Create a role-assignable group in Azure Active Directory

You can only assign a role to a group that was created with the isAssignableToRole property set to true, or that was created in the Azure portal with the Azure AD roles can be assigned to the group switch turned on. This attribute marks the group as one that can be assigned a role in Azure Active Directory (Azure AD), and it can only be set when the group is created; it cannot be changed afterwards. This article describes how to create this special kind of group.

Note: A group with isAssignableToRole set to true cannot have dynamic membership. For more information, see Use Azure AD groups to manage role assignments.

Prerequisites

  • Azure AD Premium P1 or P2 license
  • Privileged Role Administrator or Global Administrator
  • AzureAD module when using PowerShell
  • Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Groups > All groups > New group.

    Open Azure Active Directory and create a new group.

  3. On the New Group tab, provide group type, name and description.

  4. Turn on Azure AD roles can be assigned to the group. This switch is visible only to Privileged Role Administrators and Global Administrators, because these are the only two roles that can set it.

    Make the new group eligible for role assignment

  5. Select the members and owners for the group. You also have the option to assign roles to the group, but assigning a role isn't required here.

    Add members to the role-assignable group and assign roles.

  6. After the members and owners are specified, select Create.

    The Create button is at the bottom of the page.

The group is created with any roles you might have assigned to it.

PowerShell

Create a group that can be assigned to a role

# Create a role-assignable security group. Mail-enabled security groups cannot be created through this cmdlet, so MailEnabled is $false; for a Microsoft 365 group, add -GroupTypes "Unified" and set -MailEnabled $true.
$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to the Helpdesk Administrator built-in role in Azure AD." -MailEnabled $false -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true

For this type of group, visibility is always Private (isPublic is false) and securityEnabled is always true, regardless of what you pass in.

Copy one group's users and service principals into a role-assignable group

# Basic set up
Install-Module -Name AzureAD
Import-Module -Name AzureAD
Get-Module -Name AzureAD

# Connect to Azure AD. Sign in as Privileged Role Administrator or Global Administrator. Only these two roles can create a role-assignable group.
Connect-AzureAD

# Input variables: existing group
$idOfExistingGroup = "14044411-d170-4cb0-99db-263ca3740a0c"

# Input variables: new role-assignable group
$groupName = "Contoso_Bellevue_Admins"
$groupDescription = "This group is assigned to the Helpdesk Administrator built-in role in Azure AD."
$mailNickname = "contosobellevueadmins"

# Create a new security group that is role-assignable. For a Microsoft 365 group, set -GroupTypes "Unified" and -MailEnabled $true.
$roleAssignableGroup = New-AzureADMSGroup -DisplayName $groupName -Description $groupDescription -MailEnabled $false -MailNickname $mailNickname -SecurityEnabled $true -IsAssignableToRole $true

# Get details of the existing group. -All $true is required; without it the cmdlet returns only the first page of members.
$existingGroup = Get-AzureADMSGroup -Id $idOfExistingGroup
$membersOfExistingGroup = Get-AzureADGroupMember -ObjectId $existingGroup.Id -All $true

# Copy users and service principals from the existing group to the new group. Nested groups are skipped: a role-assignable group cannot contain other groups as members.
foreach ($member in $membersOfExistingGroup) {
    if ($member.ObjectType -eq 'User' -or $member.ObjectType -eq 'ServicePrincipal') {
        Add-AzureADGroupMember -ObjectId $roleAssignableGroup.Id -RefObjectId $member.ObjectId
    }
}
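Creating the group is only half of the procedure; the group is useful once a role is assigned to it. The following is an added example, not code from the original article, that creates (or reuses) a role-assignable security group with the AzureAD module, confirms that the attribute actually stuck, and then assigns the Helpdesk Administrator built-in role to the group at tenant scope. It assumes an existing Connect-AzureAD session as Privileged Role Administrator or Global Administrator; the group name and mail nickname are illustrative.

```powershell
# Added example (not part of the original article). Assumes Connect-AzureAD has
# already been run as Privileged Role Administrator or Global Administrator.
$groupName    = "Contoso_Helpdesk_Administrators"   # illustrative name
$mailNickname = "contosohelpdeskadministrators"     # illustrative nickname
$roleName     = "Helpdesk Administrator"

# Reuse the group if it already exists, otherwise create it. Security groups are
# created with MailEnabled $false; mail-enabled security groups cannot be created
# through this cmdlet.
$group = Get-AzureADMSGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-AzureADMSGroup -DisplayName $groupName `
        -Description "This group is assigned the $roleName built-in role in Azure AD." `
        -MailEnabled $false -SecurityEnabled $true `
        -MailNickname $mailNickname -IsAssignableToRole $true
}

# isAssignableToRole cannot be changed after creation, so check it before
# relying on the group. A pre-existing group with the wrong value has to be
# recreated; there is no way to flip the attribute in place.
if (-not $group.IsAssignableToRole) {
    throw "Group '$groupName' ($($group.Id)) is not role-assignable. Create a new group with -IsAssignableToRole `$true."
}

# Resolve the built-in role definition by display name instead of hard-coding
# its template id.
$roleDef = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDef) { throw "Role definition '$roleName' was not found." }

# Assign the role to the group at tenant scope ("/") unless it is already there.
# From this point every member of the group, user or service principal, holds
# Helpdesk Administrator, so membership changes are privileged changes.
$alreadyAssigned = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDef.Id }
if (-not $alreadyAssigned) {
    New-AzureADMSRoleAssignment -RoleDefinitionId $roleDef.Id `
        -PrincipalId $group.Id -DirectoryScopeId "/" | Out-Null
}

# Report every role the group now holds, with its scope.
Get-AzureADMSRoleAssignment -Filter "principalId eq '$($group.Id)'" | ForEach-Object {
    $rd = Get-AzureADMSRoleDefinition -Id $_.RoleDefinitionId
    [pscustomobject]@{
        Group = $group.DisplayName
        Role  = $rd.DisplayName
        Scope = $_.DirectoryScopeId
    }
}
```

The throw on a non-role-assignable group is deliberate: New-AzureADMSRoleAssignment would fail anyway, but failing early with the group id in the message avoids a confusing error from the role assignment call and makes clear that the remedy is a new group, not an update.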

Microsoft Graph API

Create a role-assignable group in Azure AD

POST https://graph.microsoft.com/beta/groups
{
  "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
  "displayName": "Contoso_Helpdesk_Administrators",
  "groupTypes": [
    "Unified"
  ],
  "isAssignableToRole": true,
  "mailEnabled": true,
  "securityEnabled": true,
  "mailNickname": "contosohelpdeskadministrators",
  "visibility" : "Private"
}

For this type of group, visibility is always Private (isPublic is false) and securityEnabled is always true, regardless of what you send in the request body. The same request also works against the v1.0 endpoint, where isAssignableToRole is available as well.
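Because every member of a role-assignable group inherits the group's directory roles, these groups deserve the same scrutiny as direct role assignments. The following is an added example, not code from the original article, that uses the Microsoft Graph API from PowerShell to enumerate every role-assignable group in the tenant together with the roles it holds and its members. It assumes $accessToken holds a bearer token with at least Group.Read.All and RoleManagement.Read.Directory permissions (for example one issued to Graph Explorer after admin consent); no tenant-specific identifiers are used.

```powershell
# Added example (not part of the original article). Assumes $accessToken is a
# Graph bearer token with Group.Read.All and RoleManagement.Read.Directory.
$graph   = "https://graph.microsoft.com/v1.0"
$headers = @{ Authorization = "Bearer $accessToken" }

# Follow @odata.nextLink so results in large tenants are not silently truncated.
function Get-GraphCollection([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page   = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# isAssignableToRole supports $filter, so the directory can be asked directly
# for the role-assignable groups instead of paging through every group.
$select = '$select=id,displayName,securityEnabled,visibility,groupTypes'
$groups = Get-GraphCollection "$graph/groups?`$filter=isAssignableToRole eq true&$select"

foreach ($g in $groups) {
    # Role assignments where this group is the principal, at any scope.
    $assignments = Get-GraphCollection "$graph/roleManagement/directory/roleAssignments?`$filter=principalId eq '$($g.id)'"
    $roles = foreach ($a in $assignments) {
        $rd = Invoke-RestMethod -Method Get -Headers $headers `
            -Uri "$graph/roleManagement/directory/roleDefinitions/$($a.roleDefinitionId)"
        "$($rd.displayName) @ $($a.directoryScopeId)"
    }

    # Direct members (users and service principals); each one effectively holds
    # every role listed above.
    $members = Get-GraphCollection "$graph/groups/$($g.id)/members?`$select=id,displayName"

    [pscustomobject]@{
        Group      = $g.displayName
        Id         = $g.id
        Security   = $g.securityEnabled   # always true for this group type
        Visibility = $g.visibility        # always Private for this group type
        Roles      = ($roles -join '; ')
        Members    = (($members | ForEach-Object { $_.displayName }) -join '; ')
    }
}
```

Run periodically, the output is a compact inventory of indirect privileged principals: a group here with Global Administrator and a long member list is the kind of finding a review should surface. The roleDefinitions lookup resolves the role template id to its display name; Roles is empty for a group that is role-assignable but has not yet been assigned anything.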

Next steps