How to create a group with assignable role and make membership eligible for this group?

Adrien Maugard 81 Reputation points
2023-09-07T15:23:33.09+00:00

Hello

I'm using the AzureAD module and I'm trying to build 500+ groups at once for GDAP. However, I have an issue with group creation.

I only want the Owner and Member to be eligible for these groups; those groups already have rights and I won't use any role access for this group.

Once the group is created as role-enabled via PowerShell:

New-AzureADMSGroup -DisplayName $Name -MailEnabled $false -SecurityEnabled $True -MailNickname $Name -IsAssignableToRole $true

It's not already enabled for PIM, so the query

Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadGroups -ResourceId $Id 

will fail because the list is empty (BTW, the error message is a forbidden access instead of no result...)

If I query a group that has been enabled for PIM via the Portal, it correctly has two privileged role definitions: one for Member and one for Owner.

But I cannot do this specific "enable PIM for Owner and Member" in PowerShell.

Do you have a solution to create and attach to the group a privileged role definition for Owner and Member, but not for any Azure AD role?

All the documentation is only for roles and not useful :(


Accepted answer
    James Hamil 24,311 Reputation points Microsoft Employee
    2023-09-08T19:25:23.6166667+00:00

    Hi @Adrien Maugard, you can create a role-assignable group using PowerShell and then assign the desired Privileged Role Definitions to the group. Please try this and let me know if it works:

    1. Create a new role-assignable group using the New-AzureADMSGroup command:

    $Name = "YourGroupName"
    $roleAssignableGroup = New-AzureADMSGroup -DisplayName $Name -MailEnabled $false -SecurityEnabled $True -MailNickname $Name -IsAssignableToRole $true

    2. After creating the group, you can use the Azure portal to enable PIM for the group. Unfortunately, there is no direct PowerShell command to enable PIM for a group.

    3. Once PIM is enabled for the group, you can use the Get-AzureADMSPrivilegedRoleDefinition command to get the Privileged Role Definitions for the group:

    $Id = $roleAssignableGroup.Id
    $privilegedRoleDefinitions = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadGroups -ResourceId $Id

    4. You can then assign the desired Privileged Role Definitions (Owner and Member) to the group using the New-AzureADMSPrivilegedRoleAssignment command:

    # The subject is the user or group that becomes eligible for the group's Owner/Member role,
    # not the role-assignable group itself.
    $SubjectId = "<objectId of the user or group to make eligible>"
    # Eligible assignments need a schedule; omitting EndDateTime makes the eligibility permanent.
    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type = "Once"
    $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("o")
    foreach ($roleDefinition in $privilegedRoleDefinitions) {
        if ($roleDefinition.DisplayName -eq "Owner" -or $roleDefinition.DisplayName -eq "Member") {
            # In AzureADPreview the cmdlet that creates a PIM assignment is Open-AzureADMSPrivilegedRoleAssignmentRequest.
            Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadGroups -ResourceId $Id -RoleDefinitionId $roleDefinition.Id -SubjectId $SubjectId -Type "AdminAdd" -AssignmentState "Eligible" -Schedule $schedule -Reason "GDAP onboarding"
        }
    }
    

    This script will create a role-assignable group, enable PIM for the group, and assign the Owner and Member Privileged Role Definitions to the group. Note that you need to enable PIM for the group using the Azure portal, as there is no direct PowerShell command for this step.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    1 person found this answer helpful.
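The steps in the accepted answer, put together for the bulk case described in the question (500+ groups), as an added example that is not code from the post or from Microsoft. It assumes the AzureADPreview module with Connect-AzureAD already run by an account that can manage PIM, and that each group has already been enabled for PIM in the portal as the answer says. The CSV column names, the group names and the subject object IDs in the constructed input are placeholders I made up; the helper function names are mine.

```powershell
# Added example (not from the original post). Requires AzureADPreview and an
# existing Connect-AzureAD session. Each group must already be onboarded to PIM.
Import-Module AzureADPreview

# Constructed input: one row per group. SubjectId is the object ID of the user or
# group that should become eligible for the group's Owner and Member roles.
# In practice: $rows = Import-Csv .\gdap-groups.csv  (columns Name, SubjectId)
$rows = @(
    [pscustomobject]@{ Name = 'GDAP-Customer001-Admins'; SubjectId = '00000000-0000-0000-0000-000000000001' },
    [pscustomobject]@{ Name = 'GDAP-Customer002-Admins'; SubjectId = '00000000-0000-0000-0000-000000000002' }
)

# Eligibility schedule: start now, no end date (permanent eligibility). Adjust to policy.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('o')

function New-PimGroup {
    param([Parameter(Mandatory)][string]$Name)
    # Re-runs must not create duplicates: reuse an existing group with the same name.
    $existing = Get-AzureADMSGroup -Filter "displayName eq '$Name'"
    if ($existing) { return $existing }
    # MailNickname must be unique and may not contain spaces or most punctuation.
    $nick = $Name -replace '[^A-Za-z0-9-]', ''
    New-AzureADMSGroup -DisplayName $Name -MailEnabled $false -SecurityEnabled $true `
        -MailNickname $nick -IsAssignableToRole $true
}

function Get-PimGroupRoleDefinitions {
    param([Parameter(Mandatory)][string]$GroupId)
    # As the question notes, a group that is not yet onboarded to PIM produces a
    # forbidden error here rather than an empty list, so fail with a clear message.
    try {
        $defs = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadGroups -ResourceId $GroupId
    } catch {
        throw "Group $GroupId is not enabled for PIM yet (enable it in the portal first): $($_.Exception.Message)"
    }
    if (-not $defs) { throw "No PIM role definitions returned for group $GroupId" }
    return $defs
}

function Add-EligibleGroupRoles {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$SubjectId,
        [string[]]$Roles = @('Owner', 'Member')
    )
    $defs = Get-PimGroupRoleDefinitions -GroupId $GroupId
    # Existing assignments for this subject, so the script is idempotent.
    $current = Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadGroups -ResourceId $GroupId `
        -Filter "subjectId eq '$SubjectId'"
    foreach ($role in $Roles) {
        $def = $defs | Where-Object { $_.DisplayName -eq $role }
        if (-not $def) { throw "Role '$role' not found on group $GroupId" }
        $already = $current | Where-Object { $_.RoleDefinitionId -eq $def.Id -and $_.AssignmentState -eq 'Eligible' }
        if ($already) { Write-Verbose "$SubjectId already eligible for $role on $GroupId"; continue }
        # AdminAdd + Eligible creates an eligible (not active) assignment for the subject.
        Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadGroups -ResourceId $GroupId `
            -RoleDefinitionId $def.Id -SubjectId $SubjectId -Type 'AdminAdd' `
            -AssignmentState 'Eligible' -Schedule $schedule -Reason 'GDAP bulk onboarding'
    }
}

foreach ($row in $rows) {
    $group = New-PimGroup -Name $row.Name
    Add-EligibleGroupRoles -GroupId $group.Id -SubjectId $row.SubjectId
}
```

Two caveats from my side, not from the post: the `aadGroups` provider used by these cmdlets is the older PIM for Groups API, and the AzureAD/AzureADPreview modules are deprecated in favour of Microsoft Graph PowerShell, so new automation should target the Graph identity governance endpoints instead. The onboarding step itself is left to the portal here, exactly as the answer prescribes; the script only makes that gap visible by failing fast on the forbidden error instead of silently skipping a group.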

0 additional answers
