How to assign app roles to Microsoft Entra ID groups using New-MgGroupAppRoleAssignment

Assigning new app roles to Microsoft Entra ID groups

Assigning application roles to Microsoft Entra ID groups is essential for managing access to enterprise applications and ensuring users have exactly the permissions they need. IT admins configure these assignments to implement role-based access control (RBAC) at the group level instead of per user. The New-MgGroupAppRoleAssignment cmdlet in the Microsoft Graph PowerShell SDK lets admins assign app roles to groups, though it requires scripting expertise and manual execution.

Grant app roles to Microsoft Entra ID groups using Microsoft Graph PowerShell

Prerequisites

Before running the New-MgGroupAppRoleAssignment cmdlet, ensure the following requirements are met:

  • The Microsoft Graph PowerShell module is installed. If it’s not installed, use the following command:
    Install-Module Microsoft.Graph -Scope CurrentUser
  • Connect to Microsoft Graph PowerShell with permissions that allow you to create app role assignments. Read-only group scopes such as Group.Read.All are not sufficient; the least-privileged delegated scopes for this operation are AppRoleAssignment.ReadWrite.All (to write the assignment) and Application.Read.All (to read the resource service principal and its app roles). Both require admin consent:
    Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All"

Using the New-MgGroupAppRoleAssignment cmdlet to assign roles to Microsoft Entra ID groups

Use the New-MgGroupAppRoleAssignment cmdlet in Microsoft Graph PowerShell to assign app roles to Microsoft Entra ID groups. The syntax is as follows:

New-MgGroupAppRoleAssignment
-GroupId <String>
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-AppRoleId <String>]
[-CreatedDateTime <DateTime>]
[-DeletedDateTime <DateTime>]
[-Id <String>]
[-PrincipalDisplayName <String>]
[-PrincipalId <String>]
[-PrincipalType <String>]
[-ResourceDisplayName <String>]
[-ResourceId <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]

Example use case and script using the New-MgGroupAppRoleAssignment cmdlet

Example: Assign an app role to a Microsoft Entra ID group

For a group assignment, -PrincipalId repeats the group's object ID, -ResourceId is the object ID of the application's service principal (the enterprise application object, not the application (client) ID from the app registration), and -AppRoleId is the GUID of a role defined in that service principal's appRoles collection.

New-MgGroupAppRoleAssignment -GroupId "your-group-id" `
-PrincipalId "your-group-id" `
-ResourceId "your-service-principal-object-id" `
-AppRoleId "your-app-role-id"
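The template above takes the three GUIDs as given. The script below is an added example, not code from the original page or from Microsoft, that resolves them from display names, validates that the role exists, is enabled and accepts group principals, and skips the call if the group already holds the role. The group name "Finance-Analysts", the application name "Contoso Reporting" and the role value "Report.Read" are assumed placeholders; replace them with your own.

```powershell
# Added example (not from the original page). Assumed inputs: a group named
# "Finance-Analysts", an enterprise application named "Contoso Reporting" and
# an app role whose value is "Report.Read". Replace with your own values.
$groupName    = "Finance-Analysts"
$appName      = "Contoso Reporting"
$appRoleValue = "Report.Read"

# Least-privileged delegated scopes for creating a group app role assignment.
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All"

# Resolve the group and refuse to continue if the display name is ambiguous.
$group = @(Get-MgGroup -Filter "displayName eq '$groupName'")
if ($group.Count -ne 1) { throw "Group '$groupName' not found or not unique" }
$group = $group[0]

# Resolve the resource service principal. -ResourceId must be this object's
# id, not the application (client) id shown on the app registration.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($sp.Count -ne 1) { throw "Service principal '$appName' not found or not unique" }
$sp = $sp[0]

# Look the app role up by its value instead of hard-coding the GUID, and
# check that it is usable for a group principal.
$role = $sp.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
if (-not $role) { throw "App role '$appRoleValue' is not defined on '$appName'" }
if (-not $role.IsEnabled) { throw "App role '$appRoleValue' is disabled" }
# allowedMemberTypes "User" covers both users and groups; "Application" roles
# can only be granted to service principals.
if ($role.AllowedMemberTypes -notcontains "User") {
    throw "App role '$appRoleValue' does not allow user or group principals"
}

# Idempotency check: one group/role/resource tuple should exist only once.
$existing = Get-MgGroupAppRoleAssignment -GroupId $group.Id |
    Where-Object { $_.ResourceId -eq $sp.Id -and $_.AppRoleId -eq $role.Id }

if ($existing) {
    Write-Host "Assignment already exists (id $($existing.Id)); nothing to do."
} else {
    $assignment = New-MgGroupAppRoleAssignment -GroupId $group.Id `
        -PrincipalId $group.Id `
        -ResourceId  $sp.Id `
        -AppRoleId   $role.Id
    Write-Host "Granted '$appRoleValue' on '$($assignment.ResourceDisplayName)' to group '$($assignment.PrincipalDisplayName)'."
}
```

Run it with -WhatIf on the New-MgGroupAppRoleAssignment call first if you want to see the request without creating anything. If the application defines no app roles at all, Microsoft Graph accepts the all-zero GUID 00000000-0000-0000-0000-000000000000 as -AppRoleId, which records that the group is assigned to the application without a specific role; the validation block above would need to be relaxed for that case.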

Supported parameters

The table below lists key parameters that can be used with the New-MgGroupAppRoleAssignment cmdlet to grant app roles to Microsoft Entra ID groups.

Parameter Description
-GroupId The object ID of the group that receives the assignment.
-PrincipalId The object ID of the principal being assigned the role. For a group assignment this is the same value as -GroupId.
-ResourceId The object ID of the service principal of the application that defines the app role.
-AppRoleId The GUID of the app role (from the resource service principal's appRoles) that is assigned to the principal.
-AdditionalProperties A hashtable of extra properties to send in the request body.
-CreatedDateTime The time when the app role assignment was created (set by the service; read-only in practice).
-DeletedDateTime The date and time when the object was deleted (set by the service; read-only in practice).

Challenges of using Graph PowerShell scripts to assign app roles to Microsoft Entra ID groups

  • Not all Microsoft Graph capabilities have dedicated PowerShell cmdlets, and certain actions require manual API calls (Invoke-MgGraphRequest).
  • Microsoft Graph enforces throttling limits, which can slow down or fail bulk operations unless the script retries with back-off.
  • IT admins have to update their PowerShell skills to keep up with the shift from the deprecated Azure AD PowerShell module to Microsoft Graph PowerShell.
  • Managing roles and permissions is difficult because some cmdlets need high-privilege scopes (for example, AppRoleAssignment.ReadWrite.All) that require admin consent and aren't always easy to obtain.

Why use ADManager Plus for management and reporting

  • Manage Microsoft Entra ID with an intuitive GUI, eliminating the need for PowerShell coding.
  • Assign various admin tasks to help desk staff without granting full admin privileges.
  • Streamline user provisioning and modifications with scheduled tasks and approval-based workflows.
  • Effortlessly handle group memberships, licensing, and permissions without PowerShell complexities.
  • Manage your organizational objects in bulk using CSV imports and templates.

See how ADManager Plus enables you to manage Microsoft Entra ID groups with a user-friendly, no-code interface.
