Minimum privilege to add & remove an Azure AD user via PowerShell?

EnterpriseArchitect 4,741 Reputation points
2022-07-19T01:49:42.76+00:00

People,

What's the required minimum Azure AD role to allow the user to run the Get-AzRoleAssignment?

The user is already part of the Azure AD User Administrator role.

https://learn.microsoft.com/en-US/microsoft-365/admin/add-users/about-admin-roles?WT.mc_id=365AdminCSH_inproduct&view=o365-worldwide#commonly-used-microsoft-365-admin-center-roles

But I am not sure why the simple command above is throwing an error when I try to execute it:

Get-AzRoleAssignment -SignInName 'unknown.user@domain.com'  

This is the error I get:

Get-AzRoleAssignment : The term 'Get-AzRoleAssignment' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path  
was included, verify that the path is correct and try again.  
At C:\script1.ps1:43 char:55  
+                 Get-AzRoleAssignment -SignInName $U ...  
+                                   ~~~~~~~~~~~~~~~~~~~~  
    + CategoryInfo          : ObjectNotFound: (Get-AzRoleAssignment:String) [], CommandNotFoundException  
    + FullyQualifiedErrorId : CommandNotFoundException  

Any help would be greatly appreciated.

Thanks!


2 answers

  1. Dillon Silzer 54,466 Reputation points
    2022-07-19T02:37:48.913+00:00

    Hello @EnterpriseArchitect

    This error looks like a missing module. You will need to perform the following commands:

    Install-Module -Name Az.Resources  
      
    Import-Module -Name Az.Resources  
    

    Cited from https://techcommunity.microsoft.com/t5/azure-virtual-desktop/the-term-new-azroleassignment-is-not-recognized-as-the-name-of-a/m-p/1508936

    -----------------------------

    If this helps please mark as correct answer.

    1 person found this answer helpful.

  2. 2022-07-19T07:04:20.583+00:00

    Hello @EnterpriseArchitect, as pointed out by @Dillon Silzer, it looks like the PowerShell module is not installed. Moving forward, User Administrator is good enough to get user data; however, you will need additional roles to get data on service principals (Application Administrator or Owner), groups (Groups Administrator) and directory objects (Directory Readers/Writers).

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    1 person found this answer helpful.
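The following script is an added example, not code from either answer above or from Microsoft. It puts both answers together: it installs and imports Az.Resources when the cmdlet is missing (the CommandNotFoundException from the question), confirms the cmdlet resolves before using it, and then runs the Get-AzRoleAssignment query from the question. The $SignInName parameter and its placeholder value are assumptions; the module, cmdlet and parameter names are the real ones from the thread.

```powershell
# Added example (not from the original thread): make sure Az.Resources is
# available before calling Get-AzRoleAssignment, then run the query from the
# question. Run as: .\Check-RoleAssignment.ps1 -SignInName 'unknown.user@domain.com'
#Requires -Version 5.1
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$SignInName   # placeholder, e.g. 'unknown.user@domain.com' as in the question
)

$ErrorActionPreference = 'Stop'

# 1. A CommandNotFoundException for Get-AzRoleAssignment means the module that
#    ships the cmdlet is not present. Install it for the current user only, which
#    needs no local admin rights and keeps the change scoped to this profile.
if (-not (Get-Module -ListAvailable -Name Az.Resources)) {
    Install-Module -Name Az.Resources -Scope CurrentUser -Repository PSGallery
}
Import-Module -Name Az.Resources

# 2. Verify the cmdlet now resolves before a script depends on it; failing here
#    gives a clearer message than the CommandNotFoundException from the question.
if (-not (Get-Command -Name Get-AzRoleAssignment -ErrorAction SilentlyContinue)) {
    throw 'Get-AzRoleAssignment is still not available after importing Az.Resources.'
}

# 3. Get-AzRoleAssignment needs a signed-in Azure context (Az.Accounts is pulled
#    in as a dependency of Az.Resources). Connect-AzAccount prompts interactively.
if (-not (Get-AzContext)) {
    Connect-AzAccount | Out-Null
}

# 4. Run the query. Once the module is loaded, any error from this call is an
#    authorization problem (reading the user object from the directory, or reading
#    the role assignments at the current scope), not a missing-module problem,
#    which is the distinction the two answers draw.
try {
    Get-AzRoleAssignment -SignInName $SignInName |
        Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
        Format-Table -AutoSize
}
catch {
    Write-Warning "Get-AzRoleAssignment failed for '$SignInName': $($_.Exception.Message)"
    throw
}
```

Running this once on the machine that produced the error in the question separates the two failure modes cleanly: step 2 fails if the module is still missing, and step 4 fails if the signed-in account lacks the directory or RBAC read rights discussed in the second answer.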