned to it, and its members.
  • The portal shows only direct members: a role group can contain a mail-enabled security group or another role group, and only a script that expands those nested memberships shows every user who actually inherits the permissions.
  • Auditing gaps can be uncovered: a scripted report surfaces stale assignments, such as disabled accounts or guest users that still sit in Compliance Administrator, that are easy to miss when clicking through the portal.
  • Custom role groups affect reporting: role groups you create from the built-in roles can carry nonstandard role sets, so a report should list the roles each group grants, not just the role group name.
  • Cross-tenant scenarios are reportable: by connecting to each tenant in turn, you can consolidate the exports into one normalized view for governance and compliance reviews.
  • Time-based change tracking is possible: by scheduling the report and storing each output, you can diff consecutive snapshots and detect unexpected privilege escalations.
  • Integration with other tools is straightforward: the output can be written as CSV or JSON and ingested into SIEMs, GRC platforms, or spreadsheets for alerting and analysis.

Prerequisites for PowerShell

Required Permissions

Before you start using PowerShell to generate reports, ensure you have the necessary permissions. Get-RoleGroup and Get-RoleGroupMember require membership in a Purview role group that can read role group configuration: in practice Organization Management (Global Administrators are added to it automatically) or a custom role group that includes the Role Management role. Without these permissions the cmdlets are simply not available in your session, so scripts fail with "not recognized" errors rather than with an obvious access-denied message.

PowerShell Installation

To run PowerShell scripts, you must have PowerShell installed on your machine. The minimum version required is 5.1; PowerShell 7 also works and is recommended. Additionally, you need the ExchangeOnlineManagement module, which provides Connect-IPPSSession (the connection to Security & Compliance PowerShell) and the Get-RoleGroup and Get-RoleGroupMember cmdlets. The Microsoft Graph PowerShell SDK (Microsoft.Graph) is optional and only needed if you want to enrich the report with user details such as department, country, or whether the account is still enabled.

Here’s a quick checklist to ensure you meet the prerequisites:

  • PowerShell Version: Ensure you have at least version 5.1 (check with $PSVersionTable.PSVersion).
  • Modules: Install the ExchangeOnlineManagement module, and optionally Microsoft.Graph, with Install-Module -Scope CurrentUser.
  • Admin Access: Confirm that your account is in Organization Management or another role group that can read role group configuration.

By meeting these prerequisites, you set yourself up for a smooth experience when generating your Purview role group report.

Summary of Steps

  1. Verify your PowerShell version.
  2. Install the necessary modules.
  3. Confirm your administrative access in Purview.

Following these steps will prepare you to use PowerShell effectively for your reporting needs.

Connect to Microsoft Purview

Set Up Connection

To connect to the PowerShell endpoint of the Microsoft Purview compliance portal (Security & Compliance PowerShell), follow these steps. Role groups such as Compliance Administrator and eDiscovery Manager live in this endpoint, not in an Azure Purview data-governance account, so you do not need an Azure subscription, a resource group, or New-AzPurviewAccount to report on them.

  1. Install the ExchangeOnlineManagement module: It provides Connect-IPPSSession and the role group cmdlets used later. Installing for the current user avoids needing local admin rights:
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
    
  2. Install the Microsoft Graph PowerShell SDK (optional): Only needed if you want to look up member details such as department or account status:
    Install-Module -Name Microsoft.Graph -Scope CurrentUser
    
  3. Connect to Security & Compliance PowerShell: This opens a browser sign-in that honors MFA and Conditional Access:
    Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com
    
  4. Connect to Microsoft Graph (optional): Request only the read scopes the report needs:
    Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"
    

Do not use Connect-ExchangeOnline for this task. The Exchange Online endpoint also exposes a Get-RoleGroup cmdlet, but it returns Exchange role groups such as Recipient Management, not the Purview compliance role groups.

Authenticate Credentials

Connect-IPPSSession signs you in through the browser, so you never pass a password on the command line and multi-factor authentication works as usual. Here's how to authenticate and verify the session:

  1. Open PowerShell: Launch PowerShell on your machine.
  2. Run the connect command: Use the following command to sign in:
    Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com
    
    This command prompts you to sign in with your work account.
  3. Verify your connection: Confirm that a compliance session is connected and that you can read role groups:
    Get-ConnectionInformation
    Get-RoleGroup | Select-Object Name, DisplayName
    

If you encounter any issues during the connection process, consider these common errors:

  • Sign-in failure: Double-check the user principal name and complete any MFA or Conditional Access prompt in the browser window.
  • PowerShell Access: Ensure your account is enabled for remote PowerShell (the RemotePowerShellEnabled setting on the user); an administrator can turn it off per user.
  • Network Access: Outbound HTTPS (TCP 443) to Microsoft 365 must be allowed. The current module talks REST over HTTPS, so nothing needs TCP port 80.
  • Module Installation: Confirm that PowerShellGet and PackageManagement are present and that ExchangeOnlineManagement is current (Update-Module -Name ExchangeOnlineManagement).
  • Wrong endpoint: If Get-RoleGroup returns groups such as Recipient Management or Help Desk, you are connected to Exchange Online rather than the compliance endpoint. Run Connect-IPPSSession.

By following these steps, you can successfully connect to Microsoft Purview and authenticate your credentials, paving the way for generating your role group report.
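The connection and verification steps above, as one added example (not code from the original article). It checks the prerequisites, connects to both endpoints with read-only Graph scopes, and then confirms that the session answering Get-RoleGroup is the compliance endpoint rather than Exchange Online. The user principal name is a placeholder; the Exchange-only role group names used for the sanity check are real built-in Exchange role groups, and the function names are this example's own.

```powershell
# Added example: prerequisite check, connection, and endpoint verification for the report.
# Assumes only the ExchangeOnlineManagement and Microsoft.Graph modules; the UPN is a placeholder.

function Test-ReportPrerequisites {
    # Report what is missing instead of installing silently, so the caller stays in control.
    $required = @('ExchangeOnlineManagement', 'Microsoft.Graph.Authentication',
                  'Microsoft.Graph.Users', 'Microsoft.Graph.Groups')
    $missing  = @($required | Where-Object { -not (Get-Module -ListAvailable -Name $_) })
    [PSCustomObject]@{
        PowerShellVersion = $PSVersionTable.PSVersion
        VersionOk         = ($PSVersionTable.PSVersion -ge [version]'5.1')
        MissingModules    = $missing
    }
}

function Connect-PurviewReporting {
    param([Parameter(Mandatory)][string] $UserPrincipalName)

    $check = Test-ReportPrerequisites
    if (-not $check.VersionOk) {
        throw "PowerShell 5.1 or later is required; found $($check.PowerShellVersion)."
    }
    foreach ($module in $check.MissingModules) {
        # CurrentUser scope: no local admin rights needed just to install a module.
        Install-Module -Name $module -Scope CurrentUser -Force
    }

    # Security & Compliance PowerShell is where Get-RoleGroup / Get-RoleGroupMember live.
    # Interactive sign-in honors MFA and Conditional Access; no password on the command line.
    Connect-IPPSSession -UserPrincipalName $UserPrincipalName

    # Microsoft Graph with read-only scopes: the report never writes to the directory.
    Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All' -NoWelcome
}

function Test-ComplianceEndpoint {
    # Exchange Online also has a Get-RoleGroup cmdlet. If Exchange-only groups show up, the
    # session points at the wrong endpoint and any "Purview" report built on it is meaningless.
    $names        = @(Get-RoleGroup | Select-Object -ExpandProperty Name)
    $exchangeOnly = @('Recipient Management', 'Help Desk', 'Hygiene Management')
    if ($names | Where-Object { $exchangeOnly -contains $_ }) {
        throw 'Connected to Exchange Online, not Security & Compliance PowerShell. Run Connect-IPPSSession.'
    }
    [PSCustomObject]@{
        ComplianceSession = (Get-ConnectionInformation | Where-Object State -eq 'Connected' |
                             Select-Object -ExpandProperty UserPrincipalName -First 1)
        GraphAccount      = (Get-MgContext).Account
        RoleGroupCount    = $names.Count
    }
}

Connect-PurviewReporting -UserPrincipalName 'admin@contoso.onmicrosoft.com'
Test-ComplianceEndpoint
```

Test-ComplianceEndpoint throws rather than warns on purpose: a scheduled report that quietly ran against Exchange Online would still produce a plausible-looking file, which is worse than no file.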

Generate Purview Role Group Report

PowerShell Script for Report Membership

To generate a Purview role group report, you can use the following PowerShell script. It connects to Security & Compliance PowerShell, where the role group cmdlets live, and optionally to Microsoft Graph to look up details about each member. Follow these steps to create your report:

  1. Connect to Security & Compliance PowerShell: Run Connect-IPPSSession. This endpoint exposes Get-RoleGroup and Get-RoleGroupMember.
  2. Connect to Microsoft Graph (optional): Request read-only scopes such as User.Read.All and Group.Read.All so you can resolve members to Entra ID objects.
  3. Retrieve Role Groups: Run the Get-RoleGroup cmdlet to list all role groups in your tenant together with the roles assigned to each.
  4. Enumerate Membership: For each role group, run Get-RoleGroupMember and note each member's RecipientType, which tells you whether it is a user, a mail-enabled security group, or another role group.
  5. Update PowerShell Lists: Create lists to store details of each role assignment and role group membership.
  6. Identify Unique Identifiers: Find unique identifiers that hold role assignments, such as users or service principals.
  7. Gather Object Details: For each unique identifier, collect additional details like department and country.
  8. Sort Information: Organize the user assignment information by object type and name for easier reporting.
  9. Generate HTML Report: Create an HTML report that includes details of each active role group and its membership.

Here’s a sample PowerShell script that implements these steps:

# Connect to Security & Compliance PowerShell. Get-RoleGroup and Get-RoleGroupMember live here,
# not in Microsoft Graph, so a Graph session alone is not enough.
Connect-IPPSSession

# Get all role groups in the tenant
$roleGroups = Get-RoleGroup

# One row per (role group, member). A generic list avoids the cost of += on arrays.
$roleGroupMemberships = [System.Collections.Generic.List[object]]::new()

foreach ($group in $roleGroups) {
    # Get-RoleGroupMember returns direct members only: users, mail-enabled security groups,
    # or other role groups. Members of a nested group are not expanded here.
    $members = Get-RoleGroupMember -Identity $group.Identity
    foreach ($member in $members) {
        $roleGroupMemberships.Add([PSCustomObject]@{
            RoleGroupName = $group.DisplayName
            Roles         = ($group.Roles -join '; ')
            MemberName    = $member.DisplayName
            MemberType    = $member.RecipientType
        })
    }
}

# Generate HTML report, sorted so privileged groups are easy to scan
$roleGroupMemberships |
    Sort-Object RoleGroupName, MemberType, MemberName |
    ConvertTo-Html -Property RoleGroupName, Roles, MemberName, MemberType -Title "Purview Role Group Membership Report" |
    Out-File "PurviewRoleGroupReport.html"

This script will help you generate a comprehensive report on the membership of role groups in Purview.
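The steps above resolve each member to an Entra ID object and gather details such as department. The following added example (not the article's script) goes further than the basic HTML report: it expands security groups nested in a role group so that every inheriting user gets a row, flags guests and disabled accounts in privileged role groups, and writes CSV and JSON for downstream tooling. It assumes an existing Connect-IPPSSession and Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All' session. The privileged role group list, the Finding rules, and the output file names are this example's own choices, and it assumes role group member objects expose ExternalDirectoryObjectId (as Exchange Online recipients do); where they do not, it falls back to matching on display name.

```powershell
# Added example: enriched role group report. Assumes Connect-IPPSSession and Connect-MgGraph
# (User.Read.All, Group.Read.All) are already connected. Privileged list and rules are illustrative.

$privilegedRoleGroups = @('Organization Management', 'Compliance Administrator',
                          'Security Administrator', 'eDiscovery Manager')
$userProps = @('id', 'displayName', 'userPrincipalName', 'accountEnabled', 'userType', 'department', 'country')

function Get-EntraUserForMember {
    param([Parameter(Mandatory)] $Member)
    # ASSUMPTION: the member object carries ExternalDirectoryObjectId. If not, fall back to a
    # display-name filter, which is only as reliable as display names are unique in the tenant.
    if ($Member.ExternalDirectoryObjectId) {
        return Get-MgUser -UserId $Member.ExternalDirectoryObjectId -Property $userProps -ErrorAction SilentlyContinue
    }
    $name = $Member.DisplayName -replace "'", "''"      # escape single quotes for the OData filter
    Get-MgUser -Filter "displayName eq '$name'" -Property $userProps -Top 1 -ErrorAction SilentlyContinue
}

function Expand-NestedGroup {
    # A security group inside a role group hides who really holds the permission. Transitive
    # membership expands nested groups so each inheriting user appears on its own row.
    param([Parameter(Mandatory)] $Member)
    $name  = $Member.DisplayName -replace "'", "''"
    $group = Get-MgGroup -Filter "displayName eq '$name'" -Top 1 -ErrorAction SilentlyContinue
    if (-not $group) { return @() }
    Get-MgGroupTransitiveMember -GroupId $group.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { Get-MgUser -UserId $_.Id -Property $userProps -ErrorAction SilentlyContinue }
}

function New-Finding {
    # The two findings a reviewer should act on first. Only raised for privileged role groups.
    param([bool] $Privileged, $User)
    if (-not $Privileged -or -not $User) { return '' }
    if ($User.UserType -eq 'Guest')      { return 'Guest account in privileged role group' }
    if ($User.AccountEnabled -eq $false) { return 'Disabled account still holds privileged role group' }
    ''
}

$rows = [System.Collections.Generic.List[object]]::new()
foreach ($rg in Get-RoleGroup) {
    $isPrivileged = $privilegedRoleGroups -contains $rg.DisplayName
    foreach ($m in Get-RoleGroupMember -Identity $rg.Identity) {
        # Each entry: the resolved Entra user (or $null) and the group it was inherited through (or $null)
        $entries = [System.Collections.Generic.List[object]]::new()
        switch -Wildcard ($m.RecipientType) {
            '*User*'  { $entries.Add(@{ User = (Get-EntraUserForMember -Member $m); Via = $null }) }
            '*Group*' {
                $nested = @(Expand-NestedGroup -Member $m)
                # Not resolvable in Entra (for example a nested role group): report the member as-is
                if ($nested.Count -eq 0) { $entries.Add(@{ User = $null; Via = $null }) }
                foreach ($u in $nested) { $entries.Add(@{ User = $u; Via = $m.DisplayName }) }
            }
            default   { $entries.Add(@{ User = $null; Via = $null }) }
        }
        foreach ($e in $entries) {
            $user       = $e.User
            $memberName = if ($user) { $user.DisplayName } else { $m.DisplayName }
            $rows.Add([PSCustomObject]@{
                RoleGroup  = $rg.DisplayName
                Roles      = ($rg.Roles -join '; ')
                Privileged = $isPrivileged
                Member     = $memberName
                Upn        = $user.UserPrincipalName
                MemberType = $m.RecipientType
                ViaGroup   = $e.Via
                Enabled    = $user.AccountEnabled
                UserType   = $user.UserType
                Department = $user.Department
                Finding    = (New-Finding -Privileged $isPrivileged -User $user)
            })
        }
    }
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$rows | Sort-Object RoleGroup, MemberType, Member |
    Export-Csv -Path "PurviewRoleGroups-$stamp.csv" -NoTypeInformation -Encoding UTF8
$rows | ConvertTo-Json -Depth 3 | Set-Content -Path "PurviewRoleGroups-$stamp.json" -Encoding UTF8
$rows | Where-Object Finding | Format-Table RoleGroup, Member, ViaGroup, Finding -AutoSize
```

The ViaGroup column is the one the portal cannot give you: a user who appears there holds the role group's permissions without ever being added to the role group directly, which is exactly the kind of access path an access review tends to miss.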

Understanding Output Data

After running the PowerShell script, you will receive an HTML report detailing the membership of role groups. Here’s how to interpret the output data:

  • Role Group Name: The display name of each role group.
  • Member Name: The display name of each direct member of the role group.
  • Member Type: The RecipientType reported by Get-RoleGroupMember, which tells you whether the member is a user, a mail-enabled security group, or another role group. Group members deserve a second look, because everyone in that group inherits the role group's permissions without appearing in the list.

By analyzing this data, you can gain insights into the role group memberships within your organization. This information is crucial for ensuring proper role-based access control (RBAC) and maintaining security compliance.

Keep in mind that the report reflects membership at the moment the script ran. Rerunning it on a schedule and keeping each output is what lets you see who was added or removed between runs.

Best Practices for Reporting

Schedule Regular Reports

To maintain compliance and security, you should schedule regular reports on Purview role groups. Regular reporting helps you stay informed about who holds compliance roles and ensures that your organization adheres to security policies. Here are some steps to help you schedule these reports effectively:

  1. Use PowerShell Cmdlets: Put the report in a script file so it can run unattended. For scheduled runs, authenticate with an app registration and a certificate (Connect-IPPSSession -AppId ... -CertificateThumbprint ... -Organization ...) rather than a stored username and password.
  2. Set Up Task Scheduler: Utilize Windows Task Scheduler to run your PowerShell script automatically. This ensures that you receive updated reports without manual intervention.
  3. Choose Report Formats: Write CSV or JSON for machine processing and HTML for people. No file format protects the content by itself: store reports in a location restricted to the reviewers, because a list of who holds privileged compliance roles is sensitive in its own right.

Tip: Always apply the least privilege principle when granting access to reports. This minimizes the risk of unauthorized access.
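The scheduling steps above, as an added example that is not part of the original article. It has two pieces: the script the task runs, which signs in with an app registration and certificate so no password is stored anywhere, and the one-time registration of the task. The AppId, certificate thumbprint, tenant name, service account, and paths are placeholders; it assumes an Entra app registration already exists that holds the certificate, has the Exchange.ManageAsApp application permission, and is assigned an Entra role that Microsoft supports for app-only compliance access (for example Compliance Administrator).

```powershell
# Added example: unattended, scheduled report run with certificate-based app-only authentication.
# All identifiers and paths are placeholders; the app registration is assumed to be set up already.

# ----- Contents of C:\Scripts\Invoke-PurviewRoleGroupReport.ps1 -----
param(
    [string] $AppId        = '00000000-0000-0000-0000-000000000000',
    [string] $Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567',
    [string] $Organization = 'contoso.onmicrosoft.com',
    [string] $OutputDir    = 'C:\Reports\Purview'
)
# Any failure must surface as a failed task, never as a silently empty report.
$ErrorActionPreference = 'Stop'

# Certificate auth: the certificate (with private key) lives in the personal store of the
# account the task runs as. Nothing secret is written into the script or the task definition.
Connect-IPPSSession -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Organization
try {
    $rows = foreach ($rg in Get-RoleGroup) {
        foreach ($m in Get-RoleGroupMember -Identity $rg.Identity) {
            [PSCustomObject]@{
                RoleGroup  = $rg.DisplayName
                Member     = $m.DisplayName
                MemberType = $m.RecipientType
            }
        }
    }
    # Date-stamped file names give you the snapshot series needed for change tracking.
    $path = Join-Path $OutputDir ('PurviewRoleGroups-{0:yyyyMMdd}.json' -f (Get-Date))
    $rows | ConvertTo-Json -Depth 3 | Set-Content -Path $path -Encoding UTF8
}
finally {
    # Also tears down the Security & Compliance session opened by Connect-IPPSSession
    Disconnect-ExchangeOnline -Confirm:$false
}

# ----- One-time task registration, run as an administrator on the reporting host -----
# S4U logon runs the task as the service account without saving its password with the task.
# Use powershell.exe instead of pwsh.exe if the host only has Windows PowerShell 5.1.
$action    = New-ScheduledTaskAction -Execute 'pwsh.exe' `
               -Argument '-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File "C:\Scripts\Invoke-PurviewRoleGroupReport.ps1"'
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '06:00'
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc-purviewreport' -LogonType S4U -RunLevel Limited
Register-ScheduledTask -TaskName 'Purview Role Group Report' -Action $action -Trigger $trigger -Principal $principal
```

Restrict the output directory to the reviewers and the service account: the JSON files list exactly who can search, export, and purge other people's data, which makes them a reconnaissance shortcut for anyone who can read them.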

Analyze Report Data

Once you generate your reports, analyzing the data becomes crucial. Understanding the membership of compliance role groups helps you identify potential security risks. Here are some strategies for effective analysis:

  • Review Membership Regularly: Check who belongs to each role group and ensure that only authorized users have access to sensitive data. Start with Organization Management, Compliance Administrator, Security Administrator, and eDiscovery Manager, because their members can search or export other people's data or change who holds these roles.
  • Identify Trends: Look for patterns in role group memberships. This can help you spot unusual activity or changes that may require further investigation.
  • Document Findings: Keep a record of your analysis. This documentation can serve as evidence for compliance audits and help you track changes over time.

By following these best practices, you can enhance your reporting process and ensure that your organization remains compliant with Microsoft 365 compliance standards.


In this guide, you learned how to generate a Purview role group report using PowerShell. You connected to Microsoft Purview, authenticated your credentials, and executed a PowerShell script to retrieve role group memberships.

Regular reporting is vital for maintaining security and compliance. It helps you monitor access and identify potential risks.

I encourage you to integrate this process into your workflows. Doing so will enhance your organization's security posture and ensure compliance with industry standards.

FAQ

What is Microsoft Purview?

Microsoft Purview is a unified data governance solution that helps you manage and protect your data across various environments. It provides tools for data discovery, classification, and compliance.

Why use PowerShell for Purview reports?

Using PowerShell automates the report generation process, saving you time and reducing manual errors. It allows you to efficiently retrieve and manage role group memberships in Purview.

How often should I generate Purview role group reports?

You should generate Purview role group reports regularly, ideally monthly or quarterly. This practice helps you monitor access and maintain compliance with security policies.

What if I encounter errors while running the PowerShell script?

If you encounter errors, check your permissions, ensure the ExchangeOnlineManagement module (and Microsoft.Graph, if used) is installed and current, and verify that a compliance session is connected with Get-ConnectionInformation. A "not recognized" error for Get-RoleGroup almost always means you are not connected to Security & Compliance PowerShell, or your account lacks the role that exposes the cmdlet.

Can I customize the report format?

Yes. Replace ConvertTo-Html with Export-Csv for CSV or ConvertTo-Json for JSON, which are the formats SIEMs and GRC tools ingest. PowerShell has no built-in PDF cmdlet, so PDF output requires an external converter.

Permissions, Role Management, and Auditing FAQ

This section covers the permissions, role management, and auditing questions that come up when building a Purview role group report with Security & Compliance PowerShell and the Microsoft Graph PowerShell SDK, including reports prepared for compliance and eDiscovery reviews.

What is a purview role group report with powershell and why would I create one?

A Purview role group report is an exported list (CSV, JSON, or HTML) of each role group in the Microsoft Purview compliance portal, the roles assigned to it, and its members. You create one to verify who holds privileged compliance access (for example Organization Management or eDiscovery Manager), to support access recertification and compliance audits, and to feed change control or insider-risk reviews with evidence of who could search, export, or purge data at a given point in time.

Which powershell module do I use to generate a report for microsoft purview role groups?

Use the ExchangeOnlineManagement module: Connect-IPPSSession connects to Security & Compliance PowerShell, where Get-RoleGroup and Get-RoleGroupMember list the compliance role groups and their members. Add the Microsoft Graph PowerShell SDK when you want to resolve members to Entra ID objects (department, account status, guest status) or to expand security groups nested in a role group. Microsoft Learn documents both modules and their cmdlets.

What permissions do I need to run a purview role group report with powershell?

You need to be a member of a role group that can read role group configuration, typically Organization Management (Global Administrators are members by default) or a custom role group that includes the Role Management role. For Graph queries, the signed-in account must consent to the read scopes you request (for example User.Read.All and Group.Read.All); listing Entra directory role assignments additionally needs RoleManagement.Read.Directory, and reading the directory audit log needs AuditLog.Read.All.

How can I list role group members and their roles using microsoft graph powershell sdk?

Purview compliance role groups are not Entra directory roles, so Graph's directory roleDefinitions and roleAssignments resources do not list them; use Get-RoleGroup and Get-RoleGroupMember from Security & Compliance PowerShell for that. Use Graph (Get-MgUser, Get-MgGroup, and Get-MgGroupTransitiveMember with User.Read.All and Group.Read.All) to resolve each member to a directory object and to expand nested groups, and Get-MgRoleManagementDirectoryRoleAssignment with RoleManagement.Read.Directory if you also want Entra roles such as Global Administrator or Compliance Administrator in the same export. Merge the results and export them to CSV.

Can I include eDiscovery and information protection roles in the same report?

Yes. The eDiscovery role groups (such as eDiscovery Manager) and the information protection role groups are all Purview compliance role groups, so a single Get-RoleGroup pass returns them together with the rest. If you also want Entra directory roles in the same report, pull those with Microsoft Graph, normalize the columns (source, role group, roles, member, member type), and merge the rows into one export.

How do I audit changes to role groups and track role permissions over time?

Use the unified audit log: Search-UnifiedAuditLog in Security & Compliance PowerShell records role group changes made through the portal or PowerShell, such as Add-RoleGroupMember and Remove-RoleGroupMember, and Microsoft Graph (Get-MgAuditLogDirectoryAudit with AuditLog.Read.All) records Entra directory role changes. Complement the logs with scheduled snapshots of the report: diffing consecutive snapshots reveals drift that nobody raised a ticket for, and the stored snapshots double as compliance evidence.
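Snapshot diffing, as described in this answer and in the "Analyze Report Data" advice to identify trends and track changes over time, as an added example that is not part of the original article. The function compares two membership snapshots in the shape the report exports (RoleGroup and Member columns) and rates an addition to a privileged role group as High. The two snapshots below are constructed sample data so the block runs offline; the commented lines at the end show how a scheduled run would load the two newest JSON exports instead. The privileged role group list is this example's own choice.

```powershell
# Added example: drift detection between two role group membership snapshots.
# Sample snapshots are constructed; file paths in the trailing comments are placeholders.

function Compare-RoleGroupSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Previous,
        [Parameter(Mandatory)] [object[]] $Current,
        [string[]] $PrivilegedRoleGroups = @('Organization Management', 'Compliance Administrator',
                                             'Security Administrator', 'eDiscovery Manager')
    )
    # One key per membership edge, so a member moving between role groups shows as a removal
    # from one group plus an addition to the other rather than as "no change".
    $toKey    = { "$($_.RoleGroup)|$($_.Member)" }
    $prevKeys = @($Previous | ForEach-Object $toKey)
    $currKeys = @($Current  | ForEach-Object $toKey)
    # HashSets rather than Compare-Object: Compare-Object rejects an empty array, and an empty
    # previous snapshot (first run) is a legitimate input here.
    $prevSet  = [System.Collections.Generic.HashSet[string]]::new([string[]]$prevKeys)
    $currSet  = [System.Collections.Generic.HashSet[string]]::new([string[]]$currKeys)

    $emit = {
        param($Change, $Key)
        $roleGroup, $member = $Key -split '\|', 2
        $severity = if ($Change -eq 'Added' -and $PrivilegedRoleGroups -contains $roleGroup) { 'High' } else { 'Info' }
        [PSCustomObject]@{ Change = $Change; RoleGroup = $roleGroup; Member = $member; Severity = $severity }
    }
    foreach ($k in $currKeys) { if (-not $prevSet.Contains($k)) { & $emit 'Added'   $k } }
    foreach ($k in $prevKeys) { if (-not $currSet.Contains($k)) { & $emit 'Removed' $k } }
}

# Constructed sample snapshots (not real tenant data), in the shape of the JSON export.
$previous = @'
[ { "RoleGroup": "Compliance Administrator", "Member": "Alice Adams" },
  { "RoleGroup": "eDiscovery Manager",       "Member": "Bob Brown" },
  { "RoleGroup": "Reviewer",                 "Member": "Carol Chen" } ]
'@ | ConvertFrom-Json

$current = @'
[ { "RoleGroup": "Compliance Administrator", "Member": "Alice Adams" },
  { "RoleGroup": "Compliance Administrator", "Member": "Dan Diaz" },
  { "RoleGroup": "Reviewer",                 "Member": "Carol Chen" } ]
'@ | ConvertFrom-Json

$changes = Compare-RoleGroupSnapshot -Previous $previous -Current $current
$changes | Format-Table -AutoSize
$escalation = [bool]($changes | Where-Object Severity -eq 'High')

# In the scheduled script, load the two newest exports instead of the samples and fail the
# run on an escalation so the scheduler or SIEM can alert on it:
#   $files    = Get-ChildItem 'C:\Reports\Purview\PurviewRoleGroups-*.json' | Sort-Object Name | Select-Object -Last 2
#   $previous = Get-Content $files[0].FullName -Raw | ConvertFrom-Json
#   $current  = Get-Content $files[1].FullName -Raw | ConvertFrom-Json
#   if ($escalation) { exit 2 }
```

With the sample data the function reports one High change (Dan Diaz added to Compliance Administrator) and one Info change (Bob Brown removed from eDiscovery Manager). The High rating is deliberately asymmetric: an unexplained removal is worth a question, but an unexplained addition to a privileged role group is the signature of privilege escalation and should page someone.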

What are common built-in role limitations I should watch for in purview role group reports?

Built-in role groups such as Organization Management and Compliance Administrator are broad: their members can change retention settings, run content searches, or purge search results. The roles assigned to a built-in role group cannot be edited (you can only change its membership or create a custom role group with fewer roles), so a report should flag members of these groups, show users who sit in several overlapping groups, and call out memberships that coincide with Entra roles such as Global Administrator.

How do I handle role groups for delegated administration and reduce privileged role exposure?

Identify who sits in the privileged role groups and apply least privilege: move routine tasks to a narrower custom role group built from only the roles needed, remove memberships that are no longer justified, and keep emergency access on separate, monitored break-glass accounts. The report should flag members of Organization Management, accounts that also hold Entra admin roles, guests, disabled accounts, and any service principal or application that holds a role assignment.

Where can I find examples and best practices for creating these reports and automating them?

Microsoft Learn documents the Security & Compliance PowerShell cmdlets (Connect-IPPSSession, Get-RoleGroup, Get-RoleGroupMember, Search-UnifiedAuditLog) and the Microsoft Graph PowerShell SDK. Good practice is to schedule the export with certificate-based app-only authentication, keep every snapshot, diff consecutive snapshots, correlate findings with the unified audit log, and route the results into your access-review or change-management workflow.