Hi @Adrien Maugard, you can create a role-assignable group using PowerShell and then assign the desired Privileged Role Definitions to the group. Please try this and let me know if it works:
- Create a new role-assignable group using the `New-AzureADMSGroup` command:

```powershell
# The *-AzureADMSPrivilegedRole* cmdlets used below live in the AzureADPreview module
Import-Module AzureADPreview
Connect-AzureAD

$Name = "YourGroupName"
# -IsAssignableToRole $true makes the group role-assignable (this cannot be changed after creation)
$roleAssignableGroup = New-AzureADMSGroup -DisplayName $Name -MailEnabled $false -SecurityEnabled $true -MailNickname $Name -IsAssignableToRole $true
```
- After creating the group, you can use the Azure portal to enable PIM for the group. Unfortunately, there is no direct PowerShell command to enable PIM for a group.
- Once PIM is enabled for the group, you can use the `Get-AzureADMSPrivilegedRoleDefinition` command to get the Privileged Role Definitions for the group:

```powershell
$Id = $roleAssignableGroup.Id
$privilegedRoleDefinitions = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadGroups -ResourceId $Id
```
- You can then assign the desired Privileged Role Definitions (Owner and Member) to the group using the `New-AzureADMSPrivilegedRoleAssignment` command:

```powershell
foreach ($roleDefinition in $privilegedRoleDefinitions) {
    # Only the Owner and Member definitions of the group are assigned
    if ($roleDefinition.DisplayName -eq "Owner" -or $roleDefinition.DisplayName -eq "Member") {
        # "Eligible" means the assignment must be activated through PIM before it takes effect
        New-AzureADMSPrivilegedRoleAssignment -ResourceId $Id -RoleDefinitionId $roleDefinition.Id -SubjectId $roleAssignableGroup.Id -AssignmentState "Eligible" -ProviderId aadGroups
    }
}
```
This script will create a role-assignable group, enable PIM for the group, and assign the Owner and Member Privileged Role Definitions to the group. Note that you need to enable PIM for the group using the Azure portal, as there is no direct PowerShell command for this step.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James
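As an added example (not James's code and not taken from the AzureAD module documentation), the following script checks the result of the steps above: that the group is role-assignable, that it has been onboarded to PIM in the portal, and which subjects are eligible for or permanently hold Owner/Member on it. The function name, the `$roleAssignableGroup` variable from the answer, and the "permanent owner" finding rule are assumptions.

```powershell
# Added example: verify the PIM-for-groups setup and review its assignments.
# Function name and the finding rule are assumptions, not part of the original answer.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

function Test-PimGroupSetup {
    param([Parameter(Mandatory)][string]$GroupId)

    # 1. PIM for groups only works on role-assignable groups, and the flag is fixed at creation
    $group = Get-AzureADMSGroup -Id $GroupId
    if (-not $group.IsAssignableToRole) {
        Write-Warning "$($group.DisplayName) is not role-assignable; recreate it with -IsAssignableToRole `$true"
        return
    }

    # 2. Onboarding in the portal registers the group as a privileged resource under the aadGroups provider
    try {
        $null = Get-AzureADMSPrivilegedResource -ProviderId aadGroups -Id $GroupId -ErrorAction Stop
    } catch {
        Write-Warning "$($group.DisplayName) is not onboarded to PIM yet; enable it in the Azure portal first"
        return
    }

    # 3. Map role definition IDs to their names (Owner / Member) so the output is readable
    $roleNames = @{}
    Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadGroups -ResourceId $GroupId |
        ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

    # 4. List every assignment on the group and flag permanent active owners,
    #    since those never go through the PIM activation flow (assumed review rule)
    Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadGroups -ResourceId $GroupId |
        ForEach-Object {
            $roleName = $roleNames[$_.RoleDefinitionId]
            $subject  = Get-AzureADObjectByObjectId -ObjectIds $_.SubjectId
            $finding  = ''
            if ($_.AssignmentState -eq 'Active' -and -not $_.EndDateTime -and $roleName -eq 'Owner') {
                $finding = 'Permanent owner'
            }
            [pscustomobject]@{
                Role       = $roleName
                Subject    = $subject.DisplayName
                State      = $_.AssignmentState   # Eligible or Active
                MemberType = $_.MemberType
                Expires    = $_.EndDateTime       # empty means no expiry
                Finding    = $finding
            }
        }
}

Test-PimGroupSetup -GroupId $roleAssignableGroup.Id | Format-Table -AutoSize
```

Run it after the portal step; a warning instead of a table tells you which prerequisite is still missing.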