
entra roleassignment add

Assign an Entra ID role to a user and specify the scope for which the user has been granted access

Usage

m365 entra roleassignment add [options]

Options

--roleDefinitionId [roleDefinitionId]

Id of a role to be assigned. Specify either roleDefinitionId or roleDefinitionName, but not both.

--roleDefinitionName [roleDefinitionName]

Name of a role to be assigned. Specify either roleDefinitionId or roleDefinitionName, but not both.

--principal <principal>

Id of a user, group or service principal or user principal name or group mail nickname to which the assignment is granted.

--userId [userId]

Id of a user to which the assignment is scoped.

--userName [userName]

User principal name of a user to which the assignment is scoped.

--administrativeUnitId [administrativeUnitId]

Id of an administrative unit to which the assignment is scoped.

--administrativeUnitName [administrativeUnitName]

Name of an administrative unit to which the assignment is scoped.

--applicationId [applicationId]

Id of an application to which the assignment is scoped.

--applicationObjectId [applicationObjectId]

Object Id of an application to which the assignment is scoped.

--applicationName [applicationName]

Name of an application to which the assignment is scoped.

--servicePrincipalId [servicePrincipalId]

Id of a service principal to which the assignment is scoped.

--servicePrincipalName [servicePrincipalName]

Name of a service principal to which the assignment is scoped.

--groupId [groupId]

Id of a group to which the assignment is scoped.

--groupName [groupName]

Name of a group to which the assignment is scoped.

-h, --help [help]

Output usage information. Optionally, specify which section of the command's help you want to see. Allowed values are options, examples, remarks, permissions, response, full. Default is options.

--query [query]

JMESPath query string. See http://jmespath.org/ for more information and examples.

-o, --output [output]

Output type. json, text, csv, md, none. Default json.

--verbose

Runs command with verbose logging.

--debug

Runs command with debug logging.

Permissions

Resource         Permissions
Microsoft Graph  RoleManagement.ReadWrite.Directory

Examples

Assign a role specified by name to a user specified by id and scope the assignment to the whole tenant

m365 entra roleassignment add --roleDefinitionName 'SharePoint Administrator' --principal 7a2ca997-9461-402e-9882-58088a370889

Assign a role specified by id to a user specified by UPN and scope the assignment to a service principal specified by id

m365 entra roleassignment add --roleDefinitionId 777b752-f9b7-4205-a2b1-5db0d6a0ccfc --principal john.doe@contoso.com --servicePrincipalId a4738dd8-fc0f-4646-87fb-47539f5c651b

Assign a role specified by name to a group specified by mail nickname and scope the assignment to an administrative unit specified by name

m365 entra roleassignment add --roleDefinitionName 'User Administrator' --principal 'contoso-group' --administrativeUnitName 'Marketing'

Assign a role specified by name to a service principal specified by id and scope the assignment to an application specified by id

m365 entra roleassignment add --roleDefinitionName 'Application Administrator' --principal ab2ca997-9461-402e-9882-58088a370889 --applicationId 47539fd8-fc0f-4646-87fb-a4738d5c651b

Response

{
  "id": "s4awkmfj8k64aR3hKPuYbhaRP4kk4MZLjphUwkUSlIU-1",
  "principalId": "3844129d-f748-4c03-8165-4412ee9b4ceb",
  "directoryScopeId": "/",
  "roleDefinitionId": "92b086b3-e367-4ef2-b869-1de128fb986e"
}
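The scope options above decide how far the role reaches, and the response's directoryScopeId is the only place that tells you what you actually granted. The following is an added example, not code from the CLI for Microsoft 365 project: it models how the resolved scope options map onto the Microsoft Graph unifiedRoleAssignment body behind this command and flags tenant-wide results. It assumes the Graph conventions that "/" is the tenant, "/administrativeUnits/{id}" is an administrative unit and "/{objectId}" is any other directory object, and that name and appId options have already been resolved to object ids.

```python
# Added example (not the CLI's own code). Assumption: Graph directoryScopeId
# formats are "/" (tenant), "/administrativeUnits/{id}" (AU) and "/{objectId}"
# (application, service principal, group or user object).
ODATA_TYPE = "#microsoft.graph.unifiedRoleAssignment"

# Object-id scope options of the command; --*Name and --applicationId (client id)
# are resolved to one of these object ids before the request is built.
SCOPE_OPTIONS = ("userId", "administrativeUnitId", "applicationObjectId",
                 "servicePrincipalId", "groupId")


def directory_scope_id(options: dict) -> str:
    """Derive directoryScopeId from the scope options; none given means tenant-wide."""
    given = [name for name in SCOPE_OPTIONS if options.get(name)]
    if len(given) > 1:
        raise ValueError(f"specify at most one scope option, got {given}")
    if not given:
        return "/"
    name = given[0]
    if name == "administrativeUnitId":
        return f"/administrativeUnits/{options[name]}"
    return f"/{options[name]}"


def build_role_assignment(options: dict) -> dict:
    """Build the body POSTed to /roleManagement/directory/roleAssignments."""
    if not options.get("roleDefinitionId"):
        raise ValueError("roleDefinitionId must be resolved (by id or by name) first")
    if not options.get("principalId"):
        raise ValueError("--principal must be resolved to an object id first")
    return {
        "@odata.type": ODATA_TYPE,
        "roleDefinitionId": options["roleDefinitionId"],
        "principalId": options["principalId"],
        "directoryScopeId": directory_scope_id(options),
    }


def is_tenant_wide(response: dict) -> bool:
    """True when a created assignment (the command's response) covers the whole directory."""
    return response.get("directoryScopeId") == "/"


# The response shown on this page: no scope option was given, so the grant is tenant-wide.
PAGE_RESPONSE = {
    "id": "s4awkmfj8k64aR3hKPuYbhaRP4kk4MZLjphUwkUSlIU-1",
    "principalId": "3844129d-f748-4c03-8165-4412ee9b4ceb",
    "directoryScopeId": "/",
    "roleDefinitionId": "92b086b3-e367-4ef2-b869-1de128fb986e",
}
```

Reviewing directoryScopeId in the response after each assignment is a cheap way to catch a forgotten scope option before a privileged role ends up granted across the whole tenant.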

More information