Create a role-assignable group in Microsoft Entra ID

With Microsoft Entra ID P1 or P2, you can create role-assignable groups and assign Microsoft Entra roles to these groups. You create a new role-assignable group by setting Microsoft Entra roles can be assigned to the group to Yes or by setting the isAssignableToRole property set to true. A role-assignable group can't be of dynamic membership type and you can create a maximum of 500 groups in a single tenant.

This article describes how to create a role-assignable group using the Microsoft Entra admin center, PowerShell, or Microsoft Graph API.


For more information, see Prerequisites to use PowerShell or Graph Explorer.

Microsoft Entra admin center


Steps in this article may vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Groups > All groups.

  3. Select New group.

  4. On the New Group page, provide group type, name and description.

  5. Set Microsoft Entra roles can be assigned to the group to Yes.

    This option is visible to only Privileged Role Administrators and Global Administrators because these are only two roles that can set this option.

    Screenshot of option to make group a role-assignable group.

  6. Select the members and owners for the group. You also have the option to assign roles to the group, but assigning a role isn't required here.

  7. Select Create.

    You see the following message:

    Creating a group to which Microsoft Entra roles can be assigned is a setting that cannot be changed later. Are you sure you want to add this capability?

    Screenshot of confirm message when creating a role-assignable group.

  8. Select Yes.

    The group is created with any roles you might have assigned to it.


Use the New-MgGroup command to create a role-assignable group.

Connect-MgGraph -Scopes "Group.ReadWrite.All"
$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group has Helpdesk Administrator built-in role assigned to it in Azure AD." -MailEnabled:$false -SecurityEnabled -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole:$true

Microsoft Graph API

Use the Create group API to create a role-assignable group.

  "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
  "displayName": "Contoso_Helpdesk_Administrators",
  "groupTypes": [
  "isAssignableToRole": true,
  "mailEnabled": true,
  "securityEnabled": true,
  "mailNickname": "contosohelpdeskadministrators",
  "visibility" : "Private"

For this type of group, isPublic will always be false and isSecurityEnabled will always be true.

Next steps