Comments on: Disabling PowerShell for Exchange Online Users
https://practical365.com/exchange-online-powershell-remove/
Practical Office 365 News, Tips, and Tutorials
Thu, 12 Oct 2023 08:49:26 +0000

By: Tony Redmond https://practical365.com/exchange-online-powershell-remove/#comment-269117 Tue, 18 Jul 2023 15:54:49 +0000 https://practical365.com/?p=58459#comment-269117 In reply to Doyle.

Very nice. For SDK V2, you’ll need to use Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance (has anyone said that they hate the SDK cmdlet names?)

Also, you can use Get-MgGroupMember to get the group members if you want to eliminate the Azure AD module as much as possible.

I came up with another solution for PIM assignments in https://office365itpros.com/2023/07/12/privileged-identity-management-ps/. Now I guess I can add eligible assignments to the set.

By: Doyle https://practical365.com/exchange-online-powershell-remove/#comment-269115 Tue, 18 Jul 2023 15:39:06 +0000 https://practical365.com/?p=58459#comment-269115 In reply to Tony Redmond.

What about this for getting PIM-eligible users and also expanding the PIM-eligible groups using Graph cmdlets?

# Now get the list of users and groups ELIGIBLE for the Exchange and Global Admin roles
$EligibleAssignments = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -ExpandProperty "*" -All
foreach ($Role in $EligibleAssignments) {
    If ($Role.RoleDefinition.DisplayName -eq "Exchange Administrator" -or $Role.RoleDefinition.DisplayName -eq "Global Administrator") {
        If ($Role.Principal.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.user") {
            # The [array] cast keeps += appending elements even if $AdminUsers starts out empty
            [array]$AdminUsers += $Role.Principal.AdditionalProperties.userPrincipalName
        }
        elseif ($Role.Principal.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.group") {
            # Expand an eligible group into the user principal names of its members
            [array]$AdminUsers += Get-AzureADGroupMember -ObjectId (Get-AzureADGroup -Filter "DisplayName eq '$($Role.Principal.AdditionalProperties.displayName)'").ObjectId | ForEach-Object { $_.userPrincipalName }
        }
    }
}
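
An added example, not part of any comment in this thread or of the article's script: one way to combine the eligibility query above with the Get-MgGroupMember suggestion, resolving each eligible group by the assignment's PrincipalId instead of a display-name filter. The function name Get-EligibleAdminUpn, its -MemberResolver parameter, the New-SamplePrincipal helper and the sample objects are assumptions made for illustration.

```powershell
function Get-EligibleAdminUpn {
    param(
        [Parameter(Mandatory)] [object[]] $Assignment,
        [string[]] $RoleName = @('Exchange Administrator', 'Global Administrator'),
        # Hypothetical hook so the logic can run against a stub instead of a live tenant.
        [scriptblock] $MemberResolver = { param($GroupId) Get-MgGroupMember -GroupId $GroupId -All }
    )
    # Case-insensitive set: a user eligible both directly and through a group is listed once.
    $Upns = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($Item in $Assignment) {
        if ($Item.RoleDefinition.DisplayName -notin $RoleName) { continue }
        $Props = $Item.Principal.AdditionalProperties
        if ($Props['@odata.type'] -eq '#microsoft.graph.user') {
            [void]$Upns.Add($Props['userPrincipalName'])
        }
        elseif ($Props['@odata.type'] -eq '#microsoft.graph.group') {
            # Resolve by object id: display names are not unique and can be changed.
            foreach ($Member in (& $MemberResolver $Item.PrincipalId)) {
                $MemberProps = $Member.AdditionalProperties
                if ($MemberProps['@odata.type'] -eq '#microsoft.graph.user') {
                    [void]$Upns.Add($MemberProps['userPrincipalName'])
                }
            }
        }
    }
    @($Upns | Sort-Object)
}

# Constructed sample objects (not tenant output), shaped like the expanded SDK results.
function New-SamplePrincipal ($Type, $Upn) {
    @{ AdditionalProperties = @{ '@odata.type' = "#microsoft.graph.$Type"; userPrincipalName = $Upn } }
}
$Sample = @(
    [pscustomobject]@{ PrincipalId = 'id-user-1'; RoleDefinition = @{ DisplayName = 'Global Administrator' }
                       Principal = (New-SamplePrincipal 'user' 'alice@contoso.example') }
    [pscustomobject]@{ PrincipalId = 'id-group-1'; RoleDefinition = @{ DisplayName = 'Exchange Administrator' }
                       Principal = (New-SamplePrincipal 'group' $null) }
    # A role outside the two admin roles; the function must skip it.
    [pscustomobject]@{ PrincipalId = 'id-user-2'; RoleDefinition = @{ DisplayName = 'Teams Administrator' }
                       Principal = (New-SamplePrincipal 'user' 'carol@contoso.example') }
)
# Stub resolver standing in for Get-MgGroupMember: every group has one constructed member.
$Stub = { param($GroupId) New-SamplePrincipal 'user' 'bob@contoso.example' }
Get-EligibleAdminUpn -Assignment $Sample -MemberResolver $Stub

# Live tenant, using the SDK V2 cmdlet named in the thread:
# Get-EligibleAdminUpn -Assignment (Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance -ExpandProperty '*' -All)
```
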

By: Justin https://practical365.com/exchange-online-powershell-remove/#comment-268035 Tue, 04 Jul 2023 14:11:49 +0000 https://practical365.com/?p=58459#comment-268035 In reply to Tony Redmond.

For the record, it had nothing to do with modules but with the session; some commands are the same in Exchange Online and on-prem on the Hybrid server.

But I found a good way to avoid it with "Import-PSSession $Session -Prefix Hybrid"

Then Set-User is for Exchange Online and Set-HybridUser is for on-prem.

By: Tony Redmond https://practical365.com/exchange-online-powershell-remove/#comment-267569 Thu, 29 Jun 2023 10:10:31 +0000 https://practical365.com/?p=58459#comment-267569 In reply to Justin.

There are some cmdlets in the Azure AD module that deal with PIM role assignments. They haven’t been moved to the Microsoft Graph PowerShell SDK yet. When they are, I will update the code to deal with assignments, but your workaround is as good as any for now.

By: Justin https://practical365.com/exchange-online-powershell-remove/#comment-267567 Thu, 29 Jun 2023 09:58:57 +0000 https://practical365.com/?p=58459#comment-267567 In reply to Tony Redmond.

Yeah, I found a way to make it work with a small adjustment regarding the groups, not foolproof since the groups can change:

Adding:
# Get users from PIM groups
ForEach ($Group in $PIMGroups)
{
    [array]$Admins += Get-MgGroupMember -GroupId (Get-MgGroup -Filter "DisplayName eq '$Group'").Id | Select-Object -ExpandProperty AdditionalProperties
}

Adjusting:
[array]$AdminAccounts = $GlobalAdmins.userPrincipalName + $ExoAdmins.userPrincipalName + $Admins.userPrincipalName | Sort-Object -Unique

By: Tony Redmond https://practical365.com/exchange-online-powershell-remove/#comment-267559 Thu, 29 Jun 2023 08:50:34 +0000 https://practical365.com/?p=58459#comment-267559 In reply to Justin.

Well, that’s a pity… we write PowerShell scripts as examples to explain principles rather than as full-fledged solutions. Feel free to develop your own script!

By: Justin https://practical365.com/exchange-online-powershell-remove/#comment-267551 Thu, 29 Jun 2023 06:58:57 +0000 https://practical365.com/?p=58459#comment-267551

After further testing I found out that this script has no use for us. It checks only for the Active members in roles and not the eligible ones (which is the best practice).

By: Tony Redmond https://practical365.com/exchange-online-powershell-remove/#comment-267406 Tue, 27 Jun 2023 09:22:45 +0000 https://practical365.com/?p=58459#comment-267406 In reply to Justin.

Normally, I use Get-Module to create an array of the loaded modules and then check if the Exchange Online module is loaded:

[array]$Modules = Get-Module | Select-Object -ExpandProperty Name
If ("ExchangeOnlineManagement" -notin $Modules) { Write-Host "Exchange Online not connected" }

By: Justin https://practical365.com/exchange-online-powershell-remove/#comment-267404 Tue, 27 Jun 2023 08:42:50 +0000 https://practical365.com/?p=58459#comment-267404 In reply to Justin.

Never mind, I think I found a way: make sure the on-prem Exchange PS session is not loaded/connected.

I am adjusting this script so it works in a Hybrid environment.

By: Justin https://practical365.com/exchange-online-powershell-remove/#comment-267402 Tue, 27 Jun 2023 08:32:47 +0000 https://practical365.com/?p=58459#comment-267402

Set-User is a command that is used both on-prem and in the cloud.

How do I make sure it is executed in the cloud and not on-prem?
