Assigning Azure AD roles using group?

EnterpriseArchitect 5,136 Reputation points

I need to create a cloud-only group called App Admins which has the Azure AD Role Application and Cloud Application Administrator role assigned to the members that are assigned manually.

What are the steps I must take and how to achieve that with the Entra ID?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,408 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,769 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,576 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Vlad Costa 935 Reputation points

    Hi There,

    Please see the steps below via Powershell and through the Azure Portal.

    1. Create a Cloud-Only Group in Azure AD (Microsoft Entra ID):
      • Use the New-AzureADGroup command in PowerShell to create a new group. The syntax is as follows:
         New-AzureADGroup -DisplayName "App Admins" -MailEnabled $false -MailNickName "appadmins" -SecurityEnabled $true
      This command creates a new security group named “App Admins”.
    2. Manually Add Members to the Group:
      • Use the Add-AzureADGroupMember command in PowerShell to add members to the group. The syntax is as follows:
         Add-AzureADGroupMember -ObjectId <GroupObjectID> -RefObjectId <UserObjectID>
      Replace <GroupObjectID> with the Object ID of the “App Admins” group and <UserObjectID> with the Object ID of the user you want to add to the group. Repeat this step for each user you want to add.
    3. Assign Azure AD Role to the Group:
    • Sign in to the Azure portal.
    • In the Search box at the top, search for the scope you want to grant access to (e.g., Subscriptions, Resource groups, or a specific resource).
      • Click Access Control (IAM).
      • Click Add > Add role assignment.
      • On the Role tab, select the “Application Administrator” and “Cloud Application Administrator” roles.
      • On the Members tab, select Group, then click Select Members.
      • Find and select the “App Admins” group, then click Next and Assign.

    Please note that you must have the necessary permissions to perform these actions.

    If you find this response helpful and it resolves your issue, please consider marking it as “Accepted” or giving it an upvote. This will help others in the community find the solution more easily.