Directory roles vs role management (unified roles) in Entra ID

Gurkirat Singh 60 Reputation points
2025-01-23T20:20:47.0066667+00:00

While learning Entra ID and RBAC through the Graph API, I came across two terms, DirectoryRole and RoleManagement. I have some questions about them.

  1. What is the difference between a role template and a role definition?
  2. In the following screenshot, RoleDefinition and RoleTemplate are considered the same. (Screenshot_20250123_005212.png)
  3. What is the difference between Get-MgDirectoryRoleMember and Get-MgRoleManagementDirectoryRoleAssignment, and similarly, the difference between Get-MgDirectoryRole and Get-MgRoleManagementDirectoryRoleDefinition?
  4. What is meant by activated roles? How can a role be activated or deactivated in Entra ID?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

Accepted answer
  1. Vasil Michev 119.9K Reputation points MVP Volunteer Moderator
    2025-01-24T08:31:13.8833333+00:00

    The set of *-MgRoleManagementDirectoryRole cmdlets corresponds to the newer implementation, the so-called "Unified RBAC API". Take a look at the note in this article for example: https://learn.microsoft.com/en-us/graph/api/resources/directoryrole?view=graph-rest-1.0

    Microsoft recommends that you use the unified RBAC API instead of this API. The unified RBAC API provides more functionality and flexibility. For more information, see unifiedRoleDefinition resource type.

    The underlying role definitions/templates are the same, but the "new" API covers more scenarios, and it's the preferred method. You should focus your studies on it.

    And yes, roles (templates) can be activated. It's a way for Microsoft to minimize the overhead of having 100+ Entra roles...
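
The following is an added example, not part of the original question or answer: a read-only PowerShell audit that lines up the legacy directory-role view against the unified RBAC view discussed above. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can use the `RoleManagement.Read.Directory` scope; the report column names are this example's own.

```powershell
# Added example: read-only comparison of the legacy and unified RBAC views.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'

# Legacy API: a role is listed here only once it has been activated from its template.
$activatedByTemplate = @{}
foreach ($role in (Get-MgDirectoryRole -All)) {
    $activatedByTemplate[$role.RoleTemplateId] = $role
}

# Unified RBAC API: all role definitions, plus every assignment with its scope.
$definitions = Get-MgRoleManagementDirectoryRoleDefinition -All
$assignmentsByRole = @{}
foreach ($a in (Get-MgRoleManagementDirectoryRoleAssignment -All)) {
    if (-not $assignmentsByRole.ContainsKey($a.RoleDefinitionId)) {
        $assignmentsByRole[$a.RoleDefinitionId] = [System.Collections.Generic.List[object]]::new()
    }
    $assignmentsByRole[$a.RoleDefinitionId].Add($a)
}

$report = foreach ($def in $definitions) {
    # Match the unified definition to its legacy directoryRole object, if one exists.
    $legacy = if ($def.TemplateId) { $activatedByTemplate[$def.TemplateId] }
    $unified = @()
    if ($assignmentsByRole.ContainsKey($def.Id)) { $unified = @($assignmentsByRole[$def.Id]) }
    $legacyMembers = 0
    if ($legacy) {
        $legacyMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $legacy.Id -All).Count
    }

    [pscustomobject]@{
        Role               = $def.DisplayName
        BuiltIn            = $def.IsBuiltIn
        Activated          = [bool]$legacy
        LegacyMembers      = $legacyMembers
        UnifiedAssignments = $unified.Count
        # Assignments whose scope is narrower than the whole tenant ('/').
        ScopedAssignments  = @($unified | Where-Object { $_.DirectoryScopeId -ne '/' }).Count
    }
}

# Show only roles that are activated or hold at least one assignment.
$report |
    Where-Object { $_.Activated -or $_.UnifiedAssignments -gt 0 } |
    Sort-Object UnifiedAssignments -Descending |
    Format-Table -AutoSize
```

Rows with `Activated` set to False and no assignments are filtered out; those are role definitions that exist in the unified API but have no corresponding directoryRole object in the tenant yet.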

