How to create a group with assignable role and make membership eligible for this group?

Adrien Maugard 61 Reputation points


I'm using the AzureAD module and I'm trying to build 500+ groups at once for GDAP. However I have an issue with group creation.

I only want the Owner and Member to be Eligible for these groups; those groups already have rights, and I won't use any role access for these groups.

Once the group is created as role-enabled via PowerShell:

New-AzureADMSGroup -DisplayName $Name -MailEnabled $false -SecurityEnabled $True -MailNickname $Name -IsAssignableToRole $true

It's not yet enabled for PIM, so the query

Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadGroups -ResourceId $Id 

will fail because the list is empty (BTW, the error message is a forbidden access instead of no result...)

If I query a group that has been enabled for PIM via the portal, it correctly has two Privileged role definitions:
one for Member, and one for Owner.

But I cannot do this specific "enable PIM for Owner and Member" step in PowerShell.

Do you have a solution to create a group and attach a Privileged role definition for Owner and Member to it, but not for any Azure AD role?

All the documentation is only for roles and not useful :(


Accepted answer
James Hamil 17,846 Reputation points, Microsoft Employee

    Hi @Adrien Maugard, you can create a role-assignable group using PowerShell and then assign the desired Privileged Role Definitions to the group. Please try this and let me know if it works:

    1. Create a new role-assignable group using the New-AzureADMSGroup command:

       $Name = "YourGroupName"
       # IsAssignableToRole can only be set when the group is created
       $roleAssignableGroup = New-AzureADMSGroup -DisplayName $Name -MailEnabled $false -SecurityEnabled $True -MailNickname $Name -IsAssignableToRole $true

    2. After creating the group, you can use the Azure portal to enable PIM for the group. Unfortunately, there is no direct PowerShell command to enable PIM for a group.

    3. Once PIM is enabled for the group, you can use the Get-AzureADMSPrivilegedRoleDefinition command to get the Privileged Role Definitions for the group:

       $Id = $roleAssignableGroup.Id
       # For the aadGroups provider this returns one definition for Member and one for Owner
       $privilegedRoleDefinitions = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadGroups -ResourceId $Id

    4. You can then assign the desired Privileged Role Definitions (Owner and Member) to the group using the New-AzureADMSPrivilegedRoleAssignment command:

       foreach ($roleDefinition in $privilegedRoleDefinitions) {
           if ($roleDefinition.DisplayName -eq "Owner" -or $roleDefinition.DisplayName -eq "Member") {
               New-AzureADMSPrivilegedRoleAssignment -ResourceId $Id -RoleDefinitionId $roleDefinition.Id -SubjectId $roleAssignableGroup.Id -AssignmentState "Eligible" -ProviderId aadGroups
           }
       }

    This script will create a role-assignable group, enable PIM for the group, and assign the Owner and Member Privileged Role Definitions to the group. Note that you need to enable PIM for the group using the Azure portal, as there is no direct PowerShell command for this step.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,



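The following is an added example that is not part of the question or the accepted answer. It carries the answer's procedure through for a batch of groups, which is the asker's scenario: create each role-assignable group, detect whether it has been onboarded to PIM yet (the forbidden-access error the question describes is treated as "not onboarded", not as a hard failure), and then request Eligible Member and Owner assignments for the principals that should be eligible. It assumes the AzureADPreview module is loaded and Connect-AzureAD has already been run; the eligibility request is created with Open-AzureADMSPrivilegedRoleAssignmentRequest and a Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule object, which is that module's request-based way of creating assignments (the cmdlet name used in the accepted answer is not what this example relies on). The CSV, group names, object IDs and the function names are constructed for illustration.

```powershell
# Added example, not code from the original question or answer.
# Assumes: Import-Module AzureADPreview; Connect-AzureAD (account allowed to create
# role-assignable groups and to manage PIM for groups).

# Constructed sample input; in practice load your own CSV with Import-Csv.
$rows = @"
GroupName,EligibleMemberIds,EligibleOwnerIds
GDAP-Contoso-HelpDesk,00000000-0000-0000-0000-000000000001;00000000-0000-0000-0000-000000000002,00000000-0000-0000-0000-000000000003
GDAP-Fabrikam-Admins,00000000-0000-0000-0000-000000000004,00000000-0000-0000-0000-000000000003
"@ | ConvertFrom-Csv

function New-GdapGroup {
    param([Parameter(Mandatory)][string]$Name)
    # Idempotent: reuse an existing group with this name. The quote is doubled so a
    # display name containing an apostrophe cannot break out of the OData filter string.
    $safeName = $Name.Replace("'", "''")
    $existing = Get-AzureADMSGroup -Filter "displayName eq '$safeName'"
    if ($existing) { return $existing }
    # IsAssignableToRole can only be set at creation time and cannot be changed afterwards.
    New-AzureADMSGroup -DisplayName $Name -MailEnabled $false -SecurityEnabled $true `
        -MailNickname $Name -IsAssignableToRole $true
}

function Get-PimGroupRoleDefinitions {
    param([Parameter(Mandatory)][string]$GroupId)
    # As the question reports, a group that has not been onboarded to PIM makes this call
    # fail with a forbidden error instead of returning an empty list, so a failure here is
    # read as "not onboarded yet" and the caller can retry after enabling PIM in the portal.
    try {
        Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadGroups -ResourceId $GroupId
    } catch {
        $null
    }
}

function Add-EligibleGroupAssignment {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$RoleDefinitionId,
        [Parameter(Mandatory)][string]$PrincipalId,
        [int]$MonthsValid = 12
    )
    # Eligible assignments are created as an admin request with an explicit schedule;
    # bound the eligibility window rather than leaving it permanent.
    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type = "Once"
    $now = (Get-Date).ToUniversalTime()
    $schedule.StartDateTime = $now.ToString("o")
    $schedule.EndDateTime = $now.AddMonths($MonthsValid).ToString("o")
    Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadGroups -ResourceId $GroupId `
        -RoleDefinitionId $RoleDefinitionId -SubjectId $PrincipalId -Type AdminAdd `
        -AssignmentState Eligible -Schedule $schedule -Reason "GDAP group onboarding"
}

$notOnboarded = @()
foreach ($row in $rows) {
    $group = New-GdapGroup -Name $row.GroupName
    $defs = Get-PimGroupRoleDefinitions -GroupId $group.Id
    if (-not $defs) {
        # Nothing more can be done for this group until PIM is enabled for it in the portal.
        $notOnboarded += $group.DisplayName
        continue
    }
    # The aadGroups provider exposes exactly the two definitions the question describes.
    $memberDef = $defs | Where-Object { $_.DisplayName -eq 'Member' }
    $ownerDef  = $defs | Where-Object { $_.DisplayName -eq 'Owner' }

    foreach ($id in ($row.EligibleMemberIds -split ';' | Where-Object { $_ })) {
        Add-EligibleGroupAssignment -GroupId $group.Id -RoleDefinitionId $memberDef.Id -PrincipalId $id
    }
    foreach ($id in ($row.EligibleOwnerIds -split ';' | Where-Object { $_ })) {
        Add-EligibleGroupAssignment -GroupId $group.Id -RoleDefinitionId $ownerDef.Id -PrincipalId $id
    }
}

if ($notOnboarded) {
    Write-Warning ("Enable PIM for these groups in the portal, then re-run: " + ($notOnboarded -join ', '))
}
```

Two caveats for anyone scaling this to the asker's 500+ groups: Azure AD limits a tenant to 500 role-assignable groups, so the GDAP layout has to fit inside that, and an eligible Owner of a role-assignable group can, once activated, change the group's membership, so Owner eligibility should be handed out as sparingly as the rights the group carries. The AzureAD and AzureADPreview modules used here have since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, so the same flow would be ported to the Graph PIM-for-groups cmdlets for new automation.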