Get-EntraUserCBAAuthorizationInfo

Retrieves authorization information for a Microsoft Entra ID user, including certificate-based authentication identifiers.

Syntax

Get-EntraUserCBAAuthorizationInfo
   [-UserId] <String>
   [-Raw]
   [<CommonParameters>]

Description

The Get-EntraUserCBAAuthorizationInfo cmdlet retrieves authorization information for a specified user in Microsoft Entra ID. This includes certificate user identifiers that are used for certificate-based authentication (CBA).

By default, the command returns a formatted object with parsed certificate details. You can use the -Raw parameter to get the unprocessed response from the Microsoft Graph API.

Get-EntraUserAuthorizationInfo is an alias of Get-EntraUserCBAAuthorizationInfo.

In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation:

  • Privileged Authentication Administrator (for Cloud-only users)
  • Hybrid Identity Administrator (for synchronized users)

Examples

Example 1: Get authorization information for a user by User Principal Name

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUserCBAAuthorizationInfo -UserId '[email protected]'

Id                : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
DisplayName       : Sawyer Miller
UserPrincipalName : [email protected]
UserType          : Member
AuthorizationInfo : @{CertificateUserIds=System.Object[]; RawAuthorizationInfo=System.Collections.Hashtable}

This command retrieves the authorization information for the user with the specified User Principal Name.

Example 2: Retrieve authorization information for a user

Connect-Entra -Scopes 'User.Read.All'
$userInfo = Get-EntraUserCBAAuthorizationInfo -UserId '[email protected]'
$userInfo.AuthorizationInfo.CertificateUserIds | Format-Table Type, TypeName, Value

Type TypeName      Value
---- --------      -----
PN   PrincipalName [email protected]
S    Subject       [email protected]

This example retrieves the authorization information and lists each parsed certificate user ID with its type code, type name, and value.

Example 3: Extract specific certificate user IDs

Connect-Entra -Scopes 'User.Read.All'
$userInfo = Get-EntraUserCBAAuthorizationInfo -UserId '[email protected]'
$userInfo.AuthorizationInfo.CertificateUserIds | Where-Object Type -eq "PN" | Select-Object -ExpandProperty Value

[email protected]

This example retrieves the authorization information and then filters to display only the Principal Name certificate values.

Example 4: Retrieve raw API response

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUserCBAAuthorizationInfo -UserId '[email protected]' -Raw

Name                           Value
----                           -----
userType                       Member
authorizationInfo              {[certificateUserIds, System.Object[]]}
id                             aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
@odata.context                 https://graph.microsoft.com/..
displayName                    Sawyer Miller
userPrincipalName              [email protected]

This command retrieves the raw, unprocessed authorization information directly from the API.

Example 5: Use the results with pipeline

Connect-Entra -Scopes 'User.Read.All'
Get-EntraUserCBAAuthorizationInfo -UserId '[email protected]' |
    Select-Object UserPrincipalName, @{
        Name = 'CertificateTypes';
        Expression = { $_.AuthorizationInfo.CertificateUserIds.Type -join ", " }
    }

UserPrincipalName            CertificateTypes
-----------------            ----------------
[email protected] PN, S

This example retrieves the authorization information and creates a custom view showing the user principal name and certificate types.
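The examples above each inspect one user. A review pass over several users' bindings, added here as an example and not part of the Entra PowerShell module or this page: Test-EntraCbaBinding consumes the cmdlet's default output (the object shape documented under Outputs) and flags accounts with no bindings, PN bindings whose value differs from the account's UPN, and duplicate bindings. The checks are this example's own policy, the function name is hypothetical, and the sample object at the end is constructed so the function can be exercised without a tenant connection.

```powershell
# Added example, not part of the Entra PowerShell module or its docs.
# Reviews the certificate user ID bindings returned by Get-EntraUserCBAAuthorizationInfo.
function Test-EntraCbaBinding {
    [CmdletBinding()]
    param(
        # One output object of Get-EntraUserCBAAuthorizationInfo (default form, not -Raw)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $ids      = @($User.AuthorizationInfo.CertificateUserIds)
        $findings = [System.Collections.Generic.List[string]]::new()

        if ($ids.Count -eq 0) {
            $findings.Add('No certificate user IDs bound')
        }

        # A PN binding that differs from the UPN may be intentional (for example after a
        # UPN change) but means a certificate issued to another name maps to this account,
        # so it deserves review. -ne is case-insensitive in PowerShell.
        foreach ($pn in ($ids | Where-Object Type -eq 'PN')) {
            if ($pn.Value -ne $User.UserPrincipalName) {
                $findings.Add("PN binding '$($pn.Value)' does not match UPN")
            }
        }

        # The same Type/Value bound twice is usually a configuration slip.
        $dupes = $ids | Group-Object Type, Value | Where-Object Count -gt 1
        foreach ($d in $dupes) {
            $findings.Add("Duplicate binding: $($d.Name)")
        }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            UserType          = $User.UserType
            BindingTypes      = ($ids.Type | Sort-Object -Unique) -join ', '
            Findings          = $findings -join '; '
        }
    }
}

# Live use (after Connect-Entra -Scopes 'User.Read.All'); the UPNs are placeholders:
#   'user1@contoso.com', 'user2@contoso.com' |
#       Get-EntraUserCBAAuthorizationInfo | Test-EntraCbaBinding | Format-Table -AutoSize

# Offline check with a constructed object shaped like the cmdlet's default output.
$sample = [pscustomobject]@{
    Id                = '00000000-0000-0000-0000-000000000001'
    DisplayName       = 'Alice Example'
    UserPrincipalName = 'alice@contoso.com'
    UserType          = 'Member'
    AuthorizationInfo = [pscustomobject]@{
        CertificateUserIds = @(
            [pscustomobject]@{ Type = 'PN'; TypeName = 'PrincipalName'; Value = 'bob@contoso.com' }
            [pscustomobject]@{ Type = 'S';  TypeName = 'Subject';       Value = 'CN=Alice Example' }
        )
    }
}
$sample | Test-EntraCbaBinding | Format-List
```

For the constructed object the Findings column reports the PN mismatch (bob@contoso.com bound to alice@contoso.com); a clean account produces an empty Findings value, which makes the report easy to filter with Where-Object Findings.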

Parameters

-Raw

Indicates that the cmdlet returns the raw API response without processing. Use this parameter when you want to see the complete, unmodified response from Microsoft Graph.

Type:SwitchParameter
Aliases:RawResponse
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-UserId

Specifies the user to look up. This can be either a user principal name (UPN, which usually has the form of an email address) or the user's object ID (GUID).

Type:String
Aliases:ObjectId, UPN, Identity, UserPrincipalName
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

Inputs

System.String

You can pipe a string that contains a user ID or UPN to this cmdlet.

Outputs

System.Management.Automation.PSObject

By default, the cmdlet returns a custom PSObject with the following properties:

  • Id: The unique identifier of the user
  • DisplayName: The display name of the user
  • UserPrincipalName: The user principal name (email address) of the user
  • UserType: The type of user account (for example, "Member", "Guest")
  • AuthorizationInfo: An object containing:
      • CertificateUserIds: An array of parsed certificate user ID objects (Type, TypeName, Value)
      • RawAuthorizationInfo: The original authorization info from the API

Note: When the -Raw parameter is used, the cmdlet returns the raw API response as a PSObject.

Notes

Certificate user IDs are stored in the X509 format, X509:<Type>value. The common types are:

  • PN: Principal Name
  • S: Subject
  • I: Issuer
  • SR: Serial Number
  • SKI: Subject Key Identifier
  • SHA1-PUKEY: SHA1 Public Key

Because these values determine which certificate fields Entra ID matches to the account during certificate-based authentication, treat any change to them as a credential change and review them accordingly.
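The -Raw response carries certificateUserIds as plain X509:<Type>value strings, and the default output is the parsed form of those strings. The following is an added example, not code from the Entra PowerShell module or this page, that performs that parsing over a constructed -Raw-shaped response so the relationship between the two forms is visible. The TypeName strings for PN and S match the cmdlet's output in Example 2; the names for the other four types, the handling of several <Type> segments in one string, and all sample data are this example's own assumptions.

```powershell
# Added example, not part of the Entra PowerShell module or its docs.
# Parses raw certificateUserIds strings ('X509:<TYPE>value') into Type/TypeName/Value objects.

# Type codes as listed under Notes. PN and S names match the cmdlet's output;
# the remaining names are assumed for this example.
$CertUserIdTypeNames = @{
    'PN'         = 'PrincipalName'
    'S'          = 'Subject'
    'I'          = 'Issuer'
    'SR'         = 'SerialNumber'
    'SKI'        = 'SubjectKeyIdentifier'
    'SHA1-PUKEY' = 'SHA1PublicKey'
}

function ConvertFrom-CertificateUserId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CertificateUserId
    )
    process {
        # -notmatch still populates $Matches when the pattern does match.
        if ($CertificateUserId -notmatch '^X509:(?<body><.+)$') {
            throw "Not an X509 certificate user ID: '$CertificateUserId'"
        }
        # Every '<TYPE>value' segment becomes one object. A value runs up to the next
        # '<TYPE>' marker (assumption: one string may hold several segments, such as an
        # issuer followed by a serial number), so values containing '<' are not supported.
        $segments = [regex]::Matches($Matches['body'], '<(?<type>[A-Z0-9-]+)>(?<value>[^<]*)')
        foreach ($segment in $segments) {
            $type  = $segment.Groups['type'].Value
            $value = $segment.Groups['value'].Value
            if (-not $CertUserIdTypeNames.ContainsKey($type)) {
                Write-Warning "Unknown certificate user ID type '$type' in '$CertificateUserId'"
            }
            if ([string]::IsNullOrWhiteSpace($value)) {
                Write-Warning "Empty value for type '$type' in '$CertificateUserId'"
            }
            [pscustomobject]@{
                Type     = $type
                TypeName = $CertUserIdTypeNames[$type]
                Value    = $value
            }
        }
    }
}

# Constructed stand-in for a -Raw response (same keys as the -Raw example above);
# not real tenant data.
$raw = @{
    id                = '00000000-0000-0000-0000-000000000001'
    userPrincipalName = 'alice@contoso.com'
    authorizationInfo = @{
        certificateUserIds = @(
            'X509:<PN>alice@contoso.com'
            'X509:<S>CN=Alice Example,OU=Users,DC=contoso,DC=com'
            'X509:<I>CN=Contoso Issuing CA,DC=contoso,DC=com<SR>0A1B2C3D4E5F'
            'X509:<SKI>9B1A2C3D4E5F60718293A4B5C6D7E8F901234567'
            'X509:<SHA1-PUKEY>0123456789ABCDEF0123456789ABCDEF01234567'
        )
    }
}

$raw.authorizationInfo.certificateUserIds |
    ConvertFrom-CertificateUserId |
    Format-Table Type, TypeName, Value -AutoSize
```

The parser throws on anything that does not start with X509: and warns on type codes outside the table rather than silently dropping them, which is the behaviour you want when auditing values written by other tools.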