New command: m365 entra roleassignment add #6563

Open
MartinM85 opened this issue Jan 13, 2025 · 0 comments
Labels: needs peer review, new feature

@MartinM85
Contributor

Usage

m365 entra roleassignment add [options]

Description

Assign an Entra ID role to a user and specify the scope for which the user has been granted access

Options

| Option | Description |
| --- | --- |
| `--roleDefinitionId [roleDefinitionId]` | Id of a role to be assigned. Specify either roleDefinitionId or roleDefinitionName, but not both. |
| `--roleDefinitionName [roleDefinitionName]` | Name of a role to be assigned. Specify either roleDefinitionId or roleDefinitionName, but not both. |
| `--principalId [principalId]` | Id of a user to which the assignment is granted. Specify either principalId or principalName, but not both. |
| `--principalName [principalName]` | User principal name of a user to which the assignment is granted. Specify either principalId or principalName, but not both. |
| `-s, --scope <scope>` | Scope of the role assignment. Allowed values are: tenant, administrativeUnit, application, servicePrincipal. |
| `--administrativeUnitId [administrativeUnitId]` | Id of an administrative unit to which the assignment is scoped. Specify either administrativeUnitId or administrativeUnitName when scope is set to administrativeUnit. |
| `--administrativeUnitName [administrativeUnitName]` | Name of an administrative unit to which the assignment is scoped. Specify either administrativeUnitId or administrativeUnitName when scope is set to administrativeUnit. |
| `--applicationId [applicationId]` | Id of an application to which the assignment is scoped. Specify either applicationId or applicationName when scope is set to application. |
| `--applicationName [applicationName]` | Name of an application to which the assignment is scoped. Specify either applicationId or applicationName when scope is set to application. |
| `--servicePrincipalId [servicePrincipalId]` | Id of an application to which the assignment is scoped. Specify either servicePrincipalId or servicePrincipalName when scope is set to servicePrincipal. |
| `--servicePrincipalName [servicePrincipalName]` | Name of an application to which the assignment is scoped. Specify either servicePrincipalId or servicePrincipalName when scope is set to servicePrincipal. |

Examples

Assign a role specified by name to a user specified by id and scope the assignment to the whole tenant

m365 entra roleassignment add --roleDefinitionName 'SharePoint Administrator' --principalId 7a2ca997-9461-402e-9882-58088a370889 --scope tenant

Assign a role specified by id to a user specified by UPN and scope the assignment to a service principal specified by id

m365 entra roleassignment add --roleDefinitionId 777b752-f9b7-4205-a2b1-5db0d6a0ccfc --principalName [email protected] --scope servicePrincipal --servicePrincipalId a4738dd8-fc0f-4646-87fb-47539f5c651b

Assign a role specified by name to a user specified by id and scope the assignment to an administrative unit specified by name

m365 entra roleassignment add --roleDefinitionName 'User Administrator' --principalId 7a2ca997-9461-402e-9882-58088a370889 --scope administrativeUnit --administrativeUnitName 'Marketing'

Assign a role specified by name to a user specified by id and scope the assignment to an application specified by id

m365 entra roleassignment add --roleDefinitionName 'Application Administrator' --principalId 7a2ca997-9461-402e-9882-58088a370889 --scope application --applicationId 47539fd8-fc0f-4646-87fb-a4738d5c651b

Default properties

No response

Additional Info

https://learn.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http

All roles support the tenant-wide scope, but some roles can have the assignment scoped to an administrative unit, application or service principal.

I will work on it

@milanholemans added the "new feature" and "needs peer review" labels on Jan 13, 2025
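
The option rules from the spec above (one of each id/name pair, a target option only for the matching scope) and the resulting `directoryScopeId` value for the linked Graph API, as an added TypeScript example that is not part of the issue or of the CLI for Microsoft 365 code base. The names `Options`, `SCOPE_TARGET`, `validate` and `directoryScopeId` are hypothetical, and the example assumes that every `*Id` option holds a directory object id in GUID form.

```typescript
// Added example; type and function names are hypothetical, not CLI for Microsoft 365 code.
type Options = { [name: string]: string | undefined };

const GUID = /^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

// Scope -> the option pair that must identify its target (none for tenant).
const SCOPE_TARGET: { [scope: string]: string[] } = {
  tenant: [],
  administrativeUnit: ['administrativeUnitId', 'administrativeUnitName'],
  application: ['applicationId', 'applicationName'],
  servicePrincipal: ['servicePrincipalId', 'servicePrincipalName']
};

// Returns every rule from the Options table that the input violates.
function validate(o: Options): string[] {
  const errors: string[] = [];
  const exactlyOne = (pair: string[]): void => {
    if (pair.filter(n => o[n] !== undefined).length !== 1) {
      errors.push('Specify either ' + pair[0] + ' or ' + pair[1] + ', but not both.');
    }
  };
  exactlyOne(['roleDefinitionId', 'roleDefinitionName']);
  exactlyOne(['principalId', 'principalName']);
  const scope = o['scope'] || '';
  if (!Object.prototype.hasOwnProperty.call(SCOPE_TARGET, scope)) {
    return errors.concat("Invalid scope '" + scope + "'.");
  }
  for (const s of Object.keys(SCOPE_TARGET)) {
    const pair = SCOPE_TARGET[s] || [];
    if (s === scope && pair.length > 0) { exactlyOne(pair); }
    // A target option for another scope would be silently ignored; reject it instead.
    if (s !== scope) {
      pair.filter(n => o[n] !== undefined).forEach(n => errors.push(n + ' requires scope ' + s + '.'));
    }
  }
  for (const n of Object.keys(o)) {
    const v = o[n];
    if (/Id$/.test(n) && v !== undefined && !GUID.test(v)) { errors.push(n + ' is not a valid GUID.'); }
  }
  return errors;
}

// Maps validated, id-based options to the Graph directoryScopeId value.
function directoryScopeId(o: Options): string {
  if (o['scope'] === 'tenant') { return '/'; }
  if (o['scope'] === 'administrativeUnit') { return '/administrativeUnits/' + o['administrativeUnitId']; }
  return '/' + (o['scope'] === 'application' ? o['applicationId'] : o['servicePrincipalId']);
}
```

Name-based options pass validation here but still have to be resolved to ids through separate lookups before `directoryScopeId` is called.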