It is common to be asked for performing a security audit on Team Foundation Server, and it is not a nightmare as it would seem…
The easiest way is to download the Audit Log. You can find it in the Access Levels administration page:
What you are going to get is a .csv file, containing all the groups and accounts allowed into Team Foundation Server, each with its unique internal URI (vstfs://…), the last access date and its access level.
These will give you all the informations about each user/group and its relationships and privileges, so wrapping their outputs and creating a very simple report is just a matter of time