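# Enumerate every administrative unit (AU), the scoped role assignments on it,
# and the AU members those assignments apply to. The output is an audit view:
# each "[+] Summary:" line spells out one principal -> role -> member relation
# so reviewers can check that AU-scoped role holders are expected.
#
# Prerequisites: an existing Microsoft Graph session (Connect-MgGraph) with
# read access to directory objects, directory roles and administrative units
# (Get-MgDirectoryAdministrativeUnit* and Get-MgUser cmdlets from the
# Microsoft.Graph modules).
#
# Notes on the fixes relative to the earlier version of this script:
#   * List cmdlets are called with -All. Without it Graph returns only the
#     first page, so AUs, scoped role members or AU members beyond that page
#     were silently absent from the audit.
#   * AU members are resolved once per AU instead of once per scoped role
#     member (the member set depends only on the AU, not on the assignment).
#   * Results are collected in a List instead of `+=` on an array, which
#     copies the whole array on every append.
#   * The member table is piped to Out-Host so it renders in order with the
#     Write-Host lines and is not emitted to the success stream when the
#     script's output is captured.

# Build a Name/Email table for the user members of one AU.
# Arguments: -AdministrativeUnitId  the AU object id
# Returns:   an array of [PSCustomObject] with Name and Email; empty when the
#            AU has no members that resolve via Get-MgUser.
# Members that are not users (e.g. groups, devices) return nothing from
# Get-MgUser under -ErrorAction SilentlyContinue and are therefore skipped.
function Get-AUUserMemberTable {
    param(
        [Parameter(Mandatory)]
        [string]$AdministrativeUnitId
    )

    $Members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $AdministrativeUnitId -All -ErrorAction SilentlyContinue)

    $Table = [System.Collections.Generic.List[object]]::new()
    foreach ($Member in $Members) {
        $User = Get-MgUser -UserId $Member.Id -ErrorAction SilentlyContinue
        if ($User) {
            $Table.Add([PSCustomObject]@{
                Name  = $User.DisplayName
                Email = $User.UserPrincipalName
            })
        }
    }

    # Unary comma keeps an empty/single-item result as an array on return.
    return ,$Table.ToArray()
}

# Retrieve all administrative units and loop through each one.
# @() guarantees an array (and a meaningful .Count) even for zero or one result.
$AdministrativeUnits = @(Get-MgDirectoryAdministrativeUnit -All)
foreach ($AdministrativeUnit in $AdministrativeUnits) {
    $AUId = $AdministrativeUnit.Id

    # Output Administrative Unit info
    Write-Host "========================" -ForegroundColor Yellow
    Write-Host "[+] Administrative Unit:" -NoNewline; Write-Host "$($AdministrativeUnit.DisplayName)" -ForegroundColor Cyan
    Write-Host "[+] Id:" -NoNewline; Write-Host "$($AdministrativeUnit.Id)" -ForegroundColor DarkGray
    Write-Host "[+] Description:" -NoNewline; Write-Host "$($AdministrativeUnit.Description)" -ForegroundColor DarkGray

    # Retrieve scoped role members (role assignments scoped to this AU)
    $ScopedRoleMembers = @(Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $AUId -All)
    if ($ScopedRoleMembers.Count -eq 0) {
        Write-Host "[+] No scoped role members found for this Administrative Unit." -ForegroundColor Red
        continue
    }

    Write-Host "`n[+]Scoped Role Members:" -ForegroundColor Yellow

    # Resolve the AU's user members once; every scoped role member below is
    # reported against the same member set.
    $AffectedMembersTable = Get-AUUserMemberTable -AdministrativeUnitId $AUId

    foreach ($ScopedRoleMember in $ScopedRoleMembers) {
        try {
            $MemberInfo = $ScopedRoleMember.RoleMemberInfo
            if (-not ($MemberInfo -and $MemberInfo.Id)) {
                Write-Host "[-]No valid RoleMemberInfo found for scoped role member." -ForegroundColor Red
                continue
            }

            # Resolve the principal holding the scoped role. NOTE(review): the
            # principal may not be a user (a group, for instance); Get-MgUser
            # then returns nothing and it is reported as unresolved below --
            # confirm whether such assignments should be listed separately.
            $UserId = $MemberInfo.Id
            $UserDetails = Get-MgUser -UserId $UserId -ErrorAction SilentlyContinue
            if (-not $UserDetails) {
                Write-Host "[-]Failed to retrieve user details for ID: $UserId" -ForegroundColor Red
                continue
            }

            Write-Host "Name:" -NoNewline; Write-Host "$($UserDetails.DisplayName)" -ForegroundColor Green
            Write-Host "Email:" -NoNewline; Write-Host "$($UserDetails.UserPrincipalName)" -ForegroundColor Green

            # Retrieve role information for the scoped role member
            $RoleId = $ScopedRoleMember.RoleId
            $RoleDetails = Get-MgDirectoryRole -DirectoryRoleId $RoleId -ErrorAction SilentlyContinue
            if ($RoleDetails) {
                Write-Host "Role:" -NoNewline; Write-Host "$($RoleDetails.DisplayName)" -ForegroundColor Blue
                Write-Host "Description:" -NoNewline; Write-Host "$($RoleDetails.Description)" -ForegroundColor Blue
            }

            # Members the scoped role applies to; header only when there is
            # something to show, so an AU with only non-user members does not
            # print an empty section.
            if ($AffectedMembersTable.Count -gt 0) {
                Write-Host "Vulnerable Users:" -ForegroundColor Magenta
                $AffectedMembersTable | Format-Table -AutoSize | Out-Host

                # Summary line per member: who holds which role over whom
                foreach ($AffectedMember in $AffectedMembersTable) {
                    Write-Host "[+] Summary:" -NoNewline; Write-Host "$($UserDetails.DisplayName) (Role: $($RoleDetails.DisplayName)) -> $($AffectedMember.Name) ($($AffectedMember.Email))." -ForegroundColor Yellow
                }
            }
        }
        catch {
            # Keep the visible warning minimal, but retain the detail in the
            # verbose stream so a run with -Verbose / $VerbosePreference can
            # still diagnose what failed.
            Write-Host "[-]Failed to retrieve details for scoped role member." -ForegroundColor DarkYellow
            Write-Verbose "Scoped role member lookup failed: $($_.Exception.Message)"
        }
    }
}

Write-Host "========================" -ForegroundColor Yellow
Write-Host "Process completed." -ForegroundColor Cyan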