Usage
m365 entra administrativeunit roleassignment add
Description
Assign a Microsoft Entra role with administrative unit scope to a user
Options
| Option | Description |
|---|---|
| `-i, --administrativeUnitId [administrativeUnitId]` | The id of the administrative unit. Specify either `administrativeUnitId` or `administrativeUnitName`. |
| `-n, --administrativeUnitName [administrativeUnitName]` | The name of the administrative unit. Specify either `administrativeUnitId` or `administrativeUnitName`. |
| `--roleDefinitionId [roleDefinitionId]` | The id of the role definition that the member is in. Specify either `roleDefinitionId` or `roleDefinitionName`. |
| `--roleDefinitionName [roleDefinitionName]` | The name of the role definition that the member is in. Specify either `roleDefinitionId` or `roleDefinitionName`. |
| `--userId [userId]` | The id of the user that is a member of the scoped-role. Specify either `userId` or `userName`. |
| `--userName [userName]` | The name of the user that is a member of the scoped-role. Specify either `userId` or `userName`. |
Examples
Assign a role definition specified by id to a user specified by id for an administrative unit specified by id
m365 entra administrativeunit roleassignment add --administrativeUnitId 03c4c9dc-6f0c-4c4f-a4e6-0c9ed80f54c7 --roleDefinitionId 96e6daa0-1384-4690-9ed2-fd39b68d9e9e --userId 64131a70-beb9-4ccb-b590-4401e58446ec
Assign a role definition specified by name to a user specified by name for an administrative unit specified by name
m365 entra administrativeunit roleassignment add --administrativeUnitName 'Marketing Division' --roleDefinitionName 'User Administrator' --userName '[email protected]'
Default properties
No response
Additional Info
https://learn.microsoft.com/en-us/graph/api/administrativeunit-post-scopedrolemembers?view=graph-rest-1.0&tabs=http
The endpoint allows setting only active assignments, not eligible ones (similar for other related endpoints, like this which lists only active assignments, not eligible ones).
It seems to me that the endpoint https://learn.microsoft.com/en-us/graph/api/administrativeunit-post-scopedrolemembers?view=graph-rest-1.0&tabs=http doesn't allow assigning a custom role. A better choice should be the following endpoint: https://learn.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http#example-2--create-a-role-assignment-with-administrative-unit-scope
The command requires the new permission `RoleManagement.ReadWrite.Directory`.
The list of roles that can be assigned is here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-assign-roles#roles-that-can-be-assigned-with-administrative-unit-scope. Those names, together with the names of custom roles, are possible values for the `roleName` option.
It's not required for the user who is assigned to a role to be a member of an administrative unit.
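Added example, not part of the original issue and not the CLI's own code: a sketch of the "specify either id or name" checks from the Options table and of the request body for the role assignment endpoint proposed above. The function names are hypothetical, the GUID check is an assumption, name-to-id lookups are assumed to have happened already, and the `/administrativeUnits/{id}` scope format follows the linked Graph documentation.

```javascript
// Hypothetical helpers for illustration; not taken from the CLI for Microsoft 365 code base.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Each pair is one "specify either ... or ..." option set from the Options table.
const OPTION_SETS = [
  ['administrativeUnitId', 'administrativeUnitName'],
  ['roleDefinitionId', 'roleDefinitionName'],
  ['userId', 'userName']
];

// Returns a list of validation errors; an empty list means the options are acceptable.
function validateOptions(options) {
  const errors = [];
  for (const [idOpt, nameOpt] of OPTION_SETS) {
    const hasId = options[idOpt] !== undefined;
    const hasName = options[nameOpt] !== undefined;
    if (hasId === hasName) {
      // Covers both "neither given" and "both given".
      errors.push(`Specify exactly one of ${idOpt} or ${nameOpt}`);
    } else if (hasId && !GUID.test(options[idOpt])) {
      errors.push(`'${options[idOpt]}' is not a valid GUID for ${idOpt}`);
    }
  }
  return errors;
}

// Builds the request for POST /roleManagement/directory/roleAssignments.
// All three arguments are ids that were already resolved from names where needed.
function buildRoleAssignmentRequest(administrativeUnitId, roleDefinitionId, principalId) {
  for (const id of [administrativeUnitId, roleDefinitionId, principalId]) {
    // Fail closed: a missing or malformed id must never produce a request,
    // because the scope string is what limits the role to the administrative unit.
    if (!GUID.test(String(id))) {
      throw new Error(`Refusing to build request: '${id}' is not a GUID`);
    }
  }
  return {
    method: 'POST',
    url: 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments',
    body: {
      '@odata.type': '#microsoft.graph.unifiedRoleAssignment',
      roleDefinitionId,
      principalId,
      // '/' would mean tenant-wide scope; the administrative unit path keeps it scoped.
      directoryScopeId: `/administrativeUnits/${administrativeUnitId}`
    }
  };
}
```

Checking the `directoryScopeId` of the built request before sending it is a cheap guard against an assignment that is wider than the administrative unit.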
I will work on this