Share via

How to change "Microsoft entra roles" property in a group

Kyuzo88 101 Reputation points
2023-10-18T13:06:39.2466667+00:00

I have a group X of type Microsoft 365 (not dynamic) created with the property "Microsoft entra roles can be assigned" to false.

Now I need to assign a role to this group, how can I do it ?
this property can't be changed even with powershell ?

I thought of creating another group Y where then insert group X inside it, but unfortunately this is not allowed either.

The only solution I found is to create another group from scratch reinserting all the users but at this point we will have two groups with the same functionality and I don't like that.

Ideas ?

Microsoft Security | Intune | Other
Microsoft Security | Microsoft Entra | Other
0 comments
Accepted answer
  1. Domooney-MSFT 2,606 Reputation points Microsoft Employee Moderator
    2023-10-18T15:52:58.53+00:00

    Hi @Kyuzo88

    Thank you for posting your query on Microsoft Q&A.

    Unfortunately it is by design that its impossible to convert a standard group into a role assignable group, essentially it is to prevent unwanted escalation of user permissions, or group owners accidently gaining permission to grant admin permissions, we have a short note on it here -https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-faq-troubleshooting#why-do-we-enforce-creating-a-new-group-for-assigning-it-to-role---

    One possible workaround would be to create the new role assignable group and then use a PowerShell script to add all users from the previous group to the new group.

    Do let me know if you have any further queries, I would be happy to help!

    Kind Regards,

    Donal

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.