tutorial-role-assignments-group-powershell.md
Tutorial: Grant a group access to Azure resources using Azure PowerShell
Azure role-based access control (Azure RBAC) is the way that you manage access to Azure resources. In this tutorial, you grant a group access to view everything in a subscription and manage everything in a resource group using Azure PowerShell.
In this tutorial, you learn how to:
- Grant access for a group at different scopes
- List access
- Remove access
If you don't have an Azure subscription, create a free account before you begin.
We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
Prerequisites
To complete this tutorial, you will need:
- Permissions to create groups in Microsoft Entra ID (or have an existing group)
- Azure Cloud Shell
- Microsoft Graph PowerShell SDK
Role assignments
In Azure RBAC, to grant access, you create a role assignment. A role assignment consists of three elements: security principal, role definition, and scope. Here are the two role assignments you will perform in this tutorial:
Security principal | Role definition | Scope
---|---|---
Group (RBAC Tutorial Group) | Reader | Subscription
Group (RBAC Tutorial Group) | Contributor | Resource group (rbac-tutorial-resource-group)
Create a group
To assign a role, you need a user, group, or service principal. If you don't already have a group, you can create one.
In Azure Cloud Shell, create a new group using the New-MgGroup command.
If you don't have permissions to create groups, you can try the Tutorial: Grant a user access to Azure resources using Azure PowerShell instead.
Create a resource group
You use a resource group to show how to assign a role at a resource group scope.
Get a list of region locations using the Get-AzLocation command.
Select a location near you and assign it to a variable.
Create a new resource group using the New-AzResourceGroup command.
Grant access
To grant access for the group, you use the New-AzRoleAssignment command to assign a role. You must specify the security principal, role definition, and scope.
Get the object ID of the group using the Get-MgGroup command.
Save the group object ID in a variable.
Get the ID of your subscription using the Get-AzSubscription command.
Save the subscription scope in a variable.
Assign the Reader role to the group at the subscription scope.
Assign the Contributor role to the group at the resource group scope.
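The steps above (create the group, create the resource group, make the two assignments) as one runnable script. This is an added example, not the tutorial's own commands; it assumes you have already run Connect-AzAccount with the Az module and that the Microsoft Graph PowerShell SDK is installed. The mail nickname, the region and the variable names are my choices, and -ObjectType Group is passed because a principal created seconds earlier may not yet be visible to Azure Resource Manager through the directory.

```powershell
# Added example (not part of the tutorial). Assumes Connect-AzAccount has been run.
# Group.ReadWrite.All is the Graph permission needed to create and read the group.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# 1. A security-enabled group with no mailbox (Microsoft Graph PowerShell SDK).
$group = New-MgGroup -DisplayName 'RBAC Tutorial Group' `
                     -MailEnabled:$false -MailNickname 'rbactutorialgroup' `
                     -SecurityEnabled
$groupId = $group.Id

# 2. The resource group that serves as the narrow scope. Pick any region from Get-AzLocation.
$location = 'eastus'
$rg = New-AzResourceGroup -Name 'rbac-tutorial-resource-group' -Location $location

# 3. Scopes are ARM resource IDs. The subscription scope is "/subscriptions/<id>",
#    the resource group scope is the ID Azure returned for the new group.
$subscriptionId = (Get-AzContext).Subscription.Id
$subScope = "/subscriptions/$subscriptionId"
$rgScope  = $rg.ResourceId

# 4. Least privilege at the wide scope (read only), write access only at the narrow scope.
#    -ObjectType lets ARM skip the directory lookup that can fail for a just-created principal.
New-AzRoleAssignment -ObjectId $groupId -ObjectType Group -RoleDefinitionName 'Reader'      -Scope $subScope
New-AzRoleAssignment -ObjectId $groupId -ObjectType Group -RoleDefinitionName 'Contributor' -Scope $rgScope
```

If the second New-AzRoleAssignment still reports that the principal cannot be found, the new group has not replicated yet; wait a few seconds and rerun only that command, since a role assignment that already exists fails with a conflict rather than being created twice.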
List access
To verify the access for the subscription, use the Get-AzRoleAssignment command to list the role assignments.
In the output, you can see that the Reader role has been assigned to the RBAC Tutorial Group at the subscription scope.
To verify the access for the resource group, use the Get-AzRoleAssignment command to list the role assignments.
In the output, you can see that both the Contributor and Reader roles have been assigned to the RBAC Tutorial Group. The Contributor role is assigned at the rbac-tutorial-resource-group scope, and the Reader role is inherited from the subscription scope.
(Optional) List access using the Azure Portal
To see how the role assignments look in the Azure portal, view the Access control (IAM) blade for the subscription.
View the Access control (IAM) blade for the resource group.
Remove access
To remove access for users, groups, and applications, use Remove-AzRoleAssignment to remove a role assignment.
Use the following command to remove the Contributor role assignment for the group at the resource group scope.
Use the following command to remove the Reader role assignment for the group at the subscription scope.
Clean up resources
To clean up the resources created by this tutorial, delete the resource group and the group.
Delete the resource group using the Remove-AzResourceGroup command.
When asked to confirm, type Y. It will take a few seconds to delete.
Delete the group using the Remove-MgGroup command.
If you receive an error when you try to delete the group, you can also delete the group in the portal.
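The List access, Remove access and Clean up steps as one script, added here as an example that is not part of the tutorial. It assumes the group and resource group from earlier in the tutorial exist and that the Az and Microsoft Graph modules are connected; the check that distinguishes a direct assignment from an inherited one, and the final check that nothing is left behind, are mine.

```powershell
# Added example (not part of the tutorial). Assumes Connect-AzAccount and Connect-MgGraph are done.
$groupId  = (Get-MgGroup -Filter "displayName eq 'RBAC Tutorial Group'").Id
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$rgName   = 'rbac-tutorial-resource-group'
$rgScope  = "$subScope/resourceGroups/$rgName"

# Assignments visible at the subscription scope: only the direct Reader assignment.
Get-AzRoleAssignment -ObjectId $groupId -Scope $subScope |
    Select-Object RoleDefinitionName, Scope

# At the resource group scope the inherited Reader shows up next to the direct Contributor.
# Anything whose Scope is not the resource group itself was inherited from above.
Get-AzRoleAssignment -ObjectId $groupId -ResourceGroupName $rgName |
    Select-Object RoleDefinitionName, Scope,
                  @{ n = 'Inherited'; e = { $_.Scope -ne $rgScope } }

# Remove access, most privileged assignment first.
Remove-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName 'Contributor' -ResourceGroupName $rgName
Remove-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName 'Reader'      -Scope $subScope

# Verify: any assignment still scoped at or under this subscription is a leftover.
$leftover = Get-AzRoleAssignment -ObjectId $groupId |
    Where-Object { $_.Scope -like "$subScope*" }
if ($leftover) {
    throw "Role assignments still present: $(($leftover | ForEach-Object { "$($_.RoleDefinitionName)@$($_.Scope)" }) -join ', ')"
}

# Clean up the resources the tutorial created. -Force skips the interactive Y prompt.
Remove-AzResourceGroup -Name $rgName -Force
Remove-MgGroup -GroupId $groupId
```

The leftover check matters more than it looks: assignments made at a management group or tenant root scope are inherited into every subscription and do not go away when you remove the subscription-level one, so an audit of a principal should always look at Scope, not just at the role name.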
Next steps
Assign Azure roles using Azure PowerShell
Manage Azure Role Assignments Like a Pro with PowerShell
Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple cmdlets to get or set role assignments in your Azure subscriptions.
PowerShell examples for managing Azure Role assignments
- List all role assignments in a subscription
- Get all role assignments for a specific resource group
- Get all role assignments for a specific user
- Add a role assignment to a user
- Remove a role assignment for a user
- Remove all role assignments for a specific user
- List all built-in roles
- List all custom roles
- Create a custom role
- Update a custom role
- Delete a custom role
- List all users or groups assigned to a specific role
- List all permissions granted by a specific role
- List all resource groups that a user has access to
- Create a role assignment for a service principal
- PowerShell script to manage Azure role assignments
And now there is a script that combines some of these examples into one usable function:
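The script that follows is an added example written for this page, not the author's script, covering two of the items above: listing every assignment a principal holds across all subscriptions (including ones a user gets through group membership) and removing all of a principal's direct assignments, which is the offboarding case where a dry run matters. It assumes the Az module is connected with an account that can read and write role assignments in each subscription; the function names and the placeholder object ID are mine.

```powershell
# Added example, not the post's own script. Assumes Connect-AzAccount has been run.

function Get-AzPrincipalRoleAssignment {
    # Lists the principal's role assignments in every subscription the caller can see.
    # For a user, -ExpandGroups also returns assignments inherited through group membership,
    # which is how most users actually hold privileges.
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [switch]$ExpandGroups
    )
    foreach ($sub in Get-AzSubscription) {
        $null = Set-AzContext -SubscriptionId $sub.Id
        $params = @{ ObjectId = $ObjectId }
        if ($ExpandGroups) { $params.ExpandPrincipalGroups = $true }   # users only
        Get-AzRoleAssignment @params |
            Select-Object @{ n = 'Subscription'; e = { $sub.Name } },
                          DisplayName, ObjectType, RoleDefinitionName, Scope, RoleAssignmentId
    }
}

function Remove-AzPrincipalRoleAssignment {
    # Removes the principal's direct assignments in every subscription.
    # ConfirmImpact High means it prompts by default; -WhatIf shows what would be removed.
    # Returns the assignments it removed, as "Role at Scope" strings.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$ObjectId)

    $removed = @()
    foreach ($sub in Get-AzSubscription) {
        $null = Set-AzContext -SubscriptionId $sub.Id
        $subScope = "/subscriptions/$($sub.Id)"
        # Only assignments scoped inside this subscription. Ones made at a management group
        # or the tenant root appear as inherited in every subscription and must be removed
        # at their own scope, so they are reported by the Get- function but skipped here.
        $direct = Get-AzRoleAssignment -ObjectId $ObjectId |
                  Where-Object { $_.Scope -like "$subScope*" }
        foreach ($a in $direct) {
            $target = "$($a.RoleDefinitionName) at $($a.Scope)"
            if ($PSCmdlet.ShouldProcess($target, 'Remove role assignment')) {
                $a | Remove-AzRoleAssignment
                $removed += $target
            }
        }
    }
    $removed
}

# Usage with a placeholder object ID: audit first, dry-run the removal, then run it for real.
$principal = '00000000-0000-0000-0000-000000000000'
Get-AzPrincipalRoleAssignment -ObjectId $principal -ExpandGroups | Format-Table -AutoSize
Remove-AzPrincipalRoleAssignment -ObjectId $principal -WhatIf
# Remove-AzPrincipalRoleAssignment -ObjectId $principal
```

Because the function loops with Set-AzContext, it changes the current subscription as a side effect; run it in a fresh session or restore your context afterwards.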
I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.
Vukasin Terzic
Tutorial: Grant a user access to Azure resources using Azure PowerShell
Azure role-based access control (Azure RBAC) is the way that you manage access to Azure resources. In this tutorial, you grant a user access to view everything in a subscription and manage everything in a resource group using Azure PowerShell.
In this tutorial, you learn how to:
- Grant access for a user at different scopes
- List access
- Remove access
If you don't have an Azure subscription, create a free account before you begin.
We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell . To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az .
Prerequisites
To complete this tutorial, you will need:
- Permissions to create users in Microsoft Entra ID (or have an existing user)
- Azure Cloud Shell
- Microsoft Graph PowerShell SDK
Role assignments
In Azure RBAC, to grant access, you create a role assignment. A role assignment consists of three elements: security principal, role definition, and scope. Here are the two role assignments you will perform in this tutorial:
Security principal | Role definition | Scope
---|---|---
User (RBAC Tutorial User) | Reader | Subscription
User (RBAC Tutorial User) | Contributor | Resource group (rbac-tutorial-resource-group)
Create a user
To assign a role, you need a user, group, or service principal. If you don't already have a user, you can create one.
In Azure Cloud Shell, create a password that complies with your password complexity requirements.
Create a new user for your domain using the New-MgUser command.
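The two steps above as a script, added here as an example rather than taken from the tutorial. The point it adds is how to produce the initial password: from a cryptographic random source, never hard-coded, checked against the three-of-four character class rule, and set so the user must change it at first sign-in. It assumes PowerShell 7 (RandomNumberGenerator.GetInt32 is not in Windows PowerShell 5.1), a connected Microsoft Graph session, and that the tenant's default domain is the one the user should be created in; the function name, display name and mail nickname are mine.

```powershell
# Added example (not part of the tutorial). Requires PowerShell 7 and the Microsoft Graph SDK.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Domain.Read.All'

function New-InitialPassword {
    # Random password from the OS CSPRNG. Ambiguous characters (I, l, O, 0, 1) are left out
    # so the value can be read out to the user over the phone without mistakes.
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    do {
        # GetInt32 draws uniformly in [0, n): no modulo bias, unlike "random byte % n".
        $candidate = -join (1..$Length | ForEach-Object {
            $alphabet[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32(0, $alphabet.Length)]
        })
        # Entra requires at least three of four classes; insist on all four to be safe.
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
             $candidate -match '\d'    -and $candidate -match '[!@#$%^&*]')
    $candidate
}

$password = New-InitialPassword

# Default verified domain of the tenant, e.g. contoso.onmicrosoft.com (assumption: create the user there).
$domain = (Get-MgDomain | Where-Object IsDefault).Id

$user = New-MgUser -DisplayName 'RBAC Tutorial User' `
                   -MailNickname 'rbactutorialuser' `
                   -UserPrincipalName "rbactutorialuser@$domain" `
                   -AccountEnabled `
                   -PasswordProfile @{
                       Password                     = $password
                       ForceChangePasswordNextSignIn = $true   # the initial secret is single-use
                   }
$userId = $user.Id

# Hand $password to the person out of band. Do not echo it, log it, or keep it in the transcript.
"Created $($user.UserPrincipalName) with object ID $userId"
```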
Create a resource group
You use a resource group to show how to assign a role at a resource group scope.
Get a list of region locations using the Get-AzLocation command.
Select a location near you and assign it to a variable.
Create a new resource group using the New-AzResourceGroup command.
Grant access
To grant access for the user, you use the New-AzRoleAssignment command to assign a role. You must specify the security principal, role definition, and scope.
Get the ID of your subscription using the Get-AzSubscription command.
Save the subscription scope in a variable.
Assign the Reader role to the user at the subscription scope.
Assign the Contributor role to the user at the resource group scope.
To verify the access for the subscription, use the Get-AzRoleAssignment command to list the role assignments.
In the output, you can see that the Reader role has been assigned to the RBAC Tutorial User at the subscription scope.
To verify the access for the resource group, use the Get-AzRoleAssignment command to list the role assignments.
In the output, you can see that both the Contributor and Reader roles have been assigned to the RBAC Tutorial User. The Contributor role is assigned at the rbac-tutorial-resource-group scope, and the Reader role is inherited from the subscription scope.
(Optional) List access using the Azure Portal
To see how the role assignments look in the Azure portal, view the Access control (IAM) blade for the subscription.
View the Access control (IAM) blade for the resource group.
To remove access for users, groups, and applications, use Remove-AzRoleAssignment to remove a role assignment.
Use the following command to remove the Contributor role assignment for the user at the resource group scope.
Use the following command to remove the Reader role assignment for the user at the subscription scope.
Clean up resources
To clean up the resources created by this tutorial, delete the resource group and the user.
Delete the resource group using the Remove-AzResourceGroup command.
When asked to confirm, type Y. It will take a few seconds to delete.
Delete the user using the Remove-MgUser command.
Next steps
Assign Azure roles using Azure PowerShell
Martin's Blog
Azure AD: Assign administrator roles with PowerShell
Martin Schoombee
March 2, 2021
Working with PowerShell always brings up a few interesting gotchas, as things are not always what they seem at the surface. I guess you could say that for any development tool out there, but somehow it happens every time I need to do something with PowerShell. Case in point, you would think that assigning an administrator role would be a simple call to one cmdlet…but things are never quite that simple :-/
If you look at the Azure AD Roles and administrators page in the Azure portal, you see a long list of administrator roles you can assign to users (or service principals). Compare that to the list returned by the Get-AzureADDirectoryRole cmdlet however and you only see a small subset.
What’s happening here?
The part that’s not necessarily clear from the documentation is that the Azure portal shows a list of available roles (or templates). It seems obvious enough that this would be the case in the portal, as you may not have assigned all of these roles to users yet and you would expect a complete list. But as you can see from the PowerShell results, the fun starts when you think you could just get the role and assign it to a user. How can you assign a role if you can’t get to its object id? How do you get a list of all of the available roles in PowerShell?
After digging for some time you (me) stumble across this gem, the Get-AzureADDirectoryRoleTemplate cmdlet which returns all of the available roles (or templates). Eureka!! Let’s use this object id and assign it to a user with the following snippet…
Not so fast…you get an error saying that the role doesn’t exist…and we know this from what we’ve seen earlier, but it still isn’t clear how we would be able to get an object id to assign.
The solution
The solution is buried underneath many levels of documentation and hours of searching/experimenting:
- Attempt to get the administrator role, using the Get-AzureADDirectoryRole cmdlet.
- If the first step doesn’t return anything, it means that the role has probably never been assigned to a user and we have to enable it in our tenant first. Get the template for the role with the Get-AzureADDirectoryRoleTemplate cmdlet.
- Once you have the template, enable it with the Enable-AzureADDirectoryRole cmdlet. This will create an instance of the role within your tenant, with its own unique object id.
- Now you’ll be able to get to the role and its object id with the Get-AzureADDirectoryRole cmdlet.
- Assign the role to the user (or service principal).
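The five steps above as a function, added here as an example and not the script from the author's repository. It uses the AzureAD module cmdlets the post discusses and assumes Connect-AzureAD has been run by an account allowed to activate and assign directory roles; the function name, the role name and the UPN in the usage line are placeholders. The membership check before the Add call is mine, so rerunning the function is harmless.

```powershell
# Added example, not the post's script. Assumes Connect-AzureAD has been run.

function Add-DirectoryRoleMember {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,    # e.g. 'Security Reader'
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    # Step 1: Get-AzureADDirectoryRole only returns roles already activated in this tenant.
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleDisplayName

    if (-not $role) {
        # Step 2: the template exists for every role, activated or not.
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleDisplayName
        if (-not $template) { throw "No directory role template named '$RoleDisplayName'" }

        # Step 3: activating the template creates the tenant's own instance of the role.
        Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null

        # Step 4: the instance has its own ObjectId, which is what the assignment needs.
        # (Using $template.ObjectId here is the "role doesn't exist" error from the post.)
        $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleDisplayName
    }

    # Step 5: add the user. Get-AzureADUser -ObjectId accepts a UPN as well as a GUID.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $alreadyMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
                     Where-Object ObjectId -eq $user.ObjectId
    if (-not $alreadyMember) {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    }

    [pscustomobject]@{
        Role         = $role.DisplayName
        RoleObjectId = $role.ObjectId
        User         = $user.UserPrincipalName
        AddedNow     = -not $alreadyMember
    }
}

# Usage (placeholders): assign a read-only admin role rather than a write-capable one for a tutorial.
Add-DirectoryRoleMember -RoleDisplayName 'Security Reader' -UserPrincipalName 'alice@contoso.example'
```

Two caveats. The AzureAD module is deprecated; the same activate-then-assign sequence exists in Microsoft Graph PowerShell as Get-MgDirectoryRole, Get-MgDirectoryRoleTemplate, New-MgDirectoryRole -RoleTemplateId and New-MgDirectoryRoleMemberByRef, with the same distinction between a template and its activated instance. And a permanent member of an administrator role is a standing privilege; where Privileged Identity Management is available, an eligible assignment that has to be activated for a limited time is the better default.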
I wish the PowerShell documentation was a bit more explicit in cases like these. Adding a simple comment or two to the documentation of the Get-AzureADDirectoryRole cmdlet will certainly help avoid the hours of confusion and searching…
Want to download the PowerShell script to assign administrative roles? Get it from my GitHub repo.
3 thoughts on “ Azure AD: Assign administrator roles with PowerShell ”
Nice article, but even though the role I am trying to assign is enabled, the script did not work, and I did receive the same error message… I think the issue is that you are using the cmdlet Get-AzureADDirectoryRoleTemplate, whereas you should be using Get-AzureADDirectoryRole!!! However, that did not do the trick for me…
What does Get-AzureADDirectoryRole return?
An instance of a DirectoryRole class, whereas Get-AzureADDirectoryRoleTemplate returns a DirectoryRoleTemplate I believe. Moreover, when I inspect both objects, I can clearly see that the ObjectId is accurate when using Get-AzureADDirectoryRole and can actually be mapped to the role I want to fetch. The same does not happen when I use Get-AzureADDirectoryRoleTemplate.
Managing Azure AD Roles and Permissions with PowerShell
August 24, 2023
Do you need help managing and automating roles and permissions in Azure with PowerShell? This article explains the typical scenarios for automating Azure role-based access control (Azure RBAC) using PowerShell. Note that although the title says Azure AD roles, the roles assigned in this article are Azure RBAC roles on Azure resources, managed with the Az module; Microsoft Entra (Azure AD) directory roles such as Global Administrator are a separate system with separate cmdlets.
To lay the foundation and prepare to manage Azure roles and permissions, we start with an overview of Azure role-based access control (RBAC). Following that, we explain the three elements of role assignment.
There is also a section that explains the prerequisites for managing Azure roles and permissions with PowerShell.
The next sections are dedicated to explaining the steps for assigning Azure AD roles using PowerShell.
Finally, we explain how to list roles assigned to users and groups using PowerShell.
What is Azure Role-Based Access Control (RBAC)
Azure role-based access control (RBAC) lets administrators apply fine-grained access control to resources. In other words, Azure RBAC controls who has access to which resources, and what level of access they have.
At the core of RBAC is role assignments. Azure has hundreds of built-in roles with pre-defined permissions that are assigned to users, groups, or service principals .
The existence of built-in roles with pre-defined permissions makes role assignments easy, as admins do not have to grant permissions to objects directly.
However, there are instances where the built-in roles may not be suitable for an organization’s needs. In this situation, custom roles are created.
This article covers the steps to assign built-in Azure roles to users and groups with PowerShell.
Azure Role Assignment Elements
Assigning a role involves 3 elements: security principal, role definition, and scope. The security principal is the Microsoft Entra object (a user, group, service principal, or managed identity) that is being assigned the role.
The role definition is the built-in or custom Azure role being assigned, and the scope is the level at which the role applies. There are 4 levels at which roles are assigned in Azure.
Specifically, Azure roles are assigned to a resource, a resource group, a subscription, or a management group, and a role assigned at a higher level is inherited by everything below it. To assign a role to a resource, you need the resource ID.
Assigning a role at the resource group scope requires the name of the resource group. Running the Get-AzResourceGroup command returns all resource groups in the current subscription, including their names.
If assigning a role at the subscription scope, you need the subscription ID. To list all subscriptions in the tenant, run the Get-AzSubscription command.
Finally, roles assigned at the management group scope require the name of the management group. To get the name of a management group, run the Get-AzManagementGroup command.
Understanding these elements is important to managing Azure roles and permissions with PowerShell. In the remaining part of the article, we explore how the security principal, role definition, and scope are used to assign and manage Azure roles using PowerShell.
Prerequisites for Managing Azure AD Roles and Permissions with PowerShell
Before an admin assigns roles, they must meet the following requirements:
- The account must hold a role that includes the Microsoft.Authorization/roleAssignments/write permission. Among the built-in Azure roles, Owner and User Access Administrator include it (a custom role can also grant it). A Global Administrator does not have this permission on Azure resources by default and must first elevate access.
- Secondly, you require access to Azure Cloud Shell or Azure PowerShell.
- The account running the Microsoft Graph PowerShell commands needs permission to read users and groups, for example the Directory.Read.All Graph permission.
- Finally, to perform some of the tasks in this article, your account requires at least a Microsoft Entra ID P1 (formerly Azure AD Premium P1) license.
As we progress in this article, we explain the steps to assign these permissions as required.
Steps to Assign Built-in Azure AD Roles Using PowerShell
I run the PowerShell commands in this and subsequent sections from Azure Cloud Shell, a browser-based shell that allows running Azure CLI or PowerShell commands. You can run them from your own computer instead if the Az and Microsoft Graph PowerShell modules are installed.
If you click the cloud shell link above and sign in with your Azure account, it displays a screen like the one in the screenshot below. The benefit of Azure Cloud Shell is that it does not require installing any PowerShell modules on your PC.
Step 1: Determine the Object ID
You need the object ID of the security principal before assigning it a role on an Azure resource. Follow these steps to determine the object ID of a user or group.
1. Open the Azure Cloud Shell – shell.azure.com and sign in with your Azure account.
If you’re opening Azure Cloud Shell for the first time, it requires you to create a storage account.
2. Run the commands below to get the ID of the user or group you need to assign a role. In the first command, I am returning the ID of a user that begins with
The first command saves the ID of the user in the $userid variable, while the second one saves the ID of the group in the $groupid variable. Before running the commands, remember to change the UserPrincipalName and the DisplayName to match your own user and group.
Step 2: Get the Role to Assign
The next step for managing Azure AD roles and permissions with PowerShell is determining the role to assign. Start by listing all the available roles in your Azure AD tenant using the following command.
The command displays the Name , and Id of all roles in the tenant. Additionally, it returns True or False in the IsCustom column.
To demonstrate, I want to assign the Security Admin role to the user and group I determined in Step 1. Security Admin here is the Azure built-in role (view and update permissions for Microsoft Defender for Cloud), not the Microsoft Entra Security Administrator directory role. To display the role, I pipe the output of the Get-AzRoleDefinition command to Where-Object as shown in this command.
Step 3: Identify the Role Assignment Scope
The command below returns the resource ID of a storage account (resource scope) and saves it in the $scoperesourceID variable.
Later, I assign the user from step 1 the "Security Admin" role on this storage account.
Step 4: Assign the Azure Role
Using the information in steps 1 to 3, run the command below to assign the role to the user. Before running the command, the role is not assigned to this storage account, as shown in the screenshot below.
The first command assigns the “Security Admin” role to a user saved in the $userid variable. Similarly, the second command assigns the same role to a group saved in the $groupid variable.
After running the above commands, refreshing the storage accounts displays the Security Admin role, and the user and group assigned the role.
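Steps 1 to 4 as one script, added here as an example and not the article's own commands. Beyond the four steps it adds two checks a practitioner wants: it prints the Actions the role definition grants before assigning it, and it skips a principal that already holds the role at exactly this scope (a duplicate assignment fails with a conflict). It assumes Connect-AzAccount has been run and the Microsoft Graph SDK is available; the UPN, group name, resource group and storage account name are placeholders.

```powershell
# Added example for steps 1 to 4; not the article's commands. Assumes Connect-AzAccount has been run.
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All'

# Step 1: object IDs of the principals (placeholders).
$userid  = (Get-MgUser  -UserId 'alice@contoso.example').Id
$groupid = (Get-MgGroup -Filter "displayName eq 'Security Operations'").Id

# Step 2: the role definition, and what it actually permits, before handing it out.
# 'Security Admin' is the Azure RBAC built-in role for Microsoft Defender for Cloud,
# not the Microsoft Entra 'Security Administrator' directory role.
$role = Get-AzRoleDefinition -Name 'Security Admin'
if (-not $role) { throw "Role definition 'Security Admin' not found" }
[pscustomobject]@{
    Name        = $role.Name
    IsCustom    = $role.IsCustom
    Actions     = $role.Actions     -join '; '
    NotActions  = $role.NotActions  -join '; '
    DataActions = $role.DataActions -join '; '
} | Format-List

# Step 3: a resource scope is the resource's full ARM ID.
$scoperesourceID = (Get-AzStorageAccount -ResourceGroupName 'rg-storage' -Name 'stcontoso001').Id

# Step 4: assign to both principals, skipping any that already hold the role at this exact scope.
$principals = @(
    @{ Id = $userid;  Type = 'User'  }
    @{ Id = $groupid; Type = 'Group' }
)
foreach ($p in $principals) {
    $existing = Get-AzRoleAssignment -ObjectId $p.Id -Scope $scoperesourceID -RoleDefinitionName $role.Name |
                Where-Object Scope -eq $scoperesourceID      # drop assignments inherited from above
    if ($existing) {
        Write-Host "$($p.Type) $($p.Id) already has $($role.Name) at this scope; skipping"
        continue
    }
    # -ObjectType lets ARM skip the directory lookup that can fail for a just-created principal.
    New-AzRoleAssignment -ObjectId $p.Id -ObjectType $p.Type -RoleDefinitionName $role.Name -Scope $scoperesourceID
}

# Confirm what is now in place at the storage account (direct and inherited).
Get-AzRoleAssignment -Scope $scoperesourceID |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```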
Display Azure AD Role Assignment Using PowerShell
Earlier, I assigned the "Security Admin" role to a user by UPN. If you recall, the ID of that user was saved in the $userid variable.
Similarly, the scope ID of the storage account was saved in the $scoperesourceID variable. To display the role assignment for the user, I run the command below.
The command displays the role assignment details, including the RoleAssignmentName, and scope.
You display the same information for the group by running this command.
Managing Azure AD Roles and Permissions with PowerShell Conclusion
Administering Azure roles requires knowledge of the role based access control model . Additionally, understanding Azure role assignment elements – security principal, role definition, and scope – is essential to manage role assignments with PowerShell effectively.
Not only that, but an account assigning roles has to meet some prerequisites, such as configuring PowerShell with the required modules and holding the appropriate administrative privileges.
The step-by-step guide in this article gives a clear path to follow when assigning built-in Azure roles using PowerShell, from determining the object ID of the principal to identifying the scope of the role assignment.
Victor Ashiedu