entra pim role assignment add

Request activation of an Entra role assignment for a user or group.

Usage

m365 entra pim role assignment add [options]

Options

-n, --roleDefinitionName [roleDefinitionName]

Name of the role definition that should be assigned. Specify either roleDefinitionName or roleDefinitionId but not both.

-i, --roleDefinitionId [roleDefinitionId]

Id of the role definition that is being assigned. Specify either roleDefinitionName or roleDefinitionId but not both.

--userId [userId]

Id of the user that will be granted the assignment. Specify either userId, userName, groupId or groupName. If not specified, the current user will be used.

--userName [userName]

UPN of the user that will be granted the assignment. Specify either userId, userName, groupId or groupName. If not specified, the current user will be used.

--groupId [groupId]

Id of the group that will be granted the assignment. Specify either userId, userName, groupId or groupName. If not specified, the current user will be used.

--groupName [groupName]

Display name of the group that will be granted the assignment. Specify either userId, userName, groupId or groupName. If not specified, the current user will be used.

--administrativeUnitId [administrativeUnitId]

Id of the administrative unit representing the scope of the assignment. Specify either administrativeUnitId or applicationId. If not specified, default scope will be tenant-wide.

--applicationId [applicationId]

Object Id of the application representing the scope of the assignment. Specify either administrativeUnitId or applicationId. If not specified, default scope will be tenant-wide.

-j, --justification [justification]

An optional justification message.

-s, --startDateTime [startDateTime]

When the assignment should start. If left out, the assignment will start from the current time.

-e, --endDateTime [endDateTime]

When the assignment should end. Specify either duration, endDateTime or noExpiration.

-d, --duration [duration]

How long the assignment should last. Write in ISO 8601 format for durations: PT3H for 3 hours. Specify either duration, endDateTime or noExpiration.

--noExpiration [noExpiration]

If specified, the role assignment will never expire. Specify either duration, endDateTime or noExpiration.

--ticketNumber [ticketNumber]

Optional ticket number value to communicate with the request.

--ticketSystem [ticketSystem]

Optional ticket system to communicate with the request.

-h, --help [help]

Output usage information. Optionally, specify which section of the command's help you want to see. Allowed values are options, examples, remarks, permissions, response, full. Default is options.

--query [query]

JMESPath query string. See http://jmespath.org/ for more information and examples.

-o, --output [output]

Output type. json, text, csv, md, none. Default json.

--verbose

Runs command with verbose logging.

--debug

Runs command with debug logging.

Remarks

When activating a role for other users, you must be a Privileged Role Administrator.

Permissions

Resource: Microsoft Graph
Permissions: RoleAssignmentSchedule.ReadWrite.Directory

Examples

Request activation of the SharePoint Administrator Entra role assignment for the current user.

m365 entra pim role assignment add --roleDefinitionName 'SharePoint Administrator'

Request activation of an Entra role assignment for the current user.

m365 entra pim role assignment add --roleDefinitionId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690'

Request activation of an Entra role assignment for the current user with a justification and max duration of 4 hours.

m365 entra pim role assignment add --roleDefinitionId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690' --justification 'Need Global Admin to release application xyz to production' --duration 'PT4H'

Request activation of an Entra role assignment for a specified user with tenant scope.

m365 entra pim role assignment add --roleDefinitionId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690' --userId '3488d6b8-6b2e-41c3-9583-1991205323c2'

Request activation of the User Administrator Entra role assignment for a specified group with administrative unit scope.

m365 entra pim role assignment add --roleDefinitionName 'User Administrator' --groupId '3488d6b8-6b2e-41c3-9583-1991205323c2' --administrativeUnitId '03c4c9dc-6f0c-4c4f-a4e6-0c9ed80f54c7'

Request activation of the Application Administrator Entra role assignment for a specified group with scope to a specific application.

m365 entra pim role assignment add --roleDefinitionName 'Application Administrator' --groupName 'Applications admins' --applicationId '03c4c9dc-6f0c-4c4f-a4e6-0c9ed80f54c7'

Request activation of an Entra role assignment for a specific period of two days.

m365 entra pim role assignment add --roleDefinitionName 'Global Administrator' --userName 'admin-john@contoso.com' --startDateTime '2024-01-10T09:00:00Z' --endDateTime '2024-01-11T17:00:00Z'

Request activation of an Entra role assignment with no expiration.

m365 entra pim role assignment add --roleDefinitionName 'Global Administrator' --userName 'admin-john@contoso.com' --noExpiration

Response

{
  "id": "3f7d1bd6-a9a5-45bc-b831-00cfa3e3c649",
  "status": "Provisioned",
  "createdDateTime": "2024-02-12T13:54:21.3110096Z",
  "completedDateTime": "2024-02-12T13:54:21.9847061Z",
  "approvalId": null,
  "customData": null,
  "action": "adminAssign",
  "principalId": "61b0c52f-a902-4769-9a09-c6628335b00a",
  "roleDefinitionId": "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
  "directoryScopeId": "/",
  "appScopeId": null,
  "isValidationOnly": false,
  "targetScheduleId": "3f7d1bd6-a9a5-45bc-b831-00cfa3e3c649",
  "justification": "Need SharePoint Administrator role",
  "createdBy": {
    "application": null,
    "device": null,
    "user": {
      "displayName": null,
      "id": "893f9116-e024-4bc6-8e98-54c245129485"
    }
  },
  "scheduleInfo": {
    "startDateTime": "2024-02-12T13:54:21.9847061Z",
    "recurrence": null,
    "expiration": {
      "type": "noExpiration",
      "endDateTime": null,
      "duration": null
    }
  },
  "ticketInfo": {
    "ticketNumber": null,
    "ticketSystem": null
  }
}
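
The response records whether the assignment is time-bound, how wide its scope is, and who requested it. The following added example (not part of the CLI or its documentation) reviews the JSON output for those properties; the function name, the finding labels and the second sample response are assumptions made for illustration.

```python
import json

# Response printed on this page, trimmed to the fields the checks read.
PAGE_RESPONSE = json.loads("""{
  "action": "adminAssign",
  "principalId": "61b0c52f-a902-4769-9a09-c6628335b00a",
  "directoryScopeId": "/",
  "justification": "Need SharePoint Administrator role",
  "createdBy": {"user": {"id": "893f9116-e024-4bc6-8e98-54c245129485"}},
  "scheduleInfo": {"expiration": {"type": "noExpiration", "duration": null}},
  "ticketInfo": {"ticketNumber": null, "ticketSystem": null}
}""")

# Constructed sample (not from the page): self-requested, 4 hours, scoped to an
# administrative unit, with a ticket reference.
SCOPED_RESPONSE = json.loads("""{
  "action": "selfActivate",
  "principalId": "61b0c52f-a902-4769-9a09-c6628335b00a",
  "directoryScopeId": "/administrativeUnits/03c4c9dc-6f0c-4c4f-a4e6-0c9ed80f54c7",
  "justification": "Reset passwords for the support unit",
  "createdBy": {"user": {"id": "61b0c52f-a902-4769-9a09-c6628335b00a"}},
  "scheduleInfo": {"expiration": {"type": "afterDuration", "duration": "PT4H"}},
  "ticketInfo": {"ticketNumber": "CHG-0001", "ticketSystem": "example-itsm"}
}""")


def review_assignment(resp):
    """Return (label, detail) findings for one role assignment response."""
    findings = []
    expiration = (resp.get("scheduleInfo") or {}).get("expiration") or {}
    if expiration.get("type") == "noExpiration":
        findings.append(("standing", "assignment never expires"))
    if resp.get("directoryScopeId") == "/":
        findings.append(("tenant-wide", "not limited to an administrative unit or application"))
    requester = ((resp.get("createdBy") or {}).get("user") or {}).get("id")
    if requester and requester != resp.get("principalId"):
        findings.append(("delegated", f"requested by {requester} for another principal"))
    if not (resp.get("ticketInfo") or {}).get("ticketNumber"):
        findings.append(("no-ticket", "no ticket number recorded"))
    if not (resp.get("justification") or "").strip():
        findings.append(("no-justification", "justification is empty"))
    return findings


if __name__ == "__main__":
    for name, resp in (("page", PAGE_RESPONSE), ("scoped", SCOPED_RESPONSE)):
        for label, detail in review_assignment(resp) or [("ok", "no findings")]:
            print(f"{name}: {label}: {detail}")
```
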

More information