How to create a directory role assignment in Entra ID using Microsoft Graph PowerShell

The New-MgRoleManagementDirectoryRoleAssignment cmdlet creates a new directory role assignment in Microsoft Entra ID (formerly Azure AD). It lets you programmatically assign administrative roles to users or service principals, which is why calls to it are worth logging and reviewing like any other privilege change.

Create directory role assignments using Microsoft Graph PowerShell

Prerequisites

  • Before using the cmdlet, ensure that the Microsoft Graph PowerShell module is installed. If not, install it using this PowerShell command:
    Install-Module Microsoft.Graph -Scope CurrentUser
  • Also, use the following PowerShell command to connect to Microsoft Graph with the required permissions (e.g., RoleManagement.ReadWrite.Directory):
    Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

Using the New-MgRoleManagementDirectoryRoleAssignment cmdlet

Run the Graph PowerShell command below to create a new role assignment. Replace <role-definition-id> with the ID of the role definition you want to assign (built-in or custom), and <user-or-sp-id> with the object ID of the user or service principal. A scope is required: "/" makes the assignment apply to the whole tenant:

New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId <role-definition-id> -PrincipalId <user-or-sp-id> -DirectoryScopeId "/"

Examples

Example 1: Assign the Global Administrator role to a user

This Graph PowerShell command assigns the Global Administrator role to a user across the whole tenant (replace "role-definition-id" with the Global Administrator role definition ID and "user-id" with the user's object ID):

New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId "role-definition-id" -PrincipalId "user-id" -DirectoryScopeId "/"

Example 2: Assign a custom role to a service principal

This Graph PowerShell command assigns a custom administrative role to a service principal (replace "custom-role-definition-id" with the custom role's definition ID and "sp-id" with the service principal's object ID):

New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId "custom-role-definition-id" -PrincipalId "sp-id" -DirectoryScopeId "/"

Example 3: Assign a role scoped to an administrative unit

A directory role assignment has no description property, so the optional parameter to show is -DirectoryScopeId, which limits where the role applies. This Graph PowerShell command assigns a role over a single administrative unit instead of the whole tenant (replace <administrative-unit-id> with the administrative unit's object ID):

New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId "role-definition-id" -PrincipalId "user-id" -DirectoryScopeId "/administrativeUnits/<administrative-unit-id>"

Supported parameters

The following are the essential parameters of the New-MgRoleManagementDirectoryRoleAssignment command:

Parameter          Description
-RoleDefinitionId  ID of the role definition (built-in or custom) to assign
-PrincipalId       Object ID of the user or service principal receiving the role
-DirectoryScopeId  Scope of the assignment: "/" for the whole tenant, or "/administrativeUnits/<id>" to limit it to one administrative unit
-WhatIf            Shows what would happen if the cmdlet ran, without executing it
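As an added example that is not part of the original page, the function below wraps the cmdlet so that a role is resolved by display name, an identical assignment is not created twice, and the result is read back for verification. It assumes the Microsoft.Graph.Identity.Governance module and an existing Connect-MgGraph session with RoleManagement.ReadWrite.Directory; the principal ID in the usage line is a placeholder.

```powershell
# Added example (not from the original page). Assumes Connect-MgGraph has already
# been run with RoleManagement.ReadWrite.Directory. All IDs are placeholders.
function New-EntraRoleAssignmentIdempotent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        [Parameter(Mandatory)] [string] $PrincipalId,
        # '/' = whole tenant; '/administrativeUnits/<id>' limits the assignment to one AU
        [string] $DirectoryScopeId = '/'
    )

    # 1. Resolve the role definition (built-in or custom) by its display name.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) { throw "Role '$RoleDisplayName' was not found." }

    # 2. Skip if this principal already holds this role at this scope (safe to re-run).
    $existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$PrincipalId'" |
        Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq $DirectoryScopeId }
    if ($existing) {
        Write-Verbose "Assignment already exists: $($existing.Id)"
        return $existing
    }

    # 3. Create the assignment. Calling this function with -WhatIf shows the
    #    intended change without making it.
    $target = "$PrincipalId -> $RoleDisplayName (scope $DirectoryScopeId)"
    if ($PSCmdlet.ShouldProcess($target, 'Create directory role assignment')) {
        $assignment = New-MgRoleManagementDirectoryRoleAssignment `
            -RoleDefinitionId $role.Id `
            -PrincipalId $PrincipalId `
            -DirectoryScopeId $DirectoryScopeId

        # 4. Read the assignment back so the caller sees what the directory recorded.
        return Get-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id
    }
}

# Usage (placeholder principal ID); drop -WhatIf to apply the change:
New-EntraRoleAssignmentIdempotent -RoleDisplayName 'User Administrator' -PrincipalId '<user-or-sp-id>' -WhatIf
```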

Limitations of using Microsoft Graph PowerShell to create directory role assignments

  • PowerShell commands can get complicated with different use cases and scenarios.
  • IT admins can spend a lot of time debugging errors, which in turn negatively impacts productivity.
  • Delegation can get tricky since technicians require elevated permissions.

How ADManager Plus helps you manage Microsoft Entra ID

ADManager Plus, an identity governance and administration solution with comprehensive Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console:

Perform script-free Microsoft Entra ID management and reporting with ADManager Plus
