Creating a New Azure AD Assignable Group Through PowerShell Error

Taha Ahmad 21 Reputation points
2022-02-03T22:44:04.107+00:00

The docs mention this method of creating AAD role assignable groups here https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-create-eligible and https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadmsgroup?view=azureadps-2.0
This was tested on Azure CloudShell utilizing PSVersion 7.2.1.
Global admin was also used.

I've created a PowerShell script in order to deploy groups consistently utilizing the Microsoft Documentation. I am able to create new groups that are not assignable to Azure AD roles through the "New-AzureADMSGroup":

$analystGroup = New-AzureADMSGroup -DisplayName $analystGroupName -Description $analystGroupDescription -MailEnabled $false -MailNickname $analystGroupMailNickname -SecurityEnabled $true

Returns a successfully created group; however, if I attempt to add the parameter that enables AAD role assignment, "IsAssignableToRole":

$analystGroup = New-AzureADMSGroup -DisplayName $analystGroupName -Description $analystGroupDescription -MailEnabled $false -MailNickname $analystGroupMailNickname -SecurityEnabled $true -IsAssignableToRole $false

I am met with the error:
"A parameter cannot be found that matches parameter name 'IsAssignableToRole'".

To me this indicates that the cmdlet has been updated so it is not possible to create AAD role assignable groups through PowerShell anymore. Thus, I attempted to use older versions of the AzureAD module and the AzureADPreview module. In both cases, I was still left with the same error.

Is there a way to circumvent this error or another way to create AAD role assignable groups through PowerShell?

Microsoft Entra ID

Accepted answer
  1. Siva-kumar-selvaraj 15,546 Reputation points
    2022-02-04T22:10:50.577+00:00

    Hello @Taha Ahmad ,

    Thanks for reaching out.

    This is due to PowerShell limitations within Cloud Shell: currently AzureAD.Standard.Preview is the only supported module available. You can verify this by running Get-Module AzureAD* from Cloud Shell, as shown below:

    [screenshot: output of Get-Module AzureAD* in Cloud Shell]

    This preview module provides most of the functionality of the public AzureAD module, but not all of it, which is why you may experience this issue. Therefore, you can try using the Microsoft.Graph module as an alternative approach in this scenario to create the AAD group, as explained below.

    Steps:

    1) Install Microsoft.Graph from Azure cloud shell

    Install-Module -Name Microsoft.Graph

    2) Login to Azure AD

    Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Directory.ReadWrite.All', 'Directory.AccessAsUser.All'

    Note: You must pass these API permissions in the scope parameter along with Connect-MgGraph command.

    3) Create Security group:
    New-MgGroup -DisplayName AdminGroup -Description AdminGroup -MailEnabled:$false -SecurityEnabled:$true -MailNickname AdminGroup -IsAssignableToRole

    The following screenshot is from my test outcome:
    [screenshot: New-MgGroup output showing the created role-assignable group]

    For more details: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.groups/new-mggroup?view=graph-powershell-beta

    Hope this helps.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
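The following script is an added example, not code from the question or the accepted answer. It puts the answer's three steps together as one runnable procedure: it first checks whether the loaded AzureAD module actually exposes -IsAssignableToRole (the check behind the error in the question), then creates the group with Microsoft.Graph and reads it back to confirm IsAssignableToRole is set. The group names, the helper function names and the scope list are assumptions; the RoleManagement.ReadWrite.Directory scope is what the current Graph permission reference lists for creating role-assignable groups, where the answer relied on Directory.AccessAsUser.All instead.

```powershell
# Added example (not from the original post): create an Entra ID / AAD role-assignable
# group with Microsoft.Graph PowerShell and verify the result. Names below are assumptions.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups

param(
    [string]$DisplayName  = 'SecOps-Analysts',                      # assumed
    [string]$MailNickname = 'secops-analysts',                      # assumed
    [string]$Description  = 'Role-assignable group for SecOps analysts'
)

# Diagnoses the question's error: does the AzureAD module that is actually loaded
# (AzureAD.Standard.Preview in Cloud Shell) expose -IsAssignableToRole at all?
function Test-AzureADRoleAssignableSupport {
    $cmd = Get-Command New-AzureADMSGroup -ErrorAction SilentlyContinue
    if (-not $cmd) { return $false }                       # module not present at all
    return $cmd.Parameters.ContainsKey('IsAssignableToRole')
}

# Creates the group idempotently and verifies the role-assignable flag after creation.
function New-RoleAssignableGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [string]$Description = ''
    )

    # Escape single quotes before interpolating into the OData filter (filter injection).
    $safeNick = $MailNickname.Replace("'", "''")
    $existing = Get-MgGroup -Filter "mailNickname eq '$safeNick'" `
                            -Property Id,DisplayName,IsAssignableToRole

    if ($existing) {
        # IsAssignableToRole is fixed at creation time; an ordinary group cannot be
        # converted later, so a pre-existing non-assignable group is a hard failure.
        if (-not $existing.IsAssignableToRole) {
            throw "Group '$($existing.DisplayName)' exists but is not role-assignable; recreate it."
        }
        return $existing
    }

    # Role-assignable groups must be security-enabled and use assigned (not dynamic)
    # membership; leaving -GroupTypes unset gives assigned membership.
    $created = New-MgGroup -DisplayName $DisplayName -Description $Description `
                           -MailNickname $MailNickname -MailEnabled:$false `
                           -SecurityEnabled:$true -IsAssignableToRole

    # Read the object back instead of trusting the local return value.
    $check = Get-MgGroup -GroupId $created.Id `
                         -Property Id,DisplayName,IsAssignableToRole,SecurityEnabled,MailEnabled
    if (-not $check.IsAssignableToRole) {
        throw "Group $($check.Id) was created but IsAssignableToRole is not set."
    }
    return $check
}

# --- main flow ---------------------------------------------------------------

if (Test-AzureADRoleAssignableSupport) {
    Write-Host 'Loaded AzureAD module supports -IsAssignableToRole; New-AzureADMSGroup would work here.'
} else {
    Write-Host 'New-AzureADMSGroup lacks -IsAssignableToRole in this session; using Microsoft.Graph.'
}

# Least-privilege delegated scopes for this operation (assumed set, see lead-in).
# Add -UseDeviceCode if the session has no browser, as in Cloud Shell.
$requiredScopes = @('Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory')
Connect-MgGraph -Scopes $requiredScopes

# Fail early if consent did not grant everything we asked for.
$granted = (Get-MgContext).Scopes
$missing = $requiredScopes | Where-Object { $_ -notin $granted }
if ($missing) { throw "Missing Graph scopes: $($missing -join ', ')" }

$group = New-RoleAssignableGroup -DisplayName $DisplayName `
                                 -MailNickname $MailNickname `
                                 -Description $Description
$group | Select-Object Id, DisplayName, SecurityEnabled, MailEnabled, IsAssignableToRole
```

Two operational notes for anyone reusing this: the signed-in user still needs a directory role that may create role-assignable groups (Privileged Role Administrator or Global Administrator), regardless of the Graph scopes consented, and because such groups can carry Entra roles, their membership is deliberately restricted to those same administrators and the group's owners, so treat owner assignment on the new group as a privileged change.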

0 additional answers
