Creating Intune role assignments

Dapotter 20 Reputation points
2025-05-02T00:53:16.3433333+00:00

Could anybody share an example of a Device Management Role Assignment creation where a scope group is specified?

I am trying to use the MS Graph SDK to create Intune Role Assignments but I am encountering a generic error message:

New-MgDeviceManagementRoleAssignment_CreateExpanded: {
  "_version": 3,
  "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 966e53c7-ecdc-47cb-a015-7b50253fcf0a - Url: https://fef.msua08.manage.microsoft.com/StatelessRoleAdministrationFEService/deviceManagement/roleAssignments?api-version=5021-08-02",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"

The attempted syntax is:

    $NewRoleAssignment = New-MgDeviceManagementRoleAssignment -Description $RoleAssignmentDescription -DisplayName $RoleAssignmentName -Members $lsagroup.id -ResourceScopes $group.id -RoleScopeTags $newtag -Verbose -Confirm

where the description/name fields are strings, and the resource IDs are strings with the IDs of the corresponding objects.


Accepted answer
Rukmini 1,946 Reputation points Microsoft External Staff Moderator
2025-05-07T06:31:17.85+00:00

    Hello @Dapotter, I understand that you want to create a Device Management Role Assignment where a scope group is specified and are getting the error.

    To create Intune role assignments with group scope, check the below:

    Get the Role definition ID:

    Get-MgDeviceManagementRoleDefinition | Select-Object DisplayName, Id

    Use the below script to create Intune role assignments with group scope:

    Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All", "Group.Read.All", "Directory.Read.All"

    # Define variables
    $roleDefinition = "RoleDefinitionID"
    $ResourceScopes = @(
        "GroupObjectID"
    )
    $Members = @(
        "UserObjectID"
    )

    # Placeholder values for display name and description
    $DisplayName = "Test Role Assignment"
    $Description = "Assigning a role for device management"

    # Create role assignment parameters
    $CreateParameters = @{
        description    = $Description
        displayName    = $DisplayName
        resourceScopes = $ResourceScopes
        members        = $Members
        '@odata.type'  = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
        # Navigation binding to the role definition. The page masked this key as '******@odata.bind';
        # the Graph property name for deviceAndAppManagementRoleAssignment is 'roleDefinition@odata.bind'.
        'roleDefinition@odata.bind' = "https://graph.microsoft.com/beta/deviceManagement/roleDefinitions('$roleDefinition')"
    }

    # Create the role assignment
    $policy = New-MgDeviceManagementRoleAssignment -BodyParameter $CreateParameters

    Created Device Management Role Assignment successfully:


    Able to fetch the created Device Management Role Assignments successfully:

    Get-MgDeviceManagementRoleAssignment

    Reference:

    PowerShell Gallery | DSCResources/MSFT_IntuneRoleAssignment/MSFT_IntuneRoleAssignment.psm1 1.23.503.1

    Hope this helps!

    If this answer was helpful, please click "Accept the answer" and mark Yes, as this can help other community members.


    If you have any other questions or are still facing issues, feel free to post in the comments and I’ll be happy to assist further.
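A fuller version of the same procedure, added here as an example and not part of the answer above or of any Microsoft script: it resolves the role definition and both groups by display name, fails closed when a lookup is missing or ambiguous, builds the same body the answer uses, and reads the assignment back to confirm the scope was limited to the intended group. The role and group display names are placeholders; the Microsoft.Graph PowerShell SDK is assumed to be installed.

```powershell
# Added example (assumed names; not the answer's own code).
Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All", "Group.Read.All"

$roleName   = "Help Desk Operator"          # placeholder: Intune role definition display name
$adminGroup = "SG-Intune-HelpDesk-Admins"   # placeholder: group whose members receive the role
$scopeGroup = "SG-Intune-HelpDesk-Devices"  # placeholder: group the role is allowed to act on

# Resolve the role definition by display name; stop rather than bind to the wrong role.
$role = Get-MgDeviceManagementRoleDefinition -All | Where-Object { $_.DisplayName -eq $roleName }
if (@($role).Count -ne 1) { throw "Expected exactly one role definition named '$roleName', found $(@($role).Count)" }

# Resolve a group by display name and require exactly one match (duplicate names are common).
function Get-GroupId([string]$Name) {
    $g = Get-MgGroup -Filter "displayName eq '$Name'" -Property Id, DisplayName
    if (@($g).Count -ne 1) { throw "Expected exactly one group named '$Name', found $(@($g).Count)" }
    return $g.Id
}

$membersId = Get-GroupId $adminGroup
$scopeId   = Get-GroupId $scopeGroup

$body = @{
    '@odata.type'  = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName    = "$roleName - $scopeGroup"
    description    = "Scoped $roleName assignment created via the Graph SDK"
    members        = @($membersId)   # who holds the role (group object IDs)
    resourceScopes = @($scopeId)     # what they may manage (group object IDs)
    'roleDefinition@odata.bind' = "https://graph.microsoft.com/beta/deviceManagement/roleDefinitions('$($role.Id)')"
}

$assignment = New-MgDeviceManagementRoleAssignment -BodyParameter $body

# Read the assignment back and verify the scope contains only the intended group.
$created = Get-MgDeviceManagementRoleAssignment -DeviceAndAppManagementRoleAssignmentId $assignment.Id
$unexpected = @($created.ResourceScopes | Where-Object { $_ -ne $scopeId })
if ($unexpected.Count -gt 0) {
    throw "Assignment $($created.Id) has scopes outside '$scopeGroup': $($unexpected -join ', ')"
}
Write-Host "Created $($created.DisplayName) ($($created.Id)) scoped to $scopeGroup"
```

Re-run the read-back block on its own periodically to catch scope drift: an assignment whose resourceScopes grows beyond the intended group is a privilege-escalation path, not just a configuration error.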

