New-MgBetaRoleManagementDirectoryRoleAssignment
Create a new unifiedRoleAssignment object.
Note
To view the v1.0 release of this cmdlet, view New-MgRoleManagementDirectoryRoleAssignment
Syntax
New-MgBetaRoleManagementDirectoryRoleAssignment
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-AppScope <IMicrosoftGraphAppScope>]
[-AppScopeId <String>]
[-Condition <String>]
[-DirectoryScope <IMicrosoftGraphDirectoryObject>]
[-DirectoryScopeId <String>]
[-Id <String>]
[-Principal <IMicrosoftGraphDirectoryObject>]
[-PrincipalId <String>]
[-PrincipalOrganizationId <String>]
[-ResourceScope <String>]
[-RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
[-RoleDefinitionId <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-MgBetaRoleManagementDirectoryRoleAssignment
-BodyParameter <IMicrosoftGraphUnifiedRoleAssignment>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Create a new unifiedRoleAssignment object.
Examples
Example 1: Create a role assignment with tenant scope
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
"@odata.type" = "#microsoft.graph.unifiedRoleAssignment"
roleDefinitionId = "c2cf284d-6c41-4e6b-afac-4b80928c9034"
principalId = "f8ca5a85-489a-49a0-b555-0a6d81e56f0d"
directoryScopeId = "/"
}
New-MgBetaRoleManagementDirectoryRoleAssignment -BodyParameter $params
This example will create a role assignment with tenant scope
Example 2: Create a role assignment with administrative unit scope
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
"@odata.type" = "#microsoft.graph.unifiedRoleAssignment"
roleDefinitionId = "fe930be7-5e62-47db-91af-98c3a49a38b1"
principalId = "f8ca5a85-489a-49a0-b555-0a6d81e56f0d"
directoryScopeId = "/administrativeUnits/5d107bba-d8e2-4e13-b6ae-884be90e5d1a"
}
New-MgBetaRoleManagementDirectoryRoleAssignment -BodyParameter $params
This example will### Example 2: create a role assignment with administrative unit scope
Example 3: Create a role assignment with attribute set scope
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
"@odata.type" = "#microsoft.graph.unifiedRoleAssignment"
roleDefinitionId = "58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d"
principalId = "f8ca5a85-489a-49a0-b555-0a6d81e56f0d"
directoryScopeId = "/attributeSets/Engineering"
}
New-MgBetaRoleManagementDirectoryRoleAssignment -BodyParameter $params
This example will### Example 3: create a role assignment with attribute set scope
Parameters
-AdditionalProperties
Additional Parameters
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AppScope
appScope To construct, see NOTES section for APPSCOPE properties and create a hash table.
Type: | IMicrosoftGraphAppScope |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AppScopeId
Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog. For example, /AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997. Supports $filter (eq, in). For example /roleManagement/entitlementManagement/roleAssignments$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-BodyParameter
unifiedRoleAssignment To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleAssignment |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Condition
.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DirectoryScope
directoryObject To construct, see NOTES section for DIRECTORYSCOPE properties and create a hash table.
Type: | IMicrosoftGraphDirectoryObject |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DirectoryScopeId
Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports $filter (eq, in).
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
Type: | IDictionary |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Id
The unique identifier for an entity. Read-only.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Principal
directoryObject To construct, see NOTES section for PRINCIPAL properties and create a hash table.
Type: | IMicrosoftGraphDirectoryObject |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PrincipalId
Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports $filter (eq, in).
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PrincipalOrganizationId
Identifier of the home tenant for the principal to which the assignment is granted.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ProgressAction
{{ Fill ProgressAction Description }}
Type: | ActionPreference |
Aliases: | proga |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceScope
The scope at which the unifiedRoleAssignment applies. This is / for service-wide. DO NOT USE. This property will be deprecated soon.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
Type: | String |
Aliases: | RHV |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleDefinition
unifiedRoleDefinition To construct, see NOTES section for ROLEDEFINITION properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleDefinition |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleDefinitionId
Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports $filter (eq, in).
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphUnifiedRoleAssignment
System.Collections.IDictionary
Outputs
Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphUnifiedRoleAssignment
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
APPSCOPE <IMicrosoftGraphAppScope>
: appScope
[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
BODYPARAMETER <IMicrosoftGraphUnifiedRoleAssignment>
: unifiedRoleAssignment
[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AppScope <IMicrosoftGraphAppScope>]
: appScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
[AppScopeId <String>]
: Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog. For example, /AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997. Supports $filter (eq, in). For example /roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'.[Condition <String>]
:[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports $filter (eq, in).[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports $filter (eq, in).[PrincipalOrganizationId <String>]
: Identifier of the home tenant for the principal to which the assignment is granted.[ResourceScope <String>]
: The scope at which the unifiedRoleAssignment applies. This is / for service-wide. DO NOT USE. This property will be deprecated soon.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports $filter (eq, in).
DIRECTORYSCOPE <IMicrosoftGraphDirectoryObject>
: directoryObject
[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
PRINCIPAL <IMicrosoftGraphDirectoryObject>
: directoryObject
[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
ROLEDEFINITION <IMicrosoftGraphUnifiedRoleDefinition>
: unifiedRoleDefinition
[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.