Assigning Azure AD roles using group?

Question

I need to create a cloud-only group called App Admins which has the Azure AD Role Application and Cloud Application Administrator role assigned to the members that are assigned manually.

What are the steps I must take and how to achieve that with the Entra ID?

Answer 1

Hi There,

Please see the steps below via Powershell and through the Azure Portal.

1. Create a Cloud-Only Group in Azure AD (Microsoft Entra ID):
   • Use the New-AzureADGroup command in PowerShell to create a new group. The syntax is as follows:

      New-AzureADGroup -DisplayName "App Admins" -MailEnabled $false -MailNickName "appadmins" -SecurityEnabled $true
   

   This command creates a new security group named “App Admins”.
2. Manually Add Members to the Group:
   • Use the Add-AzureADGroupMember command in PowerShell to add members to the group. The syntax is as follows:

      Add-AzureADGroupMember -ObjectId <GroupObjectID> -RefObjectId <UserObjectID>
   

   Replace <GroupObjectID> with the Object ID of the “App Admins” group and <UserObjectID> with the Object ID of the user you want to add to the group. Repeat this step for each user you want to add.
3. Assign Azure AD Role to the Group:

• Sign in to the Azure portal.
• In the Search box at the top, search for the scope you want to grant access to (e.g., Subscriptions, Resource groups, or a specific resource).
  • Click Access Control (IAM).
  • Click Add > Add role assignment.
  • On the Role tab, select the “Application Administrator” and “Cloud Application Administrator” roles.
  • On the Members tab, select Group, then click Select Members.
  • Find and select the “App Admins” group, then click Next and Assign.

Please note that you must have the necessary permissions to perform these actions.

If you find this response helpful and it resolves your issue, please consider marking it as “Accepted” or giving it an upvote. This will help others in the community find the solution more easily.