Create a role-assignable group in Microsoft Entra ID

With Microsoft Entra ID P1 or P2, you can create role-assignable groups and assign Microsoft Entra roles to these groups. You create a new role-assignable group by setting Microsoft Entra roles can be assigned to the group to Yes or by setting the isAssignableToRole property set to true. A role-assignable group can't be of dynamic membership type and you can create a maximum of 500 groups in a single tenant.

This article describes how to create a role-assignable group using the Microsoft Entra admin center, PowerShell, or Microsoft Graph API.

Prerequisites

• Microsoft Entra ID P1 or P2 license
• Privileged Role Administrator
• Microsoft.Graph module when using Microsoft Graph PowerShell
• Azure AD PowerShell module when using Azure AD PowerShell
• Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Microsoft Entra admin center

Tip

Steps in this article may vary slightly based on the portal you start from.

1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

2. Browse to Identity > Groups > All groups.

3. Select New group.

4. On the New Group page, provide group type, name and description.

5. Set Microsoft Entra roles can be assigned to the group to Yes.

   This option is visible to only Privileged Role Administrators and Global Administrators because these are only two roles that can set this option.

   

6. Select the members and owners for the group. You also have the option to assign roles to the group, but assigning a role isn't required here.

7. Select Create.

   You see the following message:

   Creating a group to which Microsoft Entra roles can be assigned is a setting that cannot be changed later. Are you sure you want to add this capability?

   

8. Select Yes.

   The group is created with any roles you might have assigned to it.

PowerShell

Microsoft Graph PowerShell

Use the New-MgGroup command to create a role-assignable group.

Connect-MgGraph -Scopes "Group.ReadWrite.All"
$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group has Helpdesk Administrator built-in role assigned to it in Azure AD." -MailEnabled:$false -SecurityEnabled -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole:$true

Azure AD PowerShell

Use the New-AzureADMSGroup command to create a role-assignable group.

$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $false -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true

For this type of group, isPublic will always be false and isSecurityEnabled will always be true.

Copy one group's users and service principals into a role-assignable group

#Basic set up
Install-Module -Name AzureAD
Import-Module -Name AzureAD
Get-Module -Name AzureAD

#Connect to Azure AD. Sign in as Privileged Role Administrator or Global Administrator. Only these two roles can create a role-assignable group.
Connect-AzureAD

#Input variabled: Existing group
$idOfExistingGroup = "14044411-d170-4cb0-99db-263ca3740a0c"

#Input variables: New role-assignable group
$groupName = "Contoso_Bellevue_Admins"
$groupDescription = "This group is assigned to Helpdesk Administrator built-in role in Azure AD."
$mailNickname = "contosobellevueadmins"

#Create new security group which is a role assignable group. For creating a Microsoft 365 group, set GroupTypes="Unified" and MailEnabled=$true
$roleAssignablegroup = New-AzureADMSGroup -DisplayName $groupName -Description $groupDescription -MailEnabled $false -MailNickname $mailNickname -SecurityEnabled $true -IsAssignableToRole $true

#Get details of existing group
$existingGroup = Get-AzureADMSGroup -Id $idOfExistingGroup
$membersOfExistingGroup = Get-AzureADGroupMember -ObjectId $existingGroup.Id

#Copy users and service principals from existing group to new group
foreach($member in $membersOfExistingGroup){
if($member.ObjectType -eq 'User' -or $member.ObjectType -eq 'ServicePrincipal'){
Add-AzureADGroupMember -ObjectId $roleAssignablegroup.Id -RefObjectId $member.ObjectId
}
}

Microsoft Graph API

Use the Create group API to create a role-assignable group.

POST https://graph.microsoft.com/v1.0/groups
{
  "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
  "displayName": "Contoso_Helpdesk_Administrators",
  "groupTypes": [
    "Unified"
  ],
  "isAssignableToRole": true,
  "mailEnabled": true,
  "securityEnabled": true,
  "mailNickname": "contosohelpdeskadministrators",
  "visibility" : "Private"
}

For this type of group, isPublic will always be false and isSecurityEnabled will always be true.

Next steps

• Assign Microsoft Entra roles to groups
• Use Microsoft Entra groups to manage role assignments
• Troubleshoot Microsoft Entra roles assigned to groups