I am using differential query (AzureAD graph API) to detect changes in Azure AD from the last sync. I am getting all users, group memberships, manager changes. The only missing information is Directory Role assignment (e.g. Billing administrator, SharePoint administrator etc.). How can I detect a change in roles of any user?

API - https://graph.windows.net/{org}/directoryObjects?api-version=1.5&deltaLink=xxxxxttttxxxxxxxx

1 Answer

First, if you have enabled those Directory Roles, you can use AAD Graph API operations on directory roles to list members of those roles.

GET https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members?api-version=1.6

But this API can also list service principals which are assigned this role.
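Since the differential query does not cover directory roles, one way to use the endpoint above is to snapshot each role's `$links/members` response on every sync and diff it against the previous snapshot. The script below is an added example, not code from the answer's author: it assumes the `$links/members` response is a `value` array of entries with a `url` field ending in `Microsoft.DirectoryServices.<Type>`, uses that suffix to separate users from service principals, and uses constructed sample data with placeholder object ids.

```python
import json
import re
from typing import Set, Tuple

# Constructed sample snapshots of one role's $links/members response,
# taken on two consecutive syncs. The Microsoft.DirectoryServices.<Type>
# suffix is assumed here to identify the member's object type; note that a
# service principal appears next to the users, as the answer points out.
ROLE_ID = "role-object-id-placeholder"  # not a real object id
PREVIOUS = json.loads("""{"value":[
 {"url":"https://graph.windows.net/contoso/directoryObjects/u-1/Microsoft.DirectoryServices.User"},
 {"url":"https://graph.windows.net/contoso/directoryObjects/sp-1/Microsoft.DirectoryServices.ServicePrincipal"}]}""")
SNAPSHOT_NOW = json.loads("""{"value":[
 {"url":"https://graph.windows.net/contoso/directoryObjects/u-1/Microsoft.DirectoryServices.User"},
 {"url":"https://graph.windows.net/contoso/directoryObjects/u-2/Microsoft.DirectoryServices.User"},
 {"url":"https://graph.windows.net/contoso/directoryObjects/sp-2/Microsoft.DirectoryServices.ServicePrincipal"}]}""")

# Assumed link shape: .../directoryObjects/<objectId>/Microsoft.DirectoryServices.<Type>
LINK_RE = re.compile(r"/directoryObjects/([^/]+)/Microsoft\.DirectoryServices\.(\w+)$")


def members_url(org: str, role_object_id: str) -> str:
    """Build the members-link URL from the answer for one directory role."""
    return (f"https://graph.windows.net/{org}/directoryRoles/"
            f"{role_object_id}/$links/members?api-version=1.6")


def parse_members(response: dict, only_type: str = "User") -> Set[str]:
    """Extract member object ids of one type; service principals are dropped by default."""
    ids = set()
    for entry in response.get("value", []):
        m = LINK_RE.search(entry["url"])
        if m and m.group(2) == only_type:
            ids.add(m.group(1))
    return ids


def diff_role(previous: dict, current: dict) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) user object ids between two snapshots of a role."""
    before, after = parse_members(previous), parse_members(current)
    return after - before, before - after


if __name__ == "__main__":
    print(members_url("myorganization", ROLE_ID))
    added, removed = diff_role(PREVIOUS, SNAPSHOT_NOW)
    print("users added:", sorted(added), "users removed:", sorted(removed))
```

Run the same diff once per enabled directory role on each sync; a non-empty `added` or `removed` set is the role-assignment change the differential query does not report.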