Assign Azure AD roles to users

To grant access to users in Azure Active Directory (Azure AD), you assign Azure AD roles. A role is a collection of permissions. This article describes how to assign Azure AD roles using the Azure portal and PowerShell.

Prerequisites

  • Privileged Role Administrator or Global Administrator
  • Azure AD Premium P2 license when using Privileged Identity Management (PIM)
  • AzureADPreview module when using PowerShell
  • Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

Follow these steps to assign Azure AD roles using the Azure portal. Your experience will be different depending on whether you have Azure AD Privileged Identity Management (PIM) enabled.

Assign a role

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Roles and administrators to see the list of all available roles.

    Roles and administrators page in Azure Active Directory.

  3. Select a role to see its assignments.

    To help you find the role you need, use Add filters to filter the roles.

  4. Select Add assignments and then select the users you want to assign to this role.

    If you see something different from the following picture, you might have PIM enabled. See the next section.

    Add assignments pane for selected role.

  5. Select Add to assign the role.

Assign a role using PIM

If you have Azure AD Privileged Identity Management (PIM) enabled, you have additional role assignment capabilities. For example, you can make a user eligible for a role or set the duration. When PIM is enabled, there are two ways that you can assign roles using the Azure portal. You can use the Roles and administrators page or the PIM experience. Either way uses the same PIM service.

Follow these steps to assign roles using the Roles and administrators page. If you want to assign roles using the Privileged Identity Management page, see Assign Azure AD roles in Privileged Identity Management.

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Roles and administrators to see the list of all available roles.

    Roles and administrators page in Azure Active Directory when PIM enabled.

  3. Select a role to see its eligible, active, and expired role assignments.

    To help you find the role you need, use Add filters to filter the roles.

  4. Select Add assignments.

  5. Select No member selected and then select the users you want to assign to this role.

    Add assignments page and Select a member pane with PIM enabled.

  6. Select Next.

  7. On the Setting tab, select whether you want to make this role assignment Eligible or Active.

    An eligible role assignment means that the user must perform one or more actions to use the role. An active role assignment means that the user doesn't have to perform any action to use the role. For more information about what these settings mean, see PIM terminology.

    Add assignments page and Setting tab with PIM enabled.

  8. Use the remaining options to set the duration for the assignment.

  9. Select Assign to assign the role.

PowerShell

Follow these steps to assign Azure AD roles using PowerShell.

Setup

  1. Open a PowerShell window and use Import-Module to import the AzureADPreview module. For more information, see Prerequisites to use PowerShell or Graph Explorer.

    Import-Module -Name AzureADPreview -Force
    
  2. In a PowerShell window, use Connect-AzureAD to sign in to your tenant.

    Connect-AzureAD
    
  3. Use Get-AzureADUser to get the user you want to assign a role to.

    $user = Get-AzureADUser -Filter "userPrincipalName eq 'user@contoso.com'"
    

Assign a role

  1. Use Get-AzureADMSRoleDefinition to get the role you want to assign.

    $roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Billing Administrator'"
    
  2. Use New-AzureADMSRoleAssignment to assign the role.

    $roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
    
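The four PowerShell steps above as one script, added here as an example and not part of the original article. Around the assignment itself it adds what a practitioner wants: an existence check so re-running the script does not attempt a duplicate assignment, and a read-back with Get-AzureADMSRoleAssignment afterwards so you confirm what the directory actually holds. The UPN, role name and scope are placeholders; the administrative-unit scope format `/administrativeUnits/<id>` is mentioned as the narrower alternative to the tenant-wide `/` the article uses.

```powershell
# Added example (not from the article): assign an Azure AD role with AzureADPreview,
# checking for an existing assignment first and reading the result back afterwards.
# $Upn, $RoleName and $Scope are placeholder values; replace them for your tenant.
Import-Module -Name AzureADPreview -Force
Connect-AzureAD | Out-Null

$Upn      = 'user@contoso.com'        # placeholder
$RoleName = 'Billing Administrator'   # placeholder
$Scope    = '/'                       # '/' is tenant-wide; use '/administrativeUnits/<id>' where the role supports it

$user = Get-AzureADUser -Filter "userPrincipalName eq '$Upn'"
if (-not $user) { throw "User '$Upn' not found." }

$role = Get-AzureADMSRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' not found." }

# Look for an assignment of this role to this principal at this scope before creating one,
# so the script is safe to re-run.
$existing = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($user.ObjectId)'" |
    Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq $Scope }

if ($existing) {
    Write-Host "$Upn already holds '$RoleName' at scope '$Scope' (assignment $($existing.Id))."
}
else {
    $assignment = New-AzureADMSRoleAssignment -DirectoryScopeId $Scope `
        -RoleDefinitionId $role.Id -PrincipalId $user.ObjectId
    Write-Host "Created assignment $($assignment.Id) for $Upn."
}

# Read back: confirm the assignment is visible before relying on it or closing the change ticket.
Get-AzureADMSRoleAssignment -Filter "principalId eq '$($user.ObjectId)'" |
    Where-Object { $_.RoleDefinitionId -eq $role.Id } |
    Select-Object Id, DirectoryScopeId, RoleDefinitionId, PrincipalId
```

A directory-scoped assignment at `/` applies to every object in the tenant. For roles that support administrative units, scoping the assignment to the unit that contains the objects the user actually manages is the least-privilege choice.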

Assign a role as eligible using PIM

If PIM is enabled, you have additional capabilities, such as making a user eligible for a role assignment or defining the start and end time for a role assignment. These capabilities use a different set of PowerShell commands. For more information about using PowerShell and PIM, see PowerShell for Azure AD roles in Privileged Identity Management.

  1. Use Get-AzureADMSRoleDefinition to get the role you want to assign.

    $roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Billing Administrator'"
    
  2. Use Get-AzureADMSPrivilegedResource to get the privileged resource. For Azure AD roles, the resource is your tenant.

    $aadTenant = Get-AzureADMSPrivilegedResource -ProviderId aadRoles
    
  3. Use New-Object to create a new AzureADMSPrivilegedSchedule object to define the start and end time of the role assignment.

    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type = "Once"
    $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
    # End time must be in the future; here it is computed as 10 days from now instead of a fixed date.
    $schedule.EndDateTime = (Get-Date).ToUniversalTime().AddDays(10).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
    
  4. Use Open-AzureADMSPrivilegedRoleAssignmentRequest to assign the role as eligible.

    $roleAssignmentEligible = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $aadTenant.Id -RoleDefinitionId $roleDefinition.Id -SubjectId $user.objectId -Type 'AdminAdd' -AssignmentState 'Eligible' -schedule $schedule -reason "Review billing info"
    
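After creating eligible assignments it is worth checking the whole picture for the role, not just the one request you submitted. The following script is an added example, not part of the original article: it lists every PIM assignment of a role through the same AzureADMSPrivileged cmdlets the steps above use, separates eligible from active, and flags active assignments with no end date, which is the combination PIM is meant to eliminate. The role name is a placeholder; resolving subject IDs to display names with Get-AzureADObjectByObjectId is an assumption about the module and is guarded so a missing object does not stop the report.

```powershell
# Added example (not from the article): audit PIM assignments for one Azure AD role and
# flag permanent active assignments. $RoleName is a placeholder.
Import-Module -Name AzureADPreview -Force
Connect-AzureAD | Out-Null

$RoleName = 'Billing Administrator'   # placeholder

$role   = Get-AzureADMSRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' not found." }
$tenant = Get-AzureADMSPrivilegedResource -ProviderId aadRoles

# All PIM assignments (eligible and active) of this role in the tenant.
$assignments = Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $tenant.Id `
    -Filter "roleDefinitionId eq '$($role.Id)'"

$report = foreach ($a in $assignments) {
    # Assumed helper for readability: resolve the subject to a display name if it still exists.
    $subject = Get-AzureADObjectByObjectId -ObjectIds $a.SubjectId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject   = if ($subject) { $subject.DisplayName } else { $a.SubjectId }
        State     = $a.AssignmentState   # Eligible or Active
        Type      = $a.MemberType        # Direct, Group or Inherited
        Starts    = $a.StartDateTime
        Ends      = if ($a.EndDateTime) { $a.EndDateTime } else { 'permanent' }
        Permanent = -not $a.EndDateTime
    }
}

$report | Sort-Object State, Subject | Format-Table -AutoSize

# Permanent active assignments bypass the just-in-time model entirely.
$findings = @($report | Where-Object { $_.State -eq 'Active' -and $_.Permanent })
if ($findings.Count -gt 0) {
    Write-Warning ("{0} permanent active assignment(s) of '{1}'. Convert them to eligible or give them an end date." -f $findings.Count, $RoleName)
}
```

Run this after any bulk change and on a schedule; a permanent active assignment that appears without a matching change record is worth an incident ticket.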

Microsoft Graph API

Follow these instructions to assign a role using the Microsoft Graph API in Graph Explorer.

Assign a role

In this example, a security principal with objectID f8ca5a85-489a-49a0-b555-0a6d81e56f0d is assigned the Billing Administrator role (role definition ID b0f54661-2d74-4c50-afa3-1ec803f12efe) at tenant scope, which is what directoryScopeId "/" means: the assignment applies to every object in the tenant. If you want to see the list of immutable role template IDs of all built-in roles, see Azure AD built-in roles.

  1. Sign in to the Graph Explorer.
  2. Select POST as the HTTP method from the dropdown.
  3. Set the API version to beta.
  4. Use the roleAssignments API to assign roles. Add the following details to the URL and request body, then select Run query.
POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
Content-type: application/json

{ 
    "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
    "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
    "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
    "directoryScopeId": "/"
}

Assign a role using PIM

In this example, a security principal with objectID f8ca5a85-489a-49a0-b555-0a6d81e56f0d is assigned a time-bound eligible role assignment to Billing Administrator (role definition ID b0f54661-2d74-4c50-afa3-1ec803f12efe) for 180 days.

  1. Sign in to the Graph Explorer.
  2. Select POST as the HTTP method from the dropdown.
  3. Set the API version to beta.
  4. Add the following details to the URL and request body, then select Run query.
POST https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests

Content-type: application/json

{
    "action": "AdminAssign",
    "justification": "for managing admin tasks",
    "directoryScopeId": "/",
    "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
    "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
    "scheduleInfo": {
        "startDateTime": "2021-07-15T19:15:08.941Z",
        "expiration": {
            "type": "AfterDuration",
            "duration": "PT180D"
        }
    }
}

In the following example, a security principal is assigned a permanent eligible role assignment to Billing Administrator.

POST https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests

Content-type: application/json

{
    "action": "AdminAssign",
    "justification": "for managing admin tasks",
    "directoryScopeId": "/",
    "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
    "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
    "scheduleInfo": {
        "startDateTime": "2021-07-15T19:15:08.941Z",
        "expiration": {
            "type": "NoExpiration"
        }
    }
}

To activate an eligible assignment, the assigned user submits a roleAssignmentScheduleRequest with the action SelfActivate. Activation is subject to the role's PIM settings (for example MFA, justification or approval requirements) and is itself time-bound.

POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests

Content-type: application/json

{
    "action": "SelfActivate",
    "justification": "activating role assignment for admin privileges",
    "roleDefinitionId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
    "directoryScopeId": "/",
    "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d"
}
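The three Graph Explorer calls above, scripted, as an added example that is not part of the original article. It uses the Microsoft.Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest) rather than the AzureADPreview module the article's PowerShell section uses; that is a substitution made here because the SDK sends arbitrary Graph requests directly. The principal and role definition IDs are the ones from the article; the delegated scope RoleManagement.ReadWrite.Directory, the durations, and the read-back of roleEligibilitySchedules are assumptions made for the example. Durations are written in the ISO 8601 date form (P180D) and time form (PT1H).

```powershell
# Added example (not from the article): time-bound eligibility, self-activation and read-back
# against the beta roleManagement endpoints, using the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Authentication
# Scope assumed for the example; the admin creating eligibility needs it, the activating user signs in as themselves.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory' | Out-Null

$PrincipalId      = 'f8ca5a85-489a-49a0-b555-0a6d81e56f0d'   # from the article
$RoleDefinitionId = 'b0f54661-2d74-4c50-afa3-1ec803f12efe'   # Billing Administrator (from the article)
$Base             = 'https://graph.microsoft.com/beta/roleManagement/directory'

function Get-UtcNow { (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ') }

# Admin side: make the principal eligible for the role for a fixed number of days.
function New-TimeBoundEligibility {
    param([string]$PrincipalId, [string]$RoleDefinitionId, [int]$Days, [string]$Justification)
    $body = @{
        action           = 'AdminAssign'
        justification    = $Justification
        directoryScopeId = '/'                      # tenant-wide; narrow where the role allows it
        principalId      = $PrincipalId
        roleDefinitionId = $RoleDefinitionId
        scheduleInfo     = @{
            startDateTime = Get-UtcNow
            expiration    = @{ type = 'AfterDuration'; duration = "P${Days}D" }
        }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Base/roleEligibilityScheduleRequests" -Body $body
}

# User side: activate the eligible role for a short window. Must run as the eligible user;
# the window cannot exceed the maximum activation duration set in the role's PIM settings.
function Request-SelfActivation {
    param([string]$PrincipalId, [string]$RoleDefinitionId, [int]$Hours, [string]$Justification)
    $body = @{
        action           = 'SelfActivate'
        justification    = $Justification
        directoryScopeId = '/'
        principalId      = $PrincipalId
        roleDefinitionId = $RoleDefinitionId
        scheduleInfo     = @{
            startDateTime = Get-UtcNow
            expiration    = @{ type = 'AfterDuration'; duration = "PT${Hours}H" }
        }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Base/roleAssignmentScheduleRequests" -Body $body
}

# 1. Create the eligibility and report the request status (e.g. Provisioned or PendingApproval).
$req = New-TimeBoundEligibility -PrincipalId $PrincipalId -RoleDefinitionId $RoleDefinitionId `
    -Days 180 -Justification 'for managing admin tasks'
"Eligibility request $($req.id): status $($req.status)"

# 2. Read back what the directory now holds, not just what the request said.
$schedules = Invoke-MgGraphRequest -Method GET `
    -Uri "$Base/roleEligibilitySchedules?`$filter=principalId eq '$PrincipalId'"
$schedules.value |
    Where-Object { $_.roleDefinitionId -eq $RoleDefinitionId } |
    ForEach-Object {
        $end = $_.scheduleInfo.expiration.endDateTime
        "Eligible at scope $($_.directoryScopeId), ends " + $(if ($end) { $end } else { 'never' })
    }

# 3. As the eligible user, activate for one hour (uncomment when signed in as that user).
# $act = Request-SelfActivation -PrincipalId $PrincipalId -RoleDefinitionId $RoleDefinitionId `
#     -Hours 1 -Justification 'activating role assignment for admin privileges'
# "Activation request $($act.id): status $($act.status)"
```

The activation request carries its own scheduleInfo so the elevated window is explicit and short; treat an eligibility with NoExpiration as an exception that needs a documented reason, since it only removes the expiry from the eligibility and every activation still has to pass the role's PIM settings.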

Next steps