Create Directory Role Definition | Microsoft Graph PowerShell

How to create a directory role definition using Microsoft Graph PowerShell

The New-MgRoleManagementDirectoryRoleDefinition cmdlet creates a new custom role definition in Microsoft Entra ID (formerly Azure AD). A role definition is a named collection of permitted resource actions; admins grant it to users, groups, or service principals through role assignments, and each assignment carries its own scope (the whole tenant, an administrative unit, or a single application object). The cmdlet is useful when built-in directory roles such as Global Administrator or User Administrator grant far more than a task requires. By creating custom roles, IT teams can follow the principle of least privilege, granting only the permissions a job function actually needs.

This article shows you how to create a directory role definition using both the Microsoft Entra admin center and Microsoft Graph PowerShell:

  • Microsoft Entra admin center
  • PowerShell
 

Create custom roles using Microsoft Entra admin center

Admins can create and assign custom directory roles from the portal's Roles and administrators section.

  1. Go to the Microsoft Entra admin center.
  2. Select Roles and administrators.
  3. Click New custom role, give the role a name and description, select its permissions, then create it. Scope is not part of the definition; it is chosen later, when the role is assigned.

Create a directory role definition using Microsoft Graph PowerShell

Prerequisites

Install the Graph module, then sign in with a scope that allows writing role definitions (RoleManagement.ReadWrite.Directory; the read-only RoleManagement.Read.Directory scope is enough for listing roles but not for creating them):

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

Using the New-MgRoleManagementDirectoryRoleDefinition cmdlet

Run the cmdlet below, supplying the role details and the allowed resource actions. The permissions are passed through -RolePermissions as an array of hashtables, each with an AllowedResourceActions list, and -IsEnabled must be set on creation or the role cannot be assigned:

New-MgRoleManagementDirectoryRoleDefinition -DisplayName <name> -Description <desc> -IsEnabled -RolePermissions <permissions-array>

Examples

Every action string must come from Microsoft's list of permissions supported in custom roles; wildcard patterns are not accepted, and the service rejects a definition that contains an action it does not recognise.

Example 1: Create a read-only custom role

New-MgRoleManagementDirectoryRoleDefinition -DisplayName "ReadOnly Role" -Description "Read only access to users and groups" -IsEnabled -RolePermissions @(@{AllowedResourceActions=@("microsoft.directory/users/standard/read", "microsoft.directory/groups/standard/read")})

Example 2: Create a role allowing user password resets

New-MgRoleManagementDirectoryRoleDefinition -DisplayName "Password Reset Role" -Description "Allow password resets" -IsEnabled -RolePermissions @(@{AllowedResourceActions=@("microsoft.directory/users/password/update")})

Example 3: Create a role with combined permissions

New-MgRoleManagementDirectoryRoleDefinition -DisplayName "Custom Admin" -Description "Read users and update their basic properties" -IsEnabled -RolePermissions @(@{AllowedResourceActions=@("microsoft.directory/users/standard/read", "microsoft.directory/users/basic/update")})
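The one-liners above stop at creating the definition. The script below, added here as an example and not taken from the article, carries the procedure through end to end: it guards against creating a duplicate role, builds the definition as a hashtable and passes it with -BodyParameter, reads back exactly what was granted, and then assigns the role scoped to an administrative unit instead of the whole tenant. The role name, the administrative unit name and the user principal name are placeholders; the two action strings are taken from Microsoft's app-registration permission list for custom roles.

```powershell
# Added example (not from the original article): create a narrowly scoped custom role,
# verify what it grants, and assign it at administrative-unit scope.
# Placeholders: role display name, AU name "Contoso-Apps-AU", UPN appsupport@contoso.example
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All", "AdministrativeUnit.Read.All"

$params = @{
    displayName     = "App Registration Credential Manager"      # placeholder name
    description     = "Can read app registrations and rotate their credentials, nothing else"
    isEnabled       = $true                                       # required on create
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/applications/standard/read"
                "microsoft.directory/applications/credentials/update"
            )
        }
    )
}

# Fail closed: two roles with the same display name are allowed by the service but confuse reviews
$existing = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$($params.displayName)'"
if ($existing) {
    throw "Role '$($params.displayName)' already exists (id $($existing.Id)); not creating a duplicate"
}

$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $params

# Read the definition back from the service and show exactly which actions it grants
$created = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id
Write-Host "Created role $($created.DisplayName) ($($created.Id)), enabled=$($created.IsEnabled)"
$created.RolePermissions | ForEach-Object { $_.AllowedResourceActions } | ForEach-Object { Write-Host "  grants $_" }

# Assign at administrative-unit scope; "/" would make the assignment tenant-wide
$au   = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Contoso-Apps-AU'"   # placeholder AU
$user = Get-MgUser -UserId "appsupport@contoso.example"                                # placeholder user
if (-not $au -or -not $user) { throw "Administrative unit or user not found; refusing to assign" }

$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId      $user.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"
Write-Host "Assigned to $($user.UserPrincipalName) at scope $($assignment.DirectoryScopeId)"
```

Reading the definition back before assigning is the step worth keeping even if the rest is adapted: it confirms that the service stored the action list you intended, and the printed list is what an approver should sign off on.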

Supported parameters

The following essential parameters can be used with the New-MgRoleManagementDirectoryRoleDefinition cmdlet:

Parameter Description
-DisplayName Name for the custom role (required).
-Description Descriptive summary of the custom role.
-IsEnabled Marks the role as enabled; required on creation, since a disabled role cannot be assigned.
-RolePermissions Array of hashtables, each with an AllowedResourceActions list of permission strings (required).
-BodyParameter Hashtable holding the whole definition (displayName, description, isEnabled, rolePermissions), an alternative to the individual parameters above.
-IsBuiltIn Indicates whether the role is a built-in definition; roles created with this cmdlet are custom, so it is false.
-TemplateId Optional GUID that identifies the role consistently when it is recreated in another tenant; generated by the service if omitted.
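Because -RolePermissions is free-form, the definitions that accumulate in a tenant deserve the same review as built-in role membership. The script below is an added example, not part of the article: it lists every custom role, flags the actions that change identities or credentials, and reports who holds each flagged role and at what scope, so tenant-wide assignments surface first. The watch-list of sensitive actions is constructed for illustration and should be extended to match your own policy.

```powershell
# Added example (not from the original article): audit custom roles for identity- and
# credential-changing actions and show who holds them. Watch-list is constructed; extend it.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$sensitiveActions = @(
    "microsoft.directory/users/password/update"
    "microsoft.directory/users/basic/update"
    "microsoft.directory/applications/credentials/update"
    "microsoft.directory/servicePrincipals/credentials/update"
)

# isBuiltIn eq false returns only roles created in this tenant
$customRoles = Get-MgRoleManagementDirectoryRoleDefinition -Filter "isBuiltIn eq false" -All

$report = foreach ($role in $customRoles) {
    $actions = @($role.RolePermissions | ForEach-Object { $_.AllowedResourceActions })
    $flagged = @($actions | Where-Object { $_ -in $sensitiveActions })
    if ($flagged.Count -eq 0) { continue }

    # The assignment, not the definition, carries the scope; "/" means the whole tenant
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All
    if (-not $assignments) {
        # Still report it: an unassigned but enabled role is a standing grant waiting to be used
        [pscustomobject]@{
            Role = $role.DisplayName; Enabled = $role.IsEnabled; Flagged = ($flagged -join ", ")
            PrincipalId = $null; Scope = $null; TenantWide = $false
        }
        continue
    }
    foreach ($a in $assignments) {
        [pscustomobject]@{
            Role        = $role.DisplayName
            Enabled     = $role.IsEnabled
            Flagged     = ($flagged -join ", ")
            PrincipalId = $a.PrincipalId
            Scope       = $a.DirectoryScopeId
            TenantWide  = ($a.DirectoryScopeId -eq "/")
        }
    }
}

$report | Sort-Object TenantWide, Role -Descending | Format-Table -AutoSize
```

Run it with the read-only RoleManagement.Read.Directory scope; the audit never needs write access, and keeping the reviewing identity unable to change roles is itself a least-privilege control.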

Limitations of using native tools to create custom roles

  • PowerShell commands can get complex with different use cases and scenarios.
  • IT admins can spend a lot of time troubleshooting errors, which negatively impacts productivity.
  • Delegation can get tricky since technicians require elevated permissions.

How ADManager Plus helps you manage Microsoft Entra ID

ADManager Plus, an identity governance and administration solution with comprehensive Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console.
